b3ee8c90d9038c94565785ba2eeca0362de853a6324e3c93736a22eba09b50f2

Analysis

max time kernel
134s
max time network
140s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

diamond.xml
Size

420B
MD5

2effe63f1f3ed1de34c13964e0ddc618
SHA1

052b64d10a4703f3ef9617221834bac8ee954582
SHA256

cd623d8f84a9bad0a1fe67dfbde5b602a0c01a796c165ed4b2baedc7a47ba575
SHA512

88e71dd54c43b2b4b482764084637d251ab4ed7a65e74b53c765d59928a146bfdcd7a23ce4ec20421b449dc890b8b11baa430ec30f96574bc588a48c9f5f40ac

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102f0a97c7b8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396374478"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae0000000002000000000010660000000100002000000069cfd0a865362596ef52110d5865fce21f2cee8c13e0fea8c994424809f4fde8000000000e8000000002000020000000e80c56c41377d6e231b93790449cebbd7122d66e3ab1823bd4bd31b08b478b0990000000984389767438126afac9beabd026c1941d24a3b071f001dcb940f240acfe52472c82063363a0e5870595c643ae57b991af942bc17c5c47adcb898a8a440c040cb016c46f0e783242297ca15f68c2e852c03316fee1df0a39f1269002607f66a7e5002b3d3927d0085b55eac245c7809fd7b2388160ef470a47642ab996821770843cc02c3ef4f812acc14e918b209a5c40000000544830adfb3d6b187eb18151d7a18c84cc0062cee4b1cf96185adb9cf0ef1ef3845b231dc26cf7bf42f3a50c730b91abe7b2f49a862951f4ae63b1dbc233fddd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C254C361-24BA-11EE-A5F9-C20AF10CBE7D} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae000000000200000000001066000000010000200000006edb4ded16ab6a2d5850c1b39b800554effc36079a69247b074c9daa7dde6d26000000000e80000000020000200000007106a0c2093a326032234cfdc7caf3c3aad702bd52d1a27021b90730970e21f6200000003d3bcef1abb21b9b00db3b121fffc3df6620a2456975cd5c9773b03b82b08303400000006791397ff67d7cb06bb76723127248065381c3ac9f9ae0054590ceef7c52c33ff411e84b6d70175b7214a78ec1c1d626b0a629fd142dc1b1e1f384883a009e67	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2672	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 624	1952	MSOXMLED.EXE	28
PID 1952 wrote to memory of 624	1952	MSOXMLED.EXE	28
PID 1952 wrote to memory of 624	1952	MSOXMLED.EXE	28
PID 1952 wrote to memory of 624	1952	MSOXMLED.EXE	28
PID 624 wrote to memory of 2672	624	iexplore.exe	29
PID 624 wrote to memory of 2672	624	iexplore.exe	29
PID 624 wrote to memory of 2672	624	iexplore.exe	29
PID 624 wrote to memory of 2672	624	iexplore.exe	29
PID 2672 wrote to memory of 2452	2672	IEXPLORE.EXE	30
PID 2672 wrote to memory of 2452	2672	IEXPLORE.EXE	30
PID 2672 wrote to memory of 2452	2672	IEXPLORE.EXE	30
PID 2672 wrote to memory of 2452	2672	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\diamond.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d0becbf774ca733bdf17ed6986d801f

SHA1
3b66757139a2ee117341a3d32bb4fa496af8ed87

SHA256
30c9ce9082a9b0432bcd19ecae291022b555f36b5df242c424ae02e40c61f85b

SHA512
c2075a1a1b03d1764da3c05f6d8b1803c77e945cac61cdb876db2ba454e67c6b60c81de80ce3d324f8daa3d78f53014460b1ee7046e4b37e252908b29355e42f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe1aff7d23ffe96362b6462d125156d9

SHA1
c2f421a8953632f42c8f7caf75c1369b6635d59c

SHA256
02c9afcf3457423cd501bdcd78f4a02c640d2740e741e202a91e9977f905da2b

SHA512
7323bb4b8059e58a57f8abf1626809e44d8e0c50526459089b451bbb55d6235f64ed14f586432d7eeeb842cf4330b0eb8864bcd53e7ce537d0b6818e79f37c26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3580b9b4f76e975a97373d523d991f9d

SHA1
1d1bc9cec4d53afaef34250169c029b6858f7b88

SHA256
203ea6e6de7f014aec0bded3c7ec3be382bf5e2331c599b1fac843ebb8588820

SHA512
453f71bc40c390443df16ff9509a3cac6c31b353e384d425cf7347f73bcd6513178c18632abfdb11cf32fa15492c84af5d25e52117d2e999fd138aa091269a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68291089719571efd4dce82623818fbe

SHA1
dbd59eb732485e87cd69f4fdb75c92488508ab93

SHA256
67ccbf0e0b8d3a0e46d1a325c95bc10176665167b022ea466ad8afdcd6987c0f

SHA512
ca68184f182b44da9acc999f614b649b0854e5521fa729dda28681bb40fe978c3bc3b677d578d35dfa5ca9b79864de1cbdee4e3332c345a279e4aabf7f27d709

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23d3d7ce0b7109a84c245612b451e1c5

SHA1
36697e27e52f34a6a1920d731a864a65ca109e94

SHA256
9c418572ea0c9b7b0a0633058c16943faae9b89c8a93222ef8bae18e45a98a1d

SHA512
aa77b1346c2554b4b2fb3515698207f1b374bf8332e01360cbd11585a8da9923c60decd129a0d6180168c0b0464276f8bef2111e45c711e65a8c33016ef9cb5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4637a4e3d8a0dea47fc8c661c1c3a40

SHA1
7ee59953312f9288d7283af96547cd23eff1a9ea

SHA256
0ce1d96aaabf6357a4bababd2c093999775a6cd40e0b829f02c3ab874d7726f7

SHA512
c2d1bcee5e5576fddbb3f5c6e38156fbb4bef6bcbca0c1dd61a5a02f5621f6e9e67b289e47ab0240ada88bb463d5d4571d92601cf4a9474e85e2a486d008feb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69fe461dba830dd8e89091e6b0640e9c

SHA1
451baaa6afcb8439919c4cda8cc8390f5dde7ef0

SHA256
07e5d05018de37d08ec8b078677087431e9b510d2bb84c8902986f19969ede9e

SHA512
5c797ec9db7f1bc69073084c913dae1e61a82e42949140787b214620983217c8670155c9791346721582ddb672689df78d6d04b3c12af6f75d9105737f0cfc54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d613965a8ca8d519e0db394d5bc3195

SHA1
e9ece08b09843bc2238f77ab9ed504cbed2fbff9

SHA256
53b92a0b57686c7cbe7ad4d15e538e8f189d8730a9d5efe7057eaafbed93f246

SHA512
0ea4724dcc2738a165a5d9a16dccff620913f384ad521af3a880e1e68734762a643d892ad8b227ae953f6fc4b496152eee029af1789026261fe7194aca8a23cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
535c2e2f9a68b97a915542b41a80fbf0

SHA1
195e1c4ac98402ad5052e57f2c96e1df375f46a9

SHA256
5b14632bee6d855dbe0b2a627f5e58c4413b079bf87eb3a56176dfa9845d48c1

SHA512
2d2013f5334431a0db749e79bd2e92fbf70c47621288d7639f185f3990dfb0a4e608eac2401f50eda198758675e70d6c54e356e628269f46012e7827a3ff06e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O5N1CMJ9\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9129.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91DA.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\60WABNJ1.txt

Filesize
608B

MD5
414c96f8fddf0a8d03e24588d02eefb3

SHA1
f2da0bbafc486dfad62b15d5b4b12329afe27c25

SHA256
b4b21cb289c54ced52944f01903c913a441cceb95cb2f2e06746f3b946053299

SHA512
64f00ab93a1f5c43e29f216fb3f9c67553f766f5c09376373929db64154c85558e159ce31ecc567001415cfab556025051c1026ac815e8fc1357fb75d78b519a

Download Submit