b3ee8c90d9038c94565785ba2eeca0362de853a6324e3c93736a22eba09b50f2

Analysis

max time kernel
134s
max time network
142s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-07-2023 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

default_paper_2.xml
Size

2KB
MD5

36cafbfd63e8774bf7863123e3e9701b
SHA1

16207c1b628183cc8d116670253e3b662d186020
SHA256

1798b882dd9dbf31ba3885ae6d1a415c79a2f8417d24af38fd3c97f2b8e00a83
SHA512

3d933ebb2ff0f27548a8fd08053f0f165717aecc61f64ab56233fded015529d52a7a997d3d5ce7a6efb6354f6926f41a78edaa6b4fcb5ba4ded20f47ac0640a6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb0000000002000000000010660000000100002000000023f719516487983eee702c59c4169eae17173389dc168ebdfbb44cb715057ffc000000000e8000000002000020000000d5b37725486cbf4274deaa660aefb99816161fb43d1f415b583c1e623031e18620000000c6ca102300c21cdedbcf540941efd3ee7a2eb2470f69f34892c34163a4019b7d400000002a38f0ce97dad24d10069d416bfc5af43a5944e8faa43c9713d37b8cd39f372ce9af65b9552a1f879cfe7bc25d6ddd9e5b50cd10f5d62c8c1d7b956ac2f26334	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000007cfc74d952f547161e640b914c5f40e6733cbda0565f2e611ea4d55ef67166bc000000000e800000000200002000000070e87afa864adfe0294e3264bee8f0d2a82a67b449fe8bf2f97f511b24b5c19c90000000999122165b7066fc80aef2e3fa28da79ff4bf232eca6d2cebb59175321289a8767c489df28bb0185eb9c6ec7e6a8d56f6bf45eb8bda53ffa24cf68b904ffd610760e7db2edb00ad46b9f9bd2a8f19f1cadb5c3c4d235870fbc11b9e96b1f35b610175b009393a08c7553e97ef5fa0fdd416357143e6889f02f22c96a5794a3fbdff8b58899d0d84ff64571cfa8f3d846400000005d3972a0edeecaeb1eaa4bdc7a18808d7fd823750a08fd1898f67d323042f3d0df90dc64c37df03bb545fd50e960a6d3a97397469b3f228b3de3cd47c556679b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C40263C1-24BA-11EE-A2BC-CEADDBC12225} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3016a798c7b8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396374481"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2836	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2564	2652	MSOXMLED.EXE	28
PID 2652 wrote to memory of 2564	2652	MSOXMLED.EXE	28
PID 2652 wrote to memory of 2564	2652	MSOXMLED.EXE	28
PID 2652 wrote to memory of 2564	2652	MSOXMLED.EXE	28
PID 2564 wrote to memory of 2836	2564	iexplore.exe	29
PID 2564 wrote to memory of 2836	2564	iexplore.exe	29
PID 2564 wrote to memory of 2836	2564	iexplore.exe	29
PID 2564 wrote to memory of 2836	2564	iexplore.exe	29
PID 2836 wrote to memory of 2844	2836	IEXPLORE.EXE	30
PID 2836 wrote to memory of 2844	2836	IEXPLORE.EXE	30
PID 2836 wrote to memory of 2844	2836	IEXPLORE.EXE	30
PID 2836 wrote to memory of 2844	2836	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\default_paper_2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a699ed74606d18b6363a5ff6e6fe0a2

SHA1
64196138b741f50773c2d2931fbf5d1db08aee46

SHA256
c1374c0a5a0e1ad07950166f9b6a49631016ecfdbe366ecb9330cd46ac75d561

SHA512
16cde325b23eae6059249a85ace7d735667a9be04af19fbc8fa64ad66a16850ffef558b217ec24811d92614886399e31cf83704ce80cc029bbae0320576d2aaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f50daeb4d6c790c7b3f4c2e8ee83eb16

SHA1
6dd096d78607387d414dad582a748009abaa1c3f

SHA256
1a8d9f57148b40b0f6a6d328237f4ac5067738e80e1f999d7e78302ba679c2ad

SHA512
4b07debc8899d9a91e503fb0767c9650373ab61aa5793aba6a15a7d3b00320f00f9659e3d9ac633ff1627ebaf8945d5a2b5b6eb35ec7b9385c657d426da5afb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13083b3728b32a6953c5f34c32f4ad50

SHA1
59f3f67b505f8a619aa08270b21345d951fe654f

SHA256
15a1f59cfee43cb3d0debf0f4b9077aebfdff77eb42d31ed46b29bc406957a88

SHA512
97078073d4ff9fb6f96dcf960be80741eafbcc6091f8c5d4d5f5053d61be5e195f5c7b4955b8d01d54876a9e6891536732113b8be70a282968e12a9353168af4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50a81bb6baa187888e192f002ddd70a8

SHA1
d28d28d8fabe652b9a3162e96d7aa3b034a98750

SHA256
45b5036be8dab9eb646f8ba95d606387f0bdbb805cb602e5967f0c06fb0b9c6b

SHA512
2c1f00c8aaf05278b9401ce15f3cafd2f865af10cae18b5fe8f060fce996c007141a12243e8d4377e34c76bb6f8aaa39c920affb2b3c9458cfa45af17b7988ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a21e46eb161705d8e7c1e6d76ea0fffb

SHA1
1d1e17fafb4315abc7a0a73e9efd23560a3a83b3

SHA256
19c30356edfd6b931d89ea7c32b785f40bfacfd4117e395af89cdd833281cd52

SHA512
c4cf3b690847570a35dc57ff4d25f723110e42e6a4d3ee44f614802b01452bdb7598ff5f95dc49af0d1451bf5271b69147d581d9e9bb7b74f19f18617e49f220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6095efc09099c2e32f64c3885aa61fc8

SHA1
28031f6191489d7c3a0b29a932389d23af32d2e3

SHA256
3102252bf0b070c2f694f1de464410e1a3ea5e4806586f8b26d5ecb934484682

SHA512
f43d5681e7d3c87ad5668d2065597fa37553cbab65a818ca484bab26a5cbbca02648a6dd2f79783d8d71acb9678ad59e61dde168e0b4e444a90edba404879d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
589ede352ac81201d66aea09538237d9

SHA1
574b42c7f1b432f1eb56349f174953ff8f6bcf29

SHA256
a574dc63bf9896c0ed46e2fff34350f91aaf6d3b07069c1b19d90c234d0e78f3

SHA512
1ec01a84bb9551f6704f3fcccd6a08c3fe4c03f87dfb4ea4c24d9a51d456fe01b756489d9fa77b5948c4b79b6313b6fc783861bce937c370a3fad1a7c38e9449

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
250007e0b05b1c55e81c1447ecd166b2

SHA1
7aa5224866a3b909f97dbe157b3b938b584d770a

SHA256
68bd2442ac54933fee9dbf8fc94d36a874154454fa5b5271d52d0566c92d2820

SHA512
4670003f16fcd34314e688c383949f4cec1666faa718c5cb4f6da41a7b04fae37cadbeaecaf3b7afb5dc963897251152f515316872cfe7766d6a140178907ecf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c36e35eb69172494100f9272af61f23

SHA1
aa53b7fb3c2ea10cb9b32c4372bdfb65c3e1e102

SHA256
9b63417039aa0e432570cb44b7d346c0c1cdb98841bde127aa0b8473e0ee238c

SHA512
3d83461ff2f93fe234c1123d832403d30fec057cc06bbd5f8f8eb0ec240907c3878e4f86fef274bc36678720d5d90834dca266d7a48675da3125d0eb1f18aff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2b207804f867c6f114ced96325a5de8

SHA1
b1fcfd7206fe54db669f389092db41bd8d094121

SHA256
cac2b765fcd3eaf2c9a0eda7376869c2fcc791ebd91bea6303d20f0351609640

SHA512
c94b98094ca31a26382df3332eed63482867cc939430125f86d3c2989cfc127628555258f47edac0431f956622a3c8ef334e33114379a95a2553ba723da62a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59fa420c8c39a6aa7831bfcf70f37f53

SHA1
6ab198fe10fe7b38bb07a2eb4337844019adf90d

SHA256
3fa0d821cdfbc19e5c45a9973ffbaf3389010c2763a1e201f96443b586b70dd3

SHA512
e4bd08d66d57f2cd72bafc8200df0f0296e97aa0c15e2ad178ec4ef81a0e4dfd6fbc077e8f3e49920ce42ee08c69729b0e52cd9ec6f406006981009525a54b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WEWWZC8O\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab98BA.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar990B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0VMRPB68.txt

Filesize
606B

MD5
58f78125e0cacc2e5e4551d36a8f7a56

SHA1
8c48996bb2db2d32a94a375cd55d2010ff66ba03

SHA256
6d72a584b8dc5e65527a63c7ca697b841c14db9e0af6063fc16f626c5f132f43

SHA512
63db465205fd85563efe8b5aa01baa33d3e6ddc5fd6ff59235f913002d66b482c99245e690b7a68d2fec582deb909b9cf5cf396bf2b79bc420d7a5b746c22d7f

Download Submit