30438a48463c536433c61446a1f8e874ad7ba451180c1bff69461b2a9d7abdd9

Analysis

max time kernel
121s
max time network
168s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-07-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rev_3286/ExternalBoot.xml
Size

2KB
MD5

ada14c9e12ebb088628c86ada31184e6
SHA1

a2578366538e3de9ea2c047372217a3ff3ff25fb
SHA256

4bd2d8e664271482adfdb53411298577d2bb7c5cf18a6fff30fd8f40abb17ff4
SHA512

147a0d77b2c8e66a97d22e62d15248fc93c0a82d8529628a9612c7aac7dc48ccb3ca8fda317ccc0372e0c9001e8cdf8fa8d12e47d84412df3ddee0b1bebbd93f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16179621-27D2-11EE-8B12-EA84BFBCA582} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396714351"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000000ee9556db3179e3c5b0aa5db3ff43e349033dc1af6ccf4517d79e346def03289000000000e800000000200002000000039d8004899450ee2f733275fbfcfc3686bef3daf03df681e79da59a7cbd0e2909000000007179992541857d249659839081bf1861441431e6b4f4b03925e7275ba88c53e0d26922dce01bd22c4282d4da261849cb96aa8a069a3b52758b6f74a769b2561213823e530036fbf6a00838fd3fb89df53b5af1fe221678140716cab4ed610338619336244c05bff494fcddc7f81d5225af41c1c1c7f7d0dd88359f4c8f56bbb50d0b78e6847d1a3382a77fa589d978e40000000bd114d61860d6615cee1871396e7d97c133d0987b446aa939ee0e18df47aa9365affa55b36147ee89688cfd28f8ee2f3bb1c47a55ac093ef2737f98d4847d8fd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb0000000002000000000010660000000100002000000098a0657105dc623ed4cf5774bbb8b6fb55ebfa2d0de8494886816ccad6820e74000000000e8000000002000020000000315e75de2ad03b26710508bd32a863c69c807b9fbb1804f10026da52f10cdbb920000000ad72eaf257c309fad72003f17e85342550ad9a125e059bd716c89bbef4d31cae40000000238ed26e3605796857889a07de0e12dd5800ccdb69ef184d3bb53c2482799cf49277a12f641f0f919aab31a7d0788abd6d85a93d9257a35eba855f9a9aa6ff0b	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0900febdebbd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2168	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2280	2548	MSOXMLED.EXE	28
PID 2548 wrote to memory of 2280	2548	MSOXMLED.EXE	28
PID 2548 wrote to memory of 2280	2548	MSOXMLED.EXE	28
PID 2548 wrote to memory of 2280	2548	MSOXMLED.EXE	28
PID 2280 wrote to memory of 2168	2280	iexplore.exe	29
PID 2280 wrote to memory of 2168	2280	iexplore.exe	29
PID 2280 wrote to memory of 2168	2280	iexplore.exe	29
PID 2280 wrote to memory of 2168	2280	iexplore.exe	29
PID 2168 wrote to memory of 2616	2168	IEXPLORE.EXE	30
PID 2168 wrote to memory of 2616	2168	IEXPLORE.EXE	30
PID 2168 wrote to memory of 2616	2168	IEXPLORE.EXE	30
PID 2168 wrote to memory of 2616	2168	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rev_3286\ExternalBoot.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
017a4c15a377358ba241b5ef70dfbabc

SHA1
3a6fa6defd63652c4eaf1b4bbe4f4c389465c387

SHA256
cced3ba282561bc36443895156573433f7df98151a3b8a77356e341188581ef6

SHA512
37ef2d77ba2b2b990087e3e7631bbefad78033ca22c7ab1fbdfab4d3ac70d61f515b3e135c3fd21c55f58bbcb06dc10ac186003582a84bcdea835e24d0ad6f09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6451e67a8093768a22949ffbe7beb725

SHA1
1e3ffed54f0c466a908b27993d4ebf442a63c75f

SHA256
5e55b6e9a374b928bf94fa5d89eec96d7509f9ebf7bf6fdfb22810af0bb3b478

SHA512
7c8429061d4c1a7d3575d102a9865d877464d827d43804b1ab62cf1be164d7699fbb18769d6125fa2ba85704b8e1d121dc73fa806979bd5221f46159ffe951cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50d981614eccfa18372ee174b4cc5a43

SHA1
c39c89c76d6fff0607e5fadb34506a945d053c05

SHA256
99f37a8bf7803dd230edadd55f405365342eceec3ec6790fe7cf9ab6ee499802

SHA512
af382a9c09df1c511ff071878caf5e7f9b610e99ed61db3969386dde0ceb01f36014bde1edbf1d4519f613b87de782a212ada6b4960ef20e645f64f4e1d47950

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39dce87d97c094b10b4fd0a183c739fe

SHA1
5d864ed0122bbcd709abf61197cce6383c51b6a9

SHA256
aae333ffdbfdb3ff075aef4ca9d7bbfff7c5a54954eb533e1f9d875642a875bc

SHA512
40f2c0a45e684fd0c7d85af83c1a1a297f1607cf4d57d246c137a0a30e05ea623d70427f79eb7ad52e8f2a6107289569baa0eb66c0c73eb5f3cda9a507efeb92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64a3543ab3266642a54ebcb3c08d9649

SHA1
fca90f47154393e12259be4044fc5f965f43ed36

SHA256
6f75b882a8b3d1ca313a3d92904a55c56530ed19bfa029fb3e719b525c89acfa

SHA512
b7663fd401a71e763118d05ca01a4db79d1d6bc79d3bdd9890727511cfa06c4aab215694f901775be3ac0c108bf10e3ed590e2a44f0d5e3ce08b0d4e5c27e1a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
440fb12370cefee5bd79217eaf91d729

SHA1
815bb649e7ca2949c561837f70838519fc44dae8

SHA256
cf8852ebc298aa421ba8ab66ff985320688c9fdb124f023f52317f21983f04d5

SHA512
70fe59b9b6a926009f4356404bf7cd0f325f777e5e6d9f5d9d8250ceb8befbfe40bc6e8b35563e97aaf94c5e4c4ba13abb6dee324fe3b073cb9392427b34aa91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aea51ae8f6be681fc7c170550f64d41b

SHA1
40a06f03b7bfd4c855a78838b02d4ba691eebe1a

SHA256
a6d5fcfb36a2a720bfcca6105cf11a33622d62090f16e975bd2ddd25c00d23cd

SHA512
5551ff0e1bcd8a0d23c81bc3f2767d267f6aa768ec7a983e3999ca6db5bad7f8f2d39ab840f68149d5c1853869bd6154334d8c0e8d90facaf86b81cf45290103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84f79bec66114883e52b46f8b54aa857

SHA1
374c152f1d6a453ac11b39d25057892aa8fe27c8

SHA256
8cbf384cac45bb9eea8918622feb685a5f172f24c0e8337de6a71947bc25231b

SHA512
d6f78009d0ff9fd11c7179ab5b508fb3ccc44a9fe8d21d2d0581a6657e7688a8be927d1fe91b127ef7d1a2cf62ccb6893817a08051239f4967cba44b71fd25b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc9a579ea7bcb543501966517b0e85f0

SHA1
59447e7e825e663ea3c71f854889f0a0cc926baa

SHA256
8c6221374022bc4e91b01afafd49668d7b5851ea9cac70132ccec12f0f4f4b53

SHA512
d41c941de8717bdb2f487f2ddbd086f0c91d1c985c46470c60d80ac71d7fa256083fba588b49cb303f7f2b88b92d5c4d10a7fe1d78826ee2ddbe4161b6c39d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b20b48dcc004576d40f414192e307f12

SHA1
d388b9e9b91db0675a3becc715d96b5a17c01c3f

SHA256
65ab4f273ecc2c5d512a830dc59d021100b631b38df3a42b392ef22e1e52adf1

SHA512
e5266e46a3c73c153125d6b871fdad4f2b6063183297ab269bf9722d4eefb42013ab7899a1cabb38c76350069b9449c976d999706a1e16a804fa2b0c8353a9bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb0a7da9c403c63a2172b104076ee8c2

SHA1
e51ec67d8f98ff282feaa99b3b62e394d99e0552

SHA256
0d7e3cf2e480e5808a05144be23cdec8f2f4913ffccdeb2177d4168d8da34209

SHA512
f6f336760870e348b69231c8695f5078b963db27c30b2889fc4f02ae27fad5a9330722089985fd6a322db4d3c8f2a644b79dd47634cb8152b47af5e9287c4f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9EM1SEHQ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab214.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar342.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QLW8VKFZ.txt

Filesize
606B

MD5
c504ee1e7128fd772c18d10aab1b59dc

SHA1
2ccf767b3321b4b560ed70d3406a75ffbbf39025

SHA256
f1680ec848962ed6409e998e6bb0e64b712b39da23db0447d92a0fdefd8a661f

SHA512
07e0b85abae3d8bb344da5326e2053b367d45b688a7b0d7281308ea6b6fca136176b967ed559b6a03a9aa18b4282d3b31816f8914786185f67af97ede6e4306f

Download Submit