30438a48463c536433c61446a1f8e874ad7ba451180c1bff69461b2a9d7abdd9

Analysis

max time kernel
122s
max time network
166s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/07/2023, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rev_3286/SkyDrive.xml
Size

2KB
MD5

a94642be85e83bd11fe2edc8ee57a052
SHA1

cce07bcc7dbe8bfef8f9397c8b6e76b96ddc9aa9
SHA256

da3489644a56924340c30ba06dca8d02ac68a772c1971ebeedfb07767ea6f1ee
SHA512

cfe4f318b08c3924c51eb679541b3a8d8d36cb47ffb5ebd9d979d254c1cba8782dfd8757f748944967392608dcc1775fdf82b9324b03481314b1f661a085b733

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd82794000000000200000000001066000000010000200000007fd1a162319fb5893ffb82da9db7d222b3548050073cbd7704d269869f078f8b000000000e80000000020000200000006abd79ed6ad3582d90b2f61281292aae9d42ada7dcf8abd5f52215188155bde590000000525d1f20f3320fd5274e5f4e4972306f5374fbb54bfaa5a710afa972db04fb4a9c440a32c216503199b2f7764c377858f986c3c6974fea2447d995addb47e5dc56f0dd99a62fe2b93dedb60f45e71d5dae874cb4fa44a3b5bfb1aa0bf2cca4ddaeee03ba793f81c26636fd87cd64f0a5c7463f18d063f8a733e556279891fc7d5626b3c82272149a82bf5132ebadcf544000000011a502444341b280a642ba18433be65beeb3908298eb0ef8fe56f91ada886d6dfa9d8d9b6a9d31d0b0ae2388b9ba55f85139c8455f17520e8ef0f67cbdcc864f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396714362"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000ee57bc38c77b5cf5aee2e76948467760d8d7987213dde9401b1e83cede3a398d000000000e80000000020000200000002604cefb6fe47d162a37401be8c74b38e017f4477664ab05f711799f60fe876720000000e14f8713b853a16740e8a74418e8c22763083cb2aaaccbd71dcf3d2d9f4e509d4000000035338a7f89d91d88bf4e3cb5aea3efef809fb726392dc4786bee499197c9235006ff874f74f42a10f9090f4ab16458715230ee4176dffdcc0466ac7229a6a87b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c536f2debbd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D4848E1-27D2-11EE-B6C7-CEC9BBFEAAA3} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1256	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2908	2412	MSOXMLED.EXE	30
PID 2412 wrote to memory of 2908	2412	MSOXMLED.EXE	30
PID 2412 wrote to memory of 2908	2412	MSOXMLED.EXE	30
PID 2412 wrote to memory of 2908	2412	MSOXMLED.EXE	30
PID 2908 wrote to memory of 1256	2908	iexplore.exe	31
PID 2908 wrote to memory of 1256	2908	iexplore.exe	31
PID 2908 wrote to memory of 1256	2908	iexplore.exe	31
PID 2908 wrote to memory of 1256	2908	iexplore.exe	31
PID 1256 wrote to memory of 2304	1256	IEXPLORE.EXE	32
PID 1256 wrote to memory of 2304	1256	IEXPLORE.EXE	32
PID 1256 wrote to memory of 2304	1256	IEXPLORE.EXE	32
PID 1256 wrote to memory of 2304	1256	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rev_3286\SkyDrive.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
442de57133adb9564f1310bf306a0a92

SHA1
45e4a1d3c726ed5d34d98724c99eb8daf0b5e732

SHA256
47a5c2a7e0ba1dad049c0e28a4ee8ec230f149427f1aa2ec5fd46278cfa5c167

SHA512
1d342dbc53bf813ceb28b8e490d64c08f33a3770d61597b4fb98ec9ee4adefdddfda4d3a2a3d173c7407313fc40724728f0a3d1838dd951433461be274e57742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92777c6dfe7264151e051d9271ccdfe6

SHA1
94091dd594ea77169c75d4b03f2b8283ce9e18ae

SHA256
24ff14ed1e270fcd1ee1a126cb2864fbad1b62bef70eea214c9e7c4bde484a4b

SHA512
560cd48bf743fd5ad21711722cf75e857297347ac8f2a5cc6e3b7b2e3e411e43de9a26741cbe3295f3741ce0f66f3f4d5b8c8e3848123717c3794a45952ec246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e45efa2cf74be7fda28ecc4c91ec8e2

SHA1
71d8f18a4fcad4b33fb420eb2c21276f247b5ce5

SHA256
25f9a1a19e5b347ae8d0a4a0291e6c28a1c74da2e545ef5346fd71fe388a0081

SHA512
14b0136377c945389dd5003c18a821b2db0cfb5ceb7e46152b5b3d9bd3f947ff8f2e75269bf657e33c1a52aefc0bd10b28bfa9127f514c7f274adf704b22489a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f1ba9325e0463a03be0a4d7c3bb1e41

SHA1
11247b53c7db9f03cbda7a070289f5bd5c63eb92

SHA256
18577bd9d96f96d509ff1710c7e7ea4c7b009a75237e9976c05f806dcedecfbc

SHA512
d7b660817fc0168504ce5d9fd7405ff3abc950d98e6198213827cdb9338c859bbf3a54e406c9c729470dafe3214c9f1d8d9aa880194b86d0eb4b0355b356424f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc0444f4067c18ec6539190ef2f56c01

SHA1
f12f6f91b34210e6d496d2c9ab836348571b35cd

SHA256
13d0a75114c097d37a1e7181aaf4722c648668dc169c55ceecf6ed22949f4d8e

SHA512
199e9b8ad8359e69cbaefe5de5acbe080f213007a349e7c2504226400b209c7a20d901d171717bb609d7075c5bc5b54fcc4af6d37383c383cfe207e8544150d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
951c92e7d5ace7d02e65a73df347992e

SHA1
b6b45b747d5becdd8f30e782abf748f983ab7b9d

SHA256
45212b55e60af2bf0289e74e45d0d00472207fea8fc674d22589a8d90e7b984f

SHA512
f7dac5c39f871efb60b5d1cd64528fe9c2bbd289cbb414e2950dd828d7edd460910d0b37c6b7a0777517930e127fa740305349988c5828554f4550f101a308a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17019196ee7f89456ffbf9fc8ba7b57b

SHA1
691e8c07ae2a96622f5b68bfd90b68c7e6077c0a

SHA256
4197b2439283045579d829764c7ceaf67d6b7d996f52fdc16ec49a9a728259e4

SHA512
4177b8e468068c8cd86145aed41fdc898e7af10277890c81b88826b5c31410356645a98e49f77719bf4c44a7a146f1dacbfa53fe40a050c92190821d29fc8c16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a005d6efe27d498e16226d263b0247d7

SHA1
83d5cd13e9dc87f6bb964ab0124e408dc96e30bf

SHA256
c5f42727352258d81e942cff1d8ff6c9e68f49214daa0cf0f2291166b6cf6203

SHA512
f7ac8ea1682c143fbaaeae12a1569f9dc7ce8e76ee08ddb5b19e836f008615ee88c457dbed117c1ad9403b1184cd8c9f551bba59a49734aecca5e863c06b3a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fce228126aade32a933c859e0a2e26cf

SHA1
d4e932f25b30297fd317681e13ce3293b17b0a03

SHA256
8da9fa44d6ce49cf5f13c4b2e11dcef4cd8184fb2dafd6370edab65ac5d3a5e2

SHA512
d0fcd94928fb3d627954155b51dfdc38c6bfc431c27d4cfae9ca24c65068c73242eeed43c5e527099497e8a01af32b741f3344734dd3ef29c3fb1460daf221bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E25.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3088.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DG2ASWPG.txt

Filesize
601B

MD5
3883db8e5516005a65b271cb7ebf6aff

SHA1
0f4a54c541b3f9e155cf46018b8c7b97902eb3c7

SHA256
337f200fa8e98e4de31f9436d6b5ba82f2f886d088cd3603313912e567b56cb3

SHA512
6d58db3bf1efe2111f04db59365845648f629a198dc5dd3b8a93b23d0864e0c88b0147404765af956f56869123578bc1c9720ef45f9c160e6723d1370aa9f71d

Download Submit