30438a48463c536433c61446a1f8e874ad7ba451180c1bff69461b2a9d7abdd9

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-07-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rev_3286/inetres.xml
Size

1.6MB
MD5

39f0d8dbbe07170c55ff82ff6e0f137e
SHA1

9968c17e869250de0bfb2353362ff981b1152b9c
SHA256

5b9d8f4735a3bfc022542f617c2fd77dbe4b0bfbb506d51e1ed0adf896155356
SHA512

9f27dd0e757cc4b8a6c3e83e4044068440547380fa91d1580b00f1b62f07822376744ee65bb5eafddc4a35b6048b8f32209d00766f88bf09df9847053c1df3c3
SSDEEP

3072:0wQADKm6VNTp6qpxFwFVSl9t4VpR+4Mlu8ROYg1V:eWPq3yrvMD8Yg1V

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15FCDA61-27D2-11EE-8319-D2B7D0620653} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000009bfd985f76c44d64b8f4c0d786191cbf423ae604929f7d16f887efe50c504793000000000e800000000200002000000023e137ae2b7e5b6234c7caa057b76d1959864b85d108e0ed56e73e7514d18f7190000000e070273098a5285f63702eddf38e19e7cd6d2f831b802af53814a4c364320d7e880c41e84a6dd320db881f3db2ef1dbe064eb977a3b4addc38f9e554538af178f99d3a08189375b1ec93a6c6d5d2698e4779db66163386842a5010ccf94f21e8aff54f3a207fd56bb9d24453167056f63a755d6351cffe7f3bbc86a085a50491e409f9521d530ca9cf461ca02b763ea340000000ef38469909820f011bff09fde1eda6a098f2276e914dca887738264e51ef74e960e1821f9c3077b9e1e61691d668141e470574d752c97514caefac396bc87b99	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000000a876299296f010981423ccf27f56a36cf7720358a1cbe8b734daf17b88b3c78000000000e80000000020000200000001f095c533df6414c1f6247764839789a59bbba4f69b2bfcc87a50baa6fe41559200000002a11ce59bda2f03d029a21f8c1aacaaa23f5cc4142e4fddd7993b4f3626c186640000000a7ddbd25304ea6679a9ecee4aa370b4e6a9f83338bd849d2020ea433bd475a937b3d6617854551e7f95af85ba8773fb7764af5332110501e9f5c071d36b296c4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80837cebdebbd901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396714350"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2508	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2668	1400	MSOXMLED.EXE	28
PID 1400 wrote to memory of 2668	1400	MSOXMLED.EXE	28
PID 1400 wrote to memory of 2668	1400	MSOXMLED.EXE	28
PID 1400 wrote to memory of 2668	1400	MSOXMLED.EXE	28
PID 2668 wrote to memory of 2508	2668	iexplore.exe	29
PID 2668 wrote to memory of 2508	2668	iexplore.exe	29
PID 2668 wrote to memory of 2508	2668	iexplore.exe	29
PID 2668 wrote to memory of 2508	2668	iexplore.exe	29
PID 2508 wrote to memory of 2936	2508	IEXPLORE.EXE	30
PID 2508 wrote to memory of 2936	2508	IEXPLORE.EXE	30
PID 2508 wrote to memory of 2936	2508	IEXPLORE.EXE	30
PID 2508 wrote to memory of 2936	2508	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rev_3286\inetres.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bad02997cd3400fb8a890054aa49f8f

SHA1
b25c97d19a4706c4d53ecc1bae894ef3288b80d5

SHA256
19f38472daef3523be42797e39ac8f1446d164d41fb0c3ad9bcf50a3f760836a

SHA512
689ca9d1340ec9c12bd117d76c5146456eeb38070f8dd66886b992d41ed019b93c2b8f6c152ac5cbb9fc2e3f95e61a56db66057f65543889ce2f77a336b3da23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63f73c902dd2bcbc2c71e305c6bd70af

SHA1
5c1221098f2fc5b00c6b827c406e131875290297

SHA256
59309069f504f0ca3e93eb33126728d48372173bbae24ca1bd87c6a201883eaf

SHA512
142745e08f30efc8c431ac96f41ce6113a4573ee6d4cbb8a448574b19768345a93e6d1e113d24fc8a07e37d1ab575843984e152ee0fb7ba02d2333a53e9daa56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
395818f004b30bcac92e4bd8af56e22e

SHA1
368a047532b5edbbe2d8bbf0c31ae83539bb310f

SHA256
70128cca410c26d61cb9a0a3348670fdb684061cf1d084d7ae4097f95b5794ce

SHA512
30d4f494b42d156adc4cf186b134b945aa99351acf69f5df76184708635e0b0f5854d184cddc5733e7927b30f1d03f68d85b6b9e9a5d719cc9d03954148ddc54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e6eb2fb26e1c09d01f4c625f530d593

SHA1
4b1218dfa1b96d35b994779e8c2c6ecb55c6abf3

SHA256
c558f4cd60cd331b016294d5973431bbc7bb260dbee74a267764b17a38b9da7d

SHA512
efc1bdb1f6a821ddcf7489e47bf5922792a80127b8370646e133eb0c6ff6be18cd5c8839eb92b90795de5212bc61cc79a22df10c94f61baac335def584c15622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0283082878f7df10dfa9554dcc2e6e2

SHA1
eb8df73cfffbc9bf8f726a4e342a5598578d07bc

SHA256
f41e71ea71df3789f94d36f8c19d6fbc1ebee99123bf7c6dfffdd7dc0b2b32b1

SHA512
b13a84a6295cd452aa258ace2df4108867579a8ca7e8fb3ef9436c87fbe66255c6bbfa3eafbf1c35063ddb331a87008a21b86db9dc1343416f86d8dbd13b2e73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
691563070638a6130f1c8b06d899d0b9

SHA1
6fdf9291a39de9bebff2ddf26d6efc12a11c0393

SHA256
a47d2e084cbbe6f30fab16c0390703c02f9fc4a945d95b10b16e0c6f03144d4b

SHA512
24d20f8a10213354395e2d35597f103454d244ed54cc98b160991fde6d28ef8a2a3d59bd847014fedf720e66d71509c8060fabf6821316af1b412175da9bd7bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9bffa952705515cf325e1ca3fa7b79f9

SHA1
1511c94ccfd382842905b4e6878237e29ffd2551

SHA256
25960ca9f62ebb79e37e85dfadfa57bdffbfa7d7fa5de7f328cc727202d2886c

SHA512
05135cf62b920f8ff826e3d3d82905cd1fecc182c76c49f89833f8be5940bcd7f0aef9c69d2551ea21b2f8b161dc0e87f452ae42a00dab793898693216688851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e64391ee7525bf662814e51232eea21a

SHA1
70be9255ae7c7198400ee5893e4375cebe0eec09

SHA256
8b03a11ef854b4dcde540583bd82826e11b83e97ac5a0030f2b5c67f4296045c

SHA512
cd90016fc91bfbf6c6c499b3f32a612536bc501a64dd18fef5c5412dd7d8aec79b7806abc63c70baabff73dc0a94f2c7febb98ef3f0986408237b009d595fdd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2AKN11NC\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEABF.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEBFA.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KLNMXUKM.txt

Filesize
606B

MD5
9c33b6740ca646b9675a8c7a40cae99d

SHA1
d4c4c7e687008fabf2d87604c13aa591a6b8432e

SHA256
a8151465061bd990a870db0e6f05c28efca02147e50ed83e5f0436815c5eab04

SHA512
31c0b5e469de9772889b06cac11ebdb8a0432aec35739bb4b4bb6b8be819216ce6d3c36ebf3f4ce6103991fb6092c94609b800fba77ce43814f5e9e96982e15c

Download Submit