30438a48463c536433c61446a1f8e874ad7ba451180c1bff69461b2a9d7abdd9

Analysis

max time kernel
119s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/07/2023, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rev_3286/syscond-en-US/AddRemovePrograms.xml
Size

10KB
MD5

dfe20a0ca8674d6eaea280c139e2688a
SHA1

97027b92d40f5029ff296a9ea3105b775b50c209
SHA256

c97cd236f8be2b235685d3d16632482839208604db3f550f9524eafda33b9ca9
SHA512

120c45bd17045b6f3d4a9295e1888d81ffa99ed0f1d146aa2eec387c1187eef8c718179771bc0cdbe01a37a487d933f55c92f6f37954f392f007cbfaa2aec877
SSDEEP

192:Eyvs59wT2mCtKNSMRdMi4LBDZDHZEzT+ygx5LDkFdzj9nWyihWhqeGzpbeEKJ28m:ZvyiCDdyTO54zj9na8hqe6pbeEK5jq

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15B60591-27D2-11EE-ADDF-4E44D8A05677} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000f05f38acab2dfcb208c48bcf1c8d6efd3b2a809168411e7e63f0033755ca3531000000000e80000000020000200000007f062700ff68ff58b290dbe3c656c096970d9cb550a65a46399cd808ae26c8c490000000a2c64a83a08bd1e5130950f5084cc27358a2a4ed37018260a10dc01764a89dd2eb29517a41adff6f8a660ae50afdb074f42da27073658647b6ed5d76e1261ce6389955e355912034317db34a9452016afe9772b9082529826e8bce6a00fe84140bff12054639f5e4423a67f114cde153b883aaeda67355ebe70aaf58939c0618df19b5d328308d47f29d1e0595e832514000000063de11d6a5f76b67582c739b9a35a96bc4e3d4f39ca6d1462fcb43945d58def815ab6662c7227e21718fc29692171f6f7acfe3c6a7afe6c262c84b76a1774733	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396714350"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb0000000002000000000010660000000100002000000069d48f3fa7a66df6432a30e2620e2a96e5c5d08662e628e9cfcefb5f62137cdc000000000e80000000020000200000002d118dfd9cac316aea0368c0d0f69f3b00ce4a0afbf544fcd01bb5ecc7ef5685200000000a8637f5f662d28bc1baed3d8f972e27a48c81d8b9de59dc2f84fb62b3f28c96400000008ef8a6e61c1c72339a95fe9165030f141a34dab18594806b7d2311ab2ae6b14ac9d390e1faca3081edc2b4079772f788a64f964a6253d0368004994c22ae0eb3	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1029a2eadebbd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1396	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1736	2560	MSOXMLED.EXE	28
PID 2560 wrote to memory of 1736	2560	MSOXMLED.EXE	28
PID 2560 wrote to memory of 1736	2560	MSOXMLED.EXE	28
PID 2560 wrote to memory of 1736	2560	MSOXMLED.EXE	28
PID 1736 wrote to memory of 1396	1736	iexplore.exe	29
PID 1736 wrote to memory of 1396	1736	iexplore.exe	29
PID 1736 wrote to memory of 1396	1736	iexplore.exe	29
PID 1736 wrote to memory of 1396	1736	iexplore.exe	29
PID 1396 wrote to memory of 2044	1396	IEXPLORE.EXE	30
PID 1396 wrote to memory of 2044	1396	IEXPLORE.EXE	30
PID 1396 wrote to memory of 2044	1396	IEXPLORE.EXE	30
PID 1396 wrote to memory of 2044	1396	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\rev_3286\syscond-en-US\AddRemovePrograms.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
777580fbc144a6d060f98422ad01d33e

SHA1
af485ba478e31bee33ed7c1d93603fe88a4d40f0

SHA256
315e59e4f0a2ca822fb1fdca44cdd4338b1ea4c953b7b4011c33cf7241a01cfc

SHA512
54a6e1f3e18b5d203e0c3025c23c17bbf860cb312108f30d9d5d98c38b49d0a477d1f441c38a8c6052b5fb110160b99325d3190b92d7d59929711ed48bbb8f75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a17de564845fe5510949b0090c7e230

SHA1
6550be89bd3e0a27a9e9d41f88d4b1fe39cbaee9

SHA256
ea528ff453e3335b5d111624dc662cbc92067aef8884fc3b29c4fb2f0e61fde4

SHA512
81ea02a934759c3417ff9585f3b51d18434957701b57ff701da0e75810a54e3441631673bca0de076fc75b0b2018ce23382b6c9707cbf74555b31bfa11723aea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c855e9791715dd3fa94598e295205d3

SHA1
355244a65326ccea7021258042253ccc85120bfd

SHA256
6a6126e461dcde9cb9a9ba6e852b4bb89e675174c38b2515e5e2d4b576657798

SHA512
a66e3705d5f163dc57285d6522cbdfbf6a96047034ea504ae46657c626fe122afe1acc99ad570ba7941e0576026e0a3d44cafd8aeed1db15f5cbd349d2f4b8ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1c49b3d6194728ff1222df90500b3a2

SHA1
98b988532e224340ebbd4a4f0538624b4306ed84

SHA256
51dc2a5081ae1de17f31bd4484896b1f946a5a15c45c7feeb7503e84f82a0a08

SHA512
7c62d376ddbf015205ea6361e47f79132738dfe7c00df14a0f4bbd4843bf24c0a465c7968793c77a52e836e38fc44aa2d2af320fd3ab7f4388503876f855c6a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1311db84e644b33ab98903a4a6a3679

SHA1
fd7e818eaaea6626e68fa51d883779c73dc01c77

SHA256
960d725d597d0982523b48300e1a00bddb69e046724351aa2cfb59894e01e90a

SHA512
ccf839c7e04ba3aae7122883af1edf6303bca4e66c6c49945091db73f95b1bf141cfc01204c10ae815f53e173ea9020ec7e1ee171380ac14c82a26fe2035d5fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c422195a190126cc764c21b23c3c13b

SHA1
eac0028b6ab6ae9a615721253329820ec57ff9d4

SHA256
67f9adfc88e8171d35ad5c94c4d2e6798e373f8a86a92e39e9d1e7e69f4a9aa9

SHA512
c7c259bb472c497ec2c8984b02265b79958d9ea9bad2391dd0725d23a2cc0a063d87fbfb0b07c93b5f4bab1527d385652faa95651ad5a3e2bf08d1da51375b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f2e0ae92d7529d222e2e618b479500c

SHA1
728c9e55bd7d8608fe7e251033110d860af70e72

SHA256
0393aee908d273ae98aad4a48f6411d35efad959eb5004788ec24f4d65058c1a

SHA512
88c3dd9a53e0af39e02ab684c1ef37bc6ea77073ffcc0beba23f975a6b90d9846d001dbf47eec75e748a961d6f35c01fdc1b8e66ab48844e29c70fe796789b8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09bff5af2fc71e86af2b897a70dc9fa3

SHA1
b68b71e8e82fcdc3461be03d5c971f3117af1823

SHA256
a4b0b32ab005df2ab428ee50003b183914307cdb6756c36495585f6f99f5348b

SHA512
280abb74876188609aa4b6ca65850fc139d7cb118af819a6da1f28eb747d12d9831137323b399ba2e06ad0b0fc456acf0c3b1537447780528ca2351d7a8678d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3cf97f1bf27dd5b01793560e87e8127a

SHA1
0e440d9b1913d8614e5d036e21684f2810e0f3ba

SHA256
7dfdee4a7661d97f50e815c442a64b68129fca2ccbf6ace780e7e03af2ef8209

SHA512
2f80da44dc498bcd7ef87192e6cfe2e894c1ddbab90c70bd148a320863c51a0946f767501f529363d3e828d967527d5431d02ddc3674e41bfe3b6f01cbe48408

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e50b1a3235602c73d44feb8b56fb2d6

SHA1
af4c428a2c03ca210443c4d1c60a47091b5de5f7

SHA256
5f882d4117933eb11132bb312ccd187f4509c389c84da092069c498fa061f0d0

SHA512
50e1e0e4367ff79568c5a0386d1f77ed9008dba203ecb0e9a1cd8262745b9e3a44a3e9f9f4aec82d68d8f3de128feed99b34c9688ea733d0e8be34243f2c461b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9EM1SEHQ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE3AC.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE42E.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UAL85T8R.txt

Filesize
606B

MD5
b1c2e2098f754a37122019736012e8f3

SHA1
4b4442a7c30c1eb29d831f9b966ef4d0d7d00eaa

SHA256
176b16ebb2b787ef909831b8f3381808b9d2aa3a304a9a152ead3ca140146bf1

SHA512
49c45c9bfe215ae5176a10baa6782663b94df9f81b207e31a134df9ef66278cc4e7dbc123641f0c40e09f1e9c4aa120528c0d4cf73bdbd3269229e278d7b682b

Download Submit