4ee8f34d530594990b263361cf5349b3ada27a21c08b7d65136d858381d2db7d

Analysis

max time kernel
134s
max time network
140s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/07/2023, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

annotation-key.xml
Size

1KB
MD5

4615f30dcfbf96c8c8a2c89a8e2e6437
SHA1

4a9f396ca0d5efb81e30117148358ff0d042c8a2
SHA256

ee74a0b9190e16be152a98d8370ed500b0be49f65d9b4e923e83f1b33bde555b
SHA512

0108808218a574572eafaaab1b47a4df91588ddbddf9076dde5ff2407bbbc9cd0bc1294747a22fa61a4507f3e9a4236db1f9571f5be94942e1849ded5f7ed8ab

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000001a09eaabe75b2ff95238584bb68d130ef94a4cd094b415b57b94170a426fb1b4000000000e8000000002000020000000eae37065c57eca517c6937d1f1e33121ed6eadd9455fd507d79deb44a2a3f6a620000000d6e95468b69e4e1fbdeb1b6d4d92b6549c1618b4e0a4ff09276970d52ed3c181400000006c4612e4e5b72d3ac7c850368fc651efa7cbafee8cbc42db37f5cf4d9d60d201d24dc410bf3c770bdf8592fd407372fd4e2f762d43d5b38fda1f0b691000c93b	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DD1E1A1-287A-11EE-9057-D63E05CE97E8} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c07d5287bcd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396786680"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000004fd04c39f61ef9d4da2951db8be1648b4f26feb2dd07f4e3f2591a0e85c64bf8000000000e8000000002000020000000f91200eb75cdf04c855edf4354120eab9709c743ea0436a9f85e6909250a524c90000000b2fe10697406a77ed74f5870e384984a04bc5d83f5e58462af2970733cd212455c4081a6f8aa857f10248e7a22f6c1a5acd4f673c3e6020c4280aaa724f3ed807f3b40e7ce3a0d05c3e2ead778577174eaf6729cdad330cc32c23ffb7b5abe570c3258932e1a6ef2ee58bb8ef9844d344a8160961bd20c7e55eedaf25e7c3055f6dacd8b08c192a52c046c28f2b4df1140000000752ae29a4e0ac65b0a84503c543661009109c721327aff1f379a429a9783273ff9562cdd9a9c0de1fea3b9fb1bdf602d05a92bf9696e835c2376157b8c483c14	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2944	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2944	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2940	2808	MSOXMLED.EXE	28
PID 2808 wrote to memory of 2940	2808	MSOXMLED.EXE	28
PID 2808 wrote to memory of 2940	2808	MSOXMLED.EXE	28
PID 2808 wrote to memory of 2940	2808	MSOXMLED.EXE	28
PID 2940 wrote to memory of 2944	2940	iexplore.exe	29
PID 2940 wrote to memory of 2944	2940	iexplore.exe	29
PID 2940 wrote to memory of 2944	2940	iexplore.exe	29
PID 2940 wrote to memory of 2944	2940	iexplore.exe	29
PID 2944 wrote to memory of 2448	2944	IEXPLORE.EXE	30
PID 2944 wrote to memory of 2448	2944	IEXPLORE.EXE	30
PID 2944 wrote to memory of 2448	2944	IEXPLORE.EXE	30
PID 2944 wrote to memory of 2448	2944	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\annotation-key.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e85aaf40fab6104767bf5fce7131f78c

SHA1
d0d36406ffdb9c24857c55f8fbb87ec79a9969d4

SHA256
8262dda985b4796b39a63cf04fb91a3d7002f7a50e9fded8f6aff130c766a717

SHA512
0d7341c9753c425c6e93bbdac1697377741d0753c55df234d56f70b3704ce2f31d7ae10e36b57194e23a8b3346cacda58b2241ac719f21d8707422078f01e2eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
589e55c9d5068b84804a9b8c5722b2ef

SHA1
01fec1f195e290a5bc63807405be31ba4d559bcc

SHA256
e496b947adac3ea47f1cef642384c4203657ebf1f5e7a6a8613e475c995d95d6

SHA512
55c3c15747ad94494b10649b2a82c2e7352cb80bd65a9282f46296af948264b1965237acb808aef3a4d611b46a4d1f36b53f856b15da3dfa26b3e82d5de95a96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a93917f43b29e980c35c1d57d939fc6

SHA1
0ada8540e0b6f2d88ca72b5a2023baa8fba2c62b

SHA256
7911019e9362150a986834ee912305e7a59bf46f3408632e84cd2ebcac17139c

SHA512
1c063ff3033ab7d2110651530dad5fa8d1c885c3083640cff549f2cf89a803279a1571c72c164cc13392c485af74d3a3e84c1893d76caad17280696cc068e0d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b1df5db4fae21f71a9f2feedf4d13ba

SHA1
87920c4e6aa3a942dae4fbb6a0b23d848cb7ced6

SHA256
05a11cc740a998a95dd4cf8a5a74741235ae98205b2570fe8deee5994806028c

SHA512
262b408980e90b1609513e0dcb336829b273917811416c008b4f58899a764421d29e8ebe94046cee49155c421b9751b0fbdf86d1fab0ee89594549371dc95b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e60452ef52b2e1f86163bf41a9161f5

SHA1
c6ec510b98f9612782d026c8baf89a17ae314b82

SHA256
53e6704fd586e8a083b0c1a6f7be21c25ea4610cc663c079635ef83cafe54de7

SHA512
faf22564c5c6e660fee3f66c94589dd0fde675529f022d946b0fba5d9c4da70903a551a944774b4a2766db445bb4b2bc78cb16e48ce68f0eab3cb2630eb7b410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7568e1ace543649e0b34613152881c26

SHA1
36f71803617f0ae5f180854785bf20472c6435e0

SHA256
50198fae52349f811d8d1a67d61d83110291eb1eadfcc81c380eae80f6a7aff7

SHA512
d4454b03f02d83bac3f4be2d1a0bed1ead7fc7788983351cc6c641d80921ed1f21c9effd45612d8103ed3f8febfd089832c8563227021ed5f750f2b095eb07fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4066b87572d9f77a2206468004f68ea6

SHA1
d5d3b4b47cbe1a270e03972f18257bb8f016202e

SHA256
c4e441348e0f5263c58dc9b81ef2c2907020b9ff98e816e3c794987cf34d8a00

SHA512
5447df1daf6b5def358dc597aa2e077e929742250c1afcf841df6db1416e16f97157816d586d9d1741b48dbac2c17e1d05b4c8b909a4b6c60b98994e1de0526a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95001da6505fc309357729f9a62da855

SHA1
753f8549e7c04e9d71033c2966dab902f6c756bb

SHA256
b5a75aa8b5fbdf79d92c17e0af0a3dfcd834ab46fab9fe267b31f10ab5d86a00

SHA512
e094224f317c117b5362a0bf713af60619105ec04e13e66d90765b52fc7c255ab3d335a9128b0eb4e6a708aa688dc6193735548011973f13239995e8f1ab1a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9476.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9563.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Y4BTDVQQ.txt

Filesize
598B

MD5
1dd53c9411ac2a2fbf7abba1b229be90

SHA1
1906fb045bfb4945d4d9b847b0426a51c30e51d6

SHA256
1c3547be323d76a7570d7ee16db0c1578595a5a4ed186df6b7a921afe6bbe620

SHA512
78eb52e694d2b21fe7eab18480e99cbfe0fbc962e43a555381069893d23fa5f37f603412cac4f069672d8163ad4875755916744b203cb6854ad53b8d75b95054

Download Submit