6173930990c687e5b99f373761852d920c8ddb834638f5b581b550dfe69e42c4

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22-07-2023 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_shellxsl_JC.xml
Size

455B
MD5

34e208a5ed6cf6c8442eba63970a8f9b
SHA1

d7ec693f9bd1603f551adbcfbd513eba2205de3d
SHA256

6173930990c687e5b99f373761852d920c8ddb834638f5b581b550dfe69e42c4
SHA512

f5d17a2e863a241e7584bbdd9aad9c453abc7d3bcebc869a4b9e7d661f2852995600900891dc6ea39c92404ae753d53902f6902c492efa90a5ccf4c813ee3e3d

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000006d84acee1c36315cf7ac88d2ab4763bad895ac33cc7ade52b98a0dc5073fd749000000000e80000000020000200000000d58e9b792ef9b13fb8083c8dfd0cb986b8ca6c74bed5c3e293d36c1ce44de1e200000005ecade4797411ce14d361008fd73190eddddaf635f143ff49aaca8ad12d7798e4000000009b97d623d6699ac450fd9049b5b82f60fc05b004af9f6397d8e5659193e1825639bcb4b143b45d5a7a35b6ed5144c02035a77c9ce47cd6d362658582d28ca85	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b0210000000002000000000010660000000100002000000021fff152ac9e909b853cb4f9627741ac3ecffc04e153c10288889645b625261f000000000e8000000002000020000000d9fe35135a825c360e1bd3aa01a6d70eb67b2f609ab6e68528ff08e2bfbfb9319000000047c217a95969f047b11839967c316e52dbeecbca6ac0cc87374892ef7be30821db749f05eb6341845bd0a26066b10b392be966e6dddb1eba6320c9049e456b1f555749b494752c398c4f40bcb51ef01b4c7073852e23b53fe88e3fa10d5b8b6d5a0ff29e15c76ecb158224dd7e6b4ffbe12bc5fe39982d7dd089198eec3774dfc64a6739865d1e916e7b3fd39dc431f8400000005df57b4956bfff7dcc5d41a787de010d885cd0350e13529c64ed7fb1e935efb8be17851721a86bb7e83f4573453d63d45d3abb2415eb101b46d34ca2eb6f574a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396817989"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63403C81-28C3-11EE-8A66-C20AF10CBE7D} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708a1438d0bcd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1660	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1660	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1356	2552	MSOXMLED.EXE	28
PID 2552 wrote to memory of 1356	2552	MSOXMLED.EXE	28
PID 2552 wrote to memory of 1356	2552	MSOXMLED.EXE	28
PID 2552 wrote to memory of 1356	2552	MSOXMLED.EXE	28
PID 1356 wrote to memory of 1660	1356	iexplore.exe	29
PID 1356 wrote to memory of 1660	1356	iexplore.exe	29
PID 1356 wrote to memory of 1660	1356	iexplore.exe	29
PID 1356 wrote to memory of 1660	1356	iexplore.exe	29
PID 1660 wrote to memory of 2996	1660	IEXPLORE.EXE	30
PID 1660 wrote to memory of 2996	1660	IEXPLORE.EXE	30
PID 1660 wrote to memory of 2996	1660	IEXPLORE.EXE	30
PID 1660 wrote to memory of 2996	1660	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\NA_shellxsl_JC.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b057e5c6c38f894db85460953684ec80

SHA1
78213611b8f130771432156dac627e5b07c87d21

SHA256
e25760f39df311cfeca9c5066fde605a71dd80e067f1a65d56ef8a6e6c41271a

SHA512
defa3051c01e0289de787c1e5c2f933054e993b756fc760dd2152b2c947a5e6756f633760cbb89ae8fc8bca10d21a221e5c227cd5edad00e13ba575552307152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5428713ce4372d9a86badccd24a3d72

SHA1
bb76c2f84c8abe5e8b7844b3ed1f014fb463dd9e

SHA256
1cbfd8ce3bff04e39740e006d2dd7e4840ff17bd042bdd114ef58d0389fc3d6d

SHA512
89b375854fb5c4d54a83b105cf97bc9c513a09657c8899908119e4bf853acc728aff369c7edac0aa2d242d30658da75c4b210827515bcd3f37c4441c83facf30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4f0032cf800be473bab1c8d2d4ec9c5

SHA1
501016df776627e3d3685fbecc608a2d940d926b

SHA256
53d587b48892b60badb7a527401b949085bcfacfdf35c29bba7a7cc8256860e0

SHA512
f2b263d8c48012fa6566075556583f1b57764a59e809fa291ebfe3d48c0341fdd5487dc15623ec96bed47ff1090a2355a4fd6216aa0626dbc700cf703f199383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a3fabe21570287b0ab3b90bb7f99ac0

SHA1
bafffd4b5b2213655ef82f5961cba15a6442a0a1

SHA256
98bfb5bb8c537ca70350046641058196f28e83a8e943a2099e2815bc6180abf3

SHA512
648fbcf2e7a64c41c5da6acfcf7e7bacc6d468e42b4361477ec343ce72358e109498f914dfb18b75829c9a3a3359a6b8f2f6d6502a64a16d76d04c23c5482a3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b682bbe013a300c2c23148541486847

SHA1
b6f658d5f20935a46c452c11fceecf8c96fc2027

SHA256
e1afce5822001bb1f999542cf82bbf2cd8682c9e79725f09c74c525d3179ca27

SHA512
55af5d54ff8a5d5cdbfcd4c139c4682c9194428b8961380f419abf31661e4982a0cbd64cb7ea888d2ef7f9145d492e708eaa75b3b71f135bf1a83e7b759c8038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
925ad21e6874fdd94be788f3ba17c0d4

SHA1
602f2be97055ec152689b34415bdbef72034a26e

SHA256
322fa5bab1d05252bc6bbfdfc12d0aa917774c16f75e7c9130ed6600163f1d97

SHA512
4b5883cf4e6817d02dd2239255d9969632778bd4ba606c1b8f101c69cfefb8579726505cf0f2fb7742c3ca727619393d8076c9945367e4e9234348e840040f9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3c75fcfa5852b25761b4f3d71652bc0

SHA1
9f4c7727e6cc0b90a5812a23f6944dfe48dee952

SHA256
a2f3892b4bd7ee4ac3c4fa854116a10fc298e7bf5a79a61ec1af3e577d3a9b59

SHA512
53d1693461bbec6c648d9d2811067ea491dcd9cc7b42802d399de67642113324aa3dc9db70e83604005f603d86be484febc595308ce7a1d0a30e24292dfbb3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4401aea2224d190280095d5c1e11206

SHA1
7ca8a8d8e15bc1be74c4370ee3d49ab6b96e1fd5

SHA256
7603a0f239af4962225b6f1054b5efd5eaeec9fa99a871eddb29d67f0537e0a5

SHA512
80656324c45b31136bd1cd116f8a5f2a4e7747f2f9ca17dc7dfc867fe9da25aa064a1d061850712c947ec86212fb3efff024c1f2bcc5dd2ecf7422c5c7f907df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbf48c28cb3319e4048c49a960fa845d

SHA1
1107c80f19c878edc6061e464ab7336f35232eff

SHA256
e459330b8b4237a1c5a17f29dbaddc9110102cde88a92a8ef7000aa45318ade2

SHA512
1d91e647dd04e8072ee71be5c9339fe6c8661062309eba344546f43a5431a1a6a17f31f55477c977237063b20291ba504121e7e8eec563a7d981615b250de2ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35419e09086511dbf11abc35c231a342

SHA1
1f9167fbeff5b7c7ef282876f8b384e510ca6f2f

SHA256
b8b07714e34199ea820b11e49ada419257d8539233b2dd8ca005a6fb4785415c

SHA512
e5f9c9cfbb9bc695bc18bb9dd336fb6645d9049b78331cc077239b697678fa4d47797b968ef38135f3d27471e550939549a1f1e0f11454d78f156158c4d7185a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2UNMO2B\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab937B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar94C7.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7H8PNGXZ.txt

Filesize
608B

MD5
6d1023b171c0029ad56bceeae9731897

SHA1
d68aa12d120c0c8fa62e3081e719c21df7eefcc6

SHA256
7a3120ea9b331dbfe1684f1bb0b25c9d0835d69caa6e23b93934febccd32dad1

SHA512
a083a29abc7a038b1cb0a0c902fb5737347f1bc92219f77f4fa6bdff7b1e452e8da49f4a0b34cccdaabc979846cef7b7c476a368ded335997fd6dbb25fb14c4e

Download Submit