b6afe64ae4567147667d6e8e1ad9a2532ea376f1e9cdeb37b1bdb64030c9ed16

Analysis

max time kernel
120s
max time network
171s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

billing-ce-cp/.xml
Size

1KB
MD5

c2d2d379399605b0f66ddaa0c61ece75
SHA1

61b566679865bc72336715822f2c5713caf24ed8
SHA256

626a5742001e53d55afa2ee9629c84be8d557b28987487c64f526da11851cec2
SHA512

bb376ced293757387a4a5e37ab018f25de06ac330a716da6c1b5e8884777527a0acf28e68b3d21167bc9bb0413c92bc76b113a135e8bba4443fe4314676d2991

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1881FB1-354B-11EE-B714-FA427F214E3D} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c00000000020000000000106600000001000020000000eadd084c828f6b6355e1a9a83cea664056db8f4eddc986f9bf2e2cfdb3c46cca000000000e8000000002000020000000c4bf517acdf683be27bc1e0639a65b49b1c9a82a26213b3b51db36f35ffda9122000000060bba6ee91eb68bd5d2ca2f14c5540b062636eb98af2c912a31d468f34a36483400000001a3dd229aad7941fef1609434ced791cc88da1496ac5c5d55b0e4d566d4230c66b437bff3ab48e49678fbe03f82da100fa6de8cd0a9bf75c5a6b83382094a69a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c000000000200000000001066000000010000200000002cd55138643dd05aedf0c4307691e60475d8363c815b3e826748844340c70433000000000e80000000020000200000002baca5377b23fabdb286efbbcf2fb16289b8876883ed9387d0f877cda5c85fba90000000905b5541f8e074f5bb8bc86852d42b83531f0447903cfa6b6a873eb9d9d12a5c5f3395300ff79c3ee6838e5e55f22ee869d4e0e11cf3e9481f8c5b442135b13fe4b6244d2226ab67df0e52a5376ae44f3a496845fd610abd810acf5cf05dc3102339e6f532d392b2b77fe73bf5420b22ed68cdd7b8509c61990f4be7b0c37efdae5c2faee847d7d904760a1d406bc5cd40000000f0e5db274798ae68a05c2b1a22c66a77c3f8d51b6d9d3544b73ee9596957eaea1e32c9983e044794594ef45442b1db81f8ab55a06c68c13709d8510b286f6ff0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70119cbc58c9d901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397592921"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2108 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2108 IEXPLORE.EXE
2108 IEXPLORE.EXE
2688 IEXPLORE.EXE
2688 IEXPLORE.EXE
2688 IEXPLORE.EXE
2688 IEXPLORE.EXE

pid	process
2108	IEXPLORE.EXE

pid	process
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2312 wrote to memory of 2548	2312	MSOXMLED.EXE	iexplore.exe
PID 2312 wrote to memory of 2548	2312	MSOXMLED.EXE	iexplore.exe
PID 2312 wrote to memory of 2548	2312	MSOXMLED.EXE	iexplore.exe
PID 2312 wrote to memory of 2548	2312	MSOXMLED.EXE	iexplore.exe
PID 2548 wrote to memory of 2108	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2108	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2108	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2108	2548	iexplore.exe	IEXPLORE.EXE
PID 2108 wrote to memory of 2688	2108	IEXPLORE.EXE	IEXPLORE.EXE
PID 2108 wrote to memory of 2688	2108	IEXPLORE.EXE	IEXPLORE.EXE
PID 2108 wrote to memory of 2688	2108	IEXPLORE.EXE	IEXPLORE.EXE
PID 2108 wrote to memory of 2688	2108	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\billing-ce-cp\.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
035f0edb2640315ebaff27cc9385d2b0

SHA1
0bdbd19de27af5bf36082418418732da9ff13512

SHA256
686976ae0c2b712b32767bcb95e82b122d9961ff78beac48f9bd6c14aedeb8a4

SHA512
434e7dea480ffb5aba93f4da8a77fda613acfe676c0d126f41729376e3c1368fbc899551f02ed6809fa2f4aa6d145fbd91c4838d6b5a17c6b3f3bbf13a0403c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
fd690b3d9e3233dbbd738436fa125cfc

SHA1
b535731b012bdf5c451b14fe7b6fe9a5df0a6483

SHA256
9c69beed03dc3fd3d239728e65139582f055b8e54a50f79ac5e7eb2a2050a7a0

SHA512
97e157893bb9f1e1d5aaab0834cc6a1e17046990e2cf245719aff33c84024f81f593eb558fbac98f65bf0371dc2631b1baa644c8c7b2dd032f0c73f759c001a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
7d6d72d012e473aada2a220acaa9cb74

SHA1
bdb0e4ca931b14248925a8de5b873bd3145c8ae1

SHA256
45386e345d78d20a20fff121006f4e9c41448f4db55528bf156da19fb80e7bda

SHA512
8d7a9a2ecaaf0b9a1b787f612a37bf35db238617848f2320540202db31817809b6483991716be8840793c68a310840efd832f8fcaf4df16500cb328ec51ec7e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
e68de792c5df8c9fafd16dd8468b5e30

SHA1
e246827a320d22895e2c3512ce06124ddace02fb

SHA256
6eeb6b7a8513f27bd63256c97c851de6852cef901e5d83e216d364ece45911ef

SHA512
36a00d4db9add2dbfc36bb111fff00e6fed4ffd0b681a8d436e0a833b1417a7f21c654a3e7aeada571560c313a852fe50b4ece8c37d1c4a0565b69a78b617d38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
a35e0dce68bd0c8520d2f09090bbaf47

SHA1
0602fac0ecb1a0be509af25bbf7de592651813b1

SHA256
f3d02105448be300bd82f2159e9ccf268df2729a86cd61e14e6b96cf78244531

SHA512
cd5fe78e1510a65d82d1fd9a85d41ca845608d4b4c65746eb6dcbb65f2bc0b698e33b79570837efda1c6417ee0a32a10503c2f0a84d45402e98a24042d877604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
3f8e4346b44492f0ee6673f110b2b7f1

SHA1
9641a4ca9c629dee61a241788f9eb32eac1e434d

SHA256
7289be930e78f401d3eebd77ab63c026ef196d358d8007c99c1257f0f369b4b8

SHA512
d52e4c712b5fa292ac9c51ee3a3bc3b990d48abdb420bf93d35f9be2e95c1e4c4727b7fc57dd8eb51f773684b9a90f63d2ec133c076bf517084119cdc384acc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
a24a7f9cf3389ab0ec5236e7483ed38f

SHA1
8851d6a95401773a7163d722fc26532d4f02ca40

SHA256
f9067fa800510874b9f3fcb05efe0ca57114925ca2d7e3dae57695d5027d9d3c

SHA512
1cd4cfb9a1d856c563ee101272367509ccb1529ae514205e3d63743b1f89dbbe760353a45b7e15752611c0292fdddc0e8e50d9d0274e4f08e3a90dd6ac929b88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
71363625ab67082e1fc60f649c2df7f8

SHA1
3d89faf38bb21519fd952519fd5f4a85f8c9d42f

SHA256
edfe284237e9330d857c4b9ac087127512bf11371de0a2c66b3f3f45596d28dd

SHA512
9ab2caa66e07f18d2d760edff781e0b5d7b9f6dff3d668b8ed9d50e78699da32ee15e9d9498bf6e2f53a818b66f7d484181948399547d29f6d69fe2a0b9d1b42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
26723d2abcbf5eae2c0a3836269258fb

SHA1
549cc453585a682b9455d8546fd366b355006870

SHA256
5f745210145a742f811343987ecddadad2743cec49afb98c7c8ec3327df78adb

SHA512
65301b145a8e465c3539ea843e1cbb9118cac44e3a33568f779f50a089b22392b439da107fe287a9ca057482c73ab2ed188ebfd59ca9d50e31638e331770b48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
c9f713cf35da5df2ae62544e37134dc0

SHA1
c32ee01d1441761de43e436f7a2d3e903f9ec76a

SHA256
99fe42cc15c3babf20f2b5ddd1d17d2dcf0bf87d5122042b3ff38ce45ca03cc6

SHA512
aa0d1bbc3d63b363ce98aec6ee99331ee074de938fe9eeb1809337ab2e72a3938065ca2a46ab12822415a83841916f6fa95682d9d267a4ae1dc52499492d0970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
3856b75d1c9ba1b27a900e1685010d13

SHA1
0b917ce85db3ae931953ad7a16f92f05461dc811

SHA256
53a5a530cb8a6ff6243e10834d3f0cbbac7aeb8ea95987c2541cf6eee1223f99

SHA512
d021c26b856e1b0646ff91e4ae546dbc61bc6e3c0d70ce36bff802ef13e53020b2636f29dcf5dd4b882580d82669fc62829768eda66b087c1984770dda4dbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9944.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9997.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit