b6afe64ae4567147667d6e8e1ad9a2532ea376f1e9cdeb37b1bdb64030c9ed16

Analysis

max time kernel
132s
max time network
169s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

billing-ce-cp/.svn/pristine/37/372924d0e561e64f1200690be39f3c797dbf95b8.xml
Size

3KB
MD5

8642914ad244f675b1bde9ef67106dbb
SHA1

372924d0e561e64f1200690be39f3c797dbf95b8
SHA256

1b1913d822e3f5c47cb0d9e6b3f9ba0bd625dae3cbba3a33f26fae31418b987a
SHA512

fa4c72386f553837d55c315211868043c7507610660ac866dd0b112646c0905ee7dab980f6f94c29e9662a9812aae3c794d5fdb405d60f4690757d6349eab03b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c00000000020000000000106600000001000020000000bdcb41b0902b1fc5cc3359adb7500279fc43c63754df2a1c26b57bb8b8f7548f000000000e8000000002000020000000be8bfae6472abc3cda0015b54cc082d47c8573500f208f49b33f83c90168fc352000000001980f8c6a4b5ed80163859d0cae9bbfc5a0573112f51d642748e29357707f3940000000869afe98571e6daf78e9c57a8aa352cf167676044e811bec06ed62b25188502db689a7ae0feaa067ee4ff38f14494ceda56ff69f3ce354a5dbabb0e88d6b330b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E0DAB141-354B-11EE-9AA3-FA28F6AD3DBC} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c02b4abd58c9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c000000000200000000001066000000010000200000004eb4edf2dac353b2c705dae1bd79b4c05c5e080faba2129fe76eb16028967c91000000000e80000000020000200000008ae18570762b6ad034318797017d3d8a520d0573086053c21bfbbba995a2e10390000000ea7907f9c365232316ff759fb777d5269040c02be348c47299af6a262e247a1a4311ea8e20dea14f01b571cb3d4f1971fabb158a4b25bd9b80b8c6452463360fd29bdbf8416212dd17adb3b4bd607a87c245bb2db1d0125c896717f93e21e7b5b3fbc864a86840c0d2e4731281f9b50238bdbfc9e42ac3f49f175d95ce0682e44ca9af8a413eec054f89916da95469ec4000000052f5ad3dec6e08ac897f7aca320c21a2d87b57575f428d6cda258d5448aaeb960f041413b53ad2735ca7b15f5bd4289f74e08d3cbc3ad70ded57aca50de8018f	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397592918"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1540 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1540 IEXPLORE.EXE
1540 IEXPLORE.EXE
2864 IEXPLORE.EXE
2864 IEXPLORE.EXE
2864 IEXPLORE.EXE
2864 IEXPLORE.EXE

pid	process
1540	IEXPLORE.EXE

pid	process
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2224 wrote to memory of 2364	2224	MSOXMLED.EXE	iexplore.exe
PID 2224 wrote to memory of 2364	2224	MSOXMLED.EXE	iexplore.exe
PID 2224 wrote to memory of 2364	2224	MSOXMLED.EXE	iexplore.exe
PID 2224 wrote to memory of 2364	2224	MSOXMLED.EXE	iexplore.exe
PID 2364 wrote to memory of 1540	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 1540	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 1540	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 1540	2364	iexplore.exe	IEXPLORE.EXE
PID 1540 wrote to memory of 2864	1540	IEXPLORE.EXE	IEXPLORE.EXE
PID 1540 wrote to memory of 2864	1540	IEXPLORE.EXE	IEXPLORE.EXE
PID 1540 wrote to memory of 2864	1540	IEXPLORE.EXE	IEXPLORE.EXE
PID 1540 wrote to memory of 2864	1540	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\billing-ce-cp\.svn\pristine\37\372924d0e561e64f1200690be39f3c797dbf95b8.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
38698b3b49f604de845dd1c002e441d2

SHA1
5f47047899ac2652f0c3b5bfd96f9abe9b2975bb

SHA256
889ddf20ea200a8b3408265b9ff6b9aa7ed2bf7abcebe64acbd9977189bcedc8

SHA512
e9189dfa64b3a74491ac5ea27459c3830759fdc32d16de4270a6058cf15de39bf48707c7d1678d4e2c256fe317e58a0f48f6dc11437a786591f73d284da561d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
ef89db557e9ae2274d9c753db4e7702b

SHA1
ebba6360ce0f6adf8f2eb29085d169b68e4aadb5

SHA256
57b8a558e266f6e136d2e1a3648e509396954ef0bf5add36ad550c55759a6cad

SHA512
a3e653c67978ef997a385e3785237d45ba3e77271fa62f3209f0a71c410c14b10c4998fec5c5e6ca467a3560f713df2323679b123b57ada6f87b4d869026af0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d4cad1583c2b9c9f59609a2035b3c492

SHA1
72585682a3de13c179d5da86b87508c65e2b04a0

SHA256
4bc86a789b77bf1257594be39859fa5e44fb11279383e7c13ad95ed4b7bd56c0

SHA512
fb83ac2f4df11e7f514678bff6780cd16ed09156491c0c3a19c4b3844d6c67c43cb000dbfe3040603719c1ab0ea67c8618df8e17831df2049a7f4ea2c6730e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
4c7955ca0b36dc074db855ee4ff42b0e

SHA1
78fc237eed555bf2b081ab9c3b528b828fc54665

SHA256
ee2621d92545f2fefd3c16af21203f81f6748115273bc33c5dc544405a958535

SHA512
8f795b420882eaa6af93420c0c930d9fb0ae7ad1217eef48994dc0714269f36bbfe6a65952372113ccd8d70d431762b3a5437ca4ca59d58ffd00a35306646ba2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
108ca4777a10ccc977ac342ef031f451

SHA1
1ca6a3d9df1edca47e8176666df1cca3a220280b

SHA256
2855ea3f6302e68a54e3dd9e07efb28d862e4c110fdb4d3629da96c6034ea0c2

SHA512
244a03732f763cefac504bdbed4b11424aa5135613b1f50978b932f30809a90ec4d5602264ba2a76bb25fecb00139f3e5279bb3ffa4427bb374b5c367ce6f661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
2f4c019423192ea45ea002dbe96b918c

SHA1
adeb5a4a7db6cc748627a1c3394023fcd122bfec

SHA256
79e91f1b93afd9a1be0747902b580c332d19339a01ecb803febb394001ea0543

SHA512
53983e32d1d7e689365483785390b17a00dda06207315f9656fa432061f6c81d16cafc41abbe590e786b9087a1020705da7a5b975facae0b9c297ecd114f5d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
98bdd48fea5793d7252475212048ee08

SHA1
23e0d35159fef6d51a7e9c67a432252765be5252

SHA256
14fcb1255b9f0cb01ff83ddcf1cb1c80443493d8c41f62a66057d085eb348358

SHA512
4e0fea5e37a994689b321b162362cff9393b17db5bff7acdaff5a4865b58a9ff0d97a752b76a8f52fe48c1e7fe6c54ae91cbd59d0eee18bf11a4239f7f587c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
89e3dd5275403ab02d2d53afdb7f0761

SHA1
89f60adf1bd880817afe115d83166c1203e553b5

SHA256
915ede7a213413e8917a947d66779c172b7953766e306ad103a2ae71ba28ea0d

SHA512
8dff195a40f3aff7ed2d90baf37ee1378f3a6b2076783528bcd8995a7257c8309fdc0fe75a01570b150a3bbe4b1f87284c172bef20d1fdda35d6af10c3e9a253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
2e2a1528878df635660bc2d5574ae059

SHA1
619316eaff6bb970663a2b712a8c6f4a828cc5db

SHA256
78cfe5e5d067067daec9fbc53c21b66b100fc539adeeed0bbcb548291d7a0e79

SHA512
2851d79d7d1b4fcb6d0979fcd729a1853c518f08ee42b7b233b0a7ce082d7c417952ead921673e237d1a7413db132426662f194c216048287d412590629bb45c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
74301d38120d9200d3df065f38df29d9

SHA1
ffb17cc1899a4095ed4b5f8e9fd90ae4c21b2ac5

SHA256
91574531db35edcac242f346d264a11f80f011bab8e82317b008377df033fc11

SHA512
28a6d76cd9ef1992198ce51d0cd993323f715253177093f0ae83ad403c6fa8930657a363cb116e61f26c5386ad5573960a942a7e60cd14d2e6e92a2a53caaae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB83.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC13.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit