b6afe64ae4567147667d6e8e1ad9a2532ea376f1e9cdeb37b1bdb64030c9ed16

Analysis

max time kernel
135s
max time network
146s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

billing-ce-cp/.xml
Size

718B
MD5

3dba8c709e82ee3e4df8526963efef45
SHA1

0e5ec3ce511ed20d4adf01abf3fe8b4de3caf23d
SHA256

903cb3cb8ea1f8f420226b400108ea65c332bad585c8c2bae14eb18409efeeba
SHA512

b503acb9f695861d839f391225032a27f1da6638de8ab71cd44380ff57ad0a62939ae80222b120145749b4b9dbab989e632315d6658e183a3935111faec73f55

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397592893"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae000000000200000000001066000000010000200000002da82803c9566639410fcdc17fc3c662f1905324f00c731c6c164548ddffdcbc000000000e800000000200002000000038b26d553de352cf26368a922b2649df1fd1a1321c997eced1e67ba1e782b022900000005de7bac546fe8318a7c38814f0f430cbd09e7e99a62704d696340c7cf727a4631502357c9231beafa0c2501e74058ff83d875a49c1984156c5f280d9a161beebbafacdd4096c09c23479230e905038a4135c44318f71c29719a3408e36fef23b94702ee8d634175d8c9890c2c02339d298205dc31a0329b8faa598ba6553597e6b9f610f47f5b57c0fd719f52ca88acf4000000023352f644fe374d4ef50fc8a932d1c93b5c112d3c83985f70b08bf9d05270ee1517840756ac593485f01ca7a80519d13b6914e2f3fb5fc6a1b164cf7ee15a31b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00062aa558c9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000e204cf65103fb5f71bcfb5c3b856af55fb82cb6225aec858a640b1840097ff0b000000000e8000000002000020000000dbfcc47da9d4a33653481a126ace62f674d98a62e05b31526e5a7796b4be601f20000000f7cdf8d8b9450eda87924680f6d70c9cb7274410000f05376ca419c256115186400000007e6c3c117adfdcc8dc087aa1cbe43ef3a478898d462e29f83dc0823d3660727e9d0ed6da953c15ddaeb0fba8043493bb06cb2ff04d3c4086b52a59f52837c124	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CFC6DDC1-354B-11EE-BCDC-FA28F6AD3DBC} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2776 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2776 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2776 IEXPLORE.EXE
2776 IEXPLORE.EXE
2804 IEXPLORE.EXE
2804 IEXPLORE.EXE
2804 IEXPLORE.EXE
2804 IEXPLORE.EXE

pid	process
2776	IEXPLORE.EXE

pid	process
2776	IEXPLORE.EXE

pid	process
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2152 wrote to memory of 2296	2152	MSOXMLED.EXE	iexplore.exe
PID 2152 wrote to memory of 2296	2152	MSOXMLED.EXE	iexplore.exe
PID 2152 wrote to memory of 2296	2152	MSOXMLED.EXE	iexplore.exe
PID 2152 wrote to memory of 2296	2152	MSOXMLED.EXE	iexplore.exe
PID 2296 wrote to memory of 2776	2296	iexplore.exe	IEXPLORE.EXE
PID 2296 wrote to memory of 2776	2296	iexplore.exe	IEXPLORE.EXE
PID 2296 wrote to memory of 2776	2296	iexplore.exe	IEXPLORE.EXE
PID 2296 wrote to memory of 2776	2296	iexplore.exe	IEXPLORE.EXE
PID 2776 wrote to memory of 2804	2776	IEXPLORE.EXE	IEXPLORE.EXE
PID 2776 wrote to memory of 2804	2776	IEXPLORE.EXE	IEXPLORE.EXE
PID 2776 wrote to memory of 2804	2776	IEXPLORE.EXE	IEXPLORE.EXE
PID 2776 wrote to memory of 2804	2776	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\billing-ce-cp\.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
be064a237350fea00e7129522ffee63d

SHA1
53d3a418f34e8a9d47e21e58b97297b437b925f3

SHA256
261ecf6188568a07dec6816417244a875854c62762363806a00c08f12419b6bb

SHA512
6e3c8212487edca41e00bb910558d568a6a51244a33992411d6919014ae978d436ec8342c431f68602d6d1e722c3e43c1ba46f9f350999c65133c39ccff75e5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1c82d7d23ccfd28ee5e0ec09163bda94

SHA1
ddfe1e471f70f1566545a8698d63bd3a6328ca6c

SHA256
6b1b730b54729196096c67e86a333ec7633b2900019c50cfb8f114deb1e63e91

SHA512
1f12226d5c0ed5245ecfe3a702f15a71395ca1d5ca11fe4a39f4773f77f927d53b33c62d4eda327a829cc8c02d0c998a90d02c88544f2bbfd29694e2cd2d7f1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f80c4843668a36c83f0437935c147df9

SHA1
d58eae760361d7af78156df791bfb2b1d930efb1

SHA256
076ecb25d8da4c28a526283d3897776436ee70330a9acf0ab8524999e043b81c

SHA512
34ae8070dcd88a34f2a3ccd89c5a0db6d0aaa8ff8b3f7f38409ebbfd0eb2861f5797a06afc44da9a046572bb8b8a8a83de0c7a1e6ade06183e28580044e5b5ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f967beee0bfddd32e49d2f924008fad8

SHA1
7ac677666eac7bd47d7ce1efb4ee36d4bd5a4237

SHA256
9b1092c2005078408ee0669024a9eac6c3f67ac6e63cb616066eacd7f701fc01

SHA512
890fd84e35ce01b4182f3c0f4a8ca7db5ed177c9eadd19b4084a344d1c90cc4da476b31a551c0b61955cdc8a0a28be7479e1798f3792e61a929dd9f37422c52a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0db02a3718490542c1b0d2db782a2371

SHA1
2c1fa8acdb1d97d700a99fe8e7bbb215cdeebfc6

SHA256
e7c4dc9b07f382d3991bc27e395910283846874ac4285df8370dbb7c2a378247

SHA512
2554ace84cc952202e6605e42111fbf057db0a0774bea865fa42f87200894cae530b67044fe3ad184a56a4092d616d0fec15c1a37639e7e052489ee83e97dc3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c11f599869ecb32a931fb9509a12ecfb

SHA1
0131825839d2ceeaae7b744209756f64e9b8b615

SHA256
6bc8e1841a5f0b1f63dec427c4fb37711c822f6545c83f6dfb8ff3af72b10b26

SHA512
e1087a4d038b89229e34b4ce9318d2f686173e6f21ea53b3c6330b3554ec179669873352a8ebff8b1f51ce587097fca248dfa2f5b2650c6675795fcc2addcdca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
07abdc96577a070a22be7d6a5384a037

SHA1
264b9fedd37d135081ccfb6a209227834df8a383

SHA256
14d360510e1e982c91ce1891e41cd3030f30f87d2ddbf3f1edda33d81e5ca516

SHA512
bdfa66e89d0a114640a6eb179dff3abda66f57b1326fb5c35e5fefafa89532db4b4504f2a0bd8c769f53068591a7e73e36ebd66acf2d9dbb44e6384ac296220e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3e22850b088f629aec63a56b26192bce

SHA1
5e143bf3ff22691ed196eec51aa9c1fcf6f5d6a6

SHA256
e4d956adf05ecc1089cfc406c1b3bf3ed9f70331be04982816e1073337313b9d

SHA512
43c4599e5adf48d8f2a2821ea95eee3f3df4478600e325650e97f9b8468fa4ffefc506c5e967c1aba7eda74c33ff20e36ba468d9da7d100a77993e5a6fa6cba7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3ad83d282579186471720eb99a85ae0b

SHA1
4875cbdce9ddf5ed00cd685fb0c931e8716b6cef

SHA256
46ff3be93df63699436c83b5470dd3b5a3bf16732d62059ae912255441b77dcc

SHA512
602cd8a5bee753624cd5bf9aa05091d25e86dca2a717d21c9a4afcbcbfaee10c50ed90302f2b416bdf5e2952195bce50798570b02bfc28f00279a02560033920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
81b27a045f704a17597eaccdf545ceed

SHA1
0bccfb126f155d3bac97f842be79cbe207ddd99e

SHA256
d66ea2c0f28f37c48064a12aef98e3073b0ba065279f0919e7fb8281a3fbe0ba

SHA512
cb902125c8360b09f4baaa988c069dd17b15788e5431e10868b67b8f2ae6cb05080d62ca79a4b66bab14dcf82bf028d8c6ddb355035a43e3182afb9d9a8cb81c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
41b29df5d45855909c935d1a6d724838

SHA1
75435932a411ca62328e82ea16779188c1b4d437

SHA256
31853d68d9aafd38650cd54faad645f9f0c8fd4da16a7c8027ee326a7fd68063

SHA512
7b5c9af5ad032d97afcc92607474a622792a5976ffe4f67356480be9b670929c91c2195793f64e75a1e7849739102f9ae1b1cca19b4830ccb22bbc9c3976bd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB686.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB706.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit