9a58928021619edf547ba8793a91c219b4fdd4b6d1cb8ccbbd840ea2c8596c94

Analysis

max time kernel
134s
max time network
137s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout.xml
Size

557B
MD5

e754f3032bf46c6d8d97140622f7cd43
SHA1

c3b07417ea1eb6101ced7ffe4fd1b52822863a6d
SHA256

6a05056f555e8ede6117732f3fa4ba5b538b0bd81fbfa2e665f7109a535e78f5
SHA512

8beeec4db830502e0963276512e50513ac3d47da758e3e4b9567736ce3ef3552ee84c81ecc5657822c70adc921181e95ef1e8ba909c9dfd4828ef41fd2972e8f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000006ceced706e51aeff1db4b86591c98dee0388c96734a8bccbd843c552c05194dc000000000e80000000020000200000003bc5af7f7a1f57c37e846d9a53317566033cddac5612eff7f2d6a1f3a602af4920000000776ef1500cb981f23b15d0f16da3de3793e7b80d9661d6be3daba6e475895d4840000000f58d3af1bb36e15fe2d1b16cb2611abf767e3b5190f1403899ed157db5cf6c90a452068af6cef18cffd18fe58201f753c90643ee89e0a3a438d2e30faa075f8a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000008824f32bf10c1bad06f75038181d490e4d1d3ac675dbabf0633dc33ac198d81f000000000e80000000020000200000007cca0a64736e7d33aa6e9a17ad0fb70ededca39d3893a29a459a52620cac2a39900000000865e8befa36bfb754b4444070037492bc676c06cdb471879cea321ddc48b8908980d2ce7790813c8fd149fd2b98e0dde3baa023eb900da240aaeb634c8543ec0576aa3278d5ad6b2282ad799203e684bc4003bbc0b196d47830f6e6684651de35b634350b07aea444939de7d7983b8fe93525b2c04f7f2a6e0718b2b0242e8497df1169479722b99f8cc79eebdb3ccf4000000057e5c6fcbd2f9237aef4f018da3b7cf02e33f370c32fd270ca3480e536971c52776a2e5617cfac9cd06e1131ea735e85cd8b512bbfb6acda62764b58a87c1e7a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10307a1e6ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49789091-3561-11EE-BE2D-CEA1BEF6F4E2} = "0"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2836 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2836 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2836 IEXPLORE.EXE
2836 IEXPLORE.EXE
2156 IEXPLORE.EXE
2156 IEXPLORE.EXE
2156 IEXPLORE.EXE
2156 IEXPLORE.EXE

pid	process
2836	IEXPLORE.EXE

pid	process
2836	IEXPLORE.EXE

pid	process
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2024 wrote to memory of 2848	2024	MSOXMLED.EXE	iexplore.exe
PID 2024 wrote to memory of 2848	2024	MSOXMLED.EXE	iexplore.exe
PID 2024 wrote to memory of 2848	2024	MSOXMLED.EXE	iexplore.exe
PID 2024 wrote to memory of 2848	2024	MSOXMLED.EXE	iexplore.exe
PID 2848 wrote to memory of 2836	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2836	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2836	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2836	2848	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 2156	2836	IEXPLORE.EXE	IEXPLORE.EXE
PID 2836 wrote to memory of 2156	2836	IEXPLORE.EXE	IEXPLORE.EXE
PID 2836 wrote to memory of 2156	2836	IEXPLORE.EXE	IEXPLORE.EXE
PID 2836 wrote to memory of 2156	2836	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98b456ac3fa2092eec5927f8f3d2d594

SHA1
aeb6fec959aad87413e9c8981e326b54a019b1fb

SHA256
cc1386274be06fc82ac683ee7dbbacff4b5ee666b1405b13503b394d3cf6f22b

SHA512
bed252209ebd945b02cee65e841ffcd819c66adcbc7fbf6ea4a70e43ecadd3f2a966e48356e20981a1b222c52a431c2fec246032ff87d2987e73ef4111a240db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de25b4189ebade63e73730a56b2b482d

SHA1
d707c30ff19ef0f8f41a255fc90db9f721fdaa6e

SHA256
c1d7894e0bb07ab060704a0aef9444b7cb4c39eba996e39b27e68d199002f01d

SHA512
21e2187e1a98c3a06f4ee1ed42d11d0988d25fa59b6606474dc4cfea06e6cc892ae03a2f6c69fe317eb98e2a03cdc0604a76acc9ae42d0cd1b547c9359482f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1870fd7af28be3d4e1fc17099db37e1e

SHA1
88bb15aa11dcab5beffafe4b72c152fd1c78a5df

SHA256
6046c0d36e1d3e4da51cb4b83a2e0903fb630fc7d3d5a5f5383e937b50f96936

SHA512
09372dd3b97b290727be4a0b151a249a1e4525c77e7589a919a567d78b943742ebfc6bddb03bea656af2764e0715979fc7b657c46fb6e60ab4c2a1b83204183c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f0bb9aa00e75a17fd4e26846ecccf6b

SHA1
1f480dc6e44184333fc150fe084455fffbceecc6

SHA256
823c0513a47a5a6ae3565fdceb1f8ec8ef935b9196aa00e14b712b4912ce248c

SHA512
ee494752c3c4b75a7ef76e4d2489f6ca8e4d7b5fb39162d7d6848daf3cba5cc30c5d74865d3e22bb514671354a4828b60968449ebbd8fcb166cd787c6234125b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc2a451ccbfa932ba0218dd8a2c8aadb

SHA1
5dfb5713abca9f9f1f52edf8eb4189f324053fe8

SHA256
4247dff7289c61e51157f092191edc1a0b8b59b99435861a79a8a806c19c2aab

SHA512
2867c3c159b96cc18053aa079f86740fd1b77533d963648ef5a1a73ba3c27d5763b0397cec1ff6ec429304ef1ef374447fcbb52a7a2165af66ae0cd954667482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc0925de047b66071923d2fe129879a9

SHA1
62ef590053d48e09992cc107a425c6b0bf45fa26

SHA256
9fc2605b73e4366fbefccb3dd67acc24026baeb94f180ade409b2751f2ed4f25

SHA512
8eb339a4fda00c0fa3f0054d82b2aa703422d9a859c0f3e9946726603451a3430fde2d9a39c0dae44407c2e07ae95f3498738259bc288df35259f215dfc77f54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abd48c92574658968e8cf3301f62e79c

SHA1
0c6ed3751b3099c4fd2a58a8b94f3bd4ab0641bf

SHA256
695652b7c2d3a5506d13dd41cfe8ce497c1a49744a657647c238ea6ab10d885d

SHA512
d9b922d28b3108f85c25eb5c857a8d6228642196fa28039f072ea9f9ca264831facb9de7c2cd8d063a9ad68294d2834211a55b7539ec60c6d6af5fe0606212c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b08c17a6a2a9a235cbb2bc510809c3bb

SHA1
a74aae956a8064a56d16a34d39277db6ddd6d438

SHA256
aa10253a14d453b349f89d7b0f56e67a5b759b7fbafa788a2b0d0aae793577de

SHA512
2455963e512f2c92828f2589a223b65947ddfe868f664db034ff081ebb766828d1618314d8d2521ed3dbbccf6a2a7269a433f133c870d708ccec7b8ed34385eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6cd0196ddbddb6635685396c47a7f4fa

SHA1
1e3603d8a9dcac4b1f27ff0f737e0d2672de48bb

SHA256
aedf1cf0f2acd67b5140430489d3de416df4613c9f3252d169f1b37a4ee4a48c

SHA512
b844bd7a2729fe89db3199f222e0bc99039d0bb805fbf4a42ddedf9d1e317f1d927c97979ff3223c3d204e4f2f0022c61f871e75dc17bde51eb6310fa3c854aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
40eba1927e40c9091ec20f8e09700ad9

SHA1
47616b9e7c51bb52d9c2a6c03cf6722072e20e66

SHA256
db5838858b4da17cedbf465fbfb0c5de995e0824c056b5a4adf1aef76ea23866

SHA512
b13abfe9efbb3a63a688d6a675d1f88313956dd247d23dceb0dd37393335be6ce500f76a5bf121ff52751698e9fcffa53474e2d9f92493493b6edb80e13112db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8A67.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8CCB.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit