9a58928021619edf547ba8793a91c219b4fdd4b6d1cb8ccbbd840ea2c8596c94

Analysis

max time kernel
134s
max time network
135s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_8_overlay.xml
Size

2KB
MD5

65a2809f038ffa4146cf59a57e6bb32d
SHA1

3b5e30bf5de229cbeb085e1ea355288d63ebea51
SHA256

8dc35b01684c284e85275509e698edea94e73f6e328732993a96b881f20eaaff
SHA512

2f792059b6aa0a1dd32924169fb9176e9c6523c6f17b17cbaa2486bb246b6f726e01717b47372d9558501cb2dc5f51c1564b7ce195bcde1769e07b3fb8a7879b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BB22511-3561-11EE-8C62-6AF15B915EED} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000d90659942d45e970d3c6ba734a0846b4bb595884be6e3c5265b0d1631a18a3ff000000000e80000000020000200000007c838206aa849e3e9f315b8a64f602ec8dd3366b346f4d9fb28cc75faef5795d200000001024e2e898b77b13bfb27c6b23b210fa324abb0b872dde07511b3db816b53d8f40000000253b295d95c69f36b57d62c1d59f433c46db4cbd6e635a3c912e40c808e48890de86bc613c397a0f39afeee1340ed0ade3b664ade7c7d64b706f0762da02a380	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000c177a3b658f794399ae6c06caef58602d90e5302adb85626f6720029151a377e000000000e80000000020000200000009e9c4c45c2897a5d60c3675e7b603048089008e1cf72ca63f178cf15f869d45a90000000e98030063233f1a34cde82c62edc4e4b85fb9a90a8ee55fb271c1d2308a324981115f4f85858f791433bea20720fb4929710e4c1b4e1dfd47917809249d926dc0979b44c6fae82b5c769c8d99553ae4a0329e84ad3ed9a881397472c0fc14e93a6592d315f1d722c96afc47807d77e137750f6348bd0768be067be3c64f02d29b5100a9902222050857645701a7067334000000072a6cedec9d2eba231706fd5b20bd8bab1b5795d91af0b75f8434357bba49ca546af1d26dcc405536d5797f3cadb357fe6eadd3af44690de214d938864207428	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400b5e206ec9d901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602117"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2976 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2976 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2976 IEXPLORE.EXE
2976 IEXPLORE.EXE
2868 IEXPLORE.EXE
2868 IEXPLORE.EXE
2868 IEXPLORE.EXE
2868 IEXPLORE.EXE

pid	process
2976	IEXPLORE.EXE

pid	process
2976	IEXPLORE.EXE

pid	process
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2332 wrote to memory of 2960	2332	MSOXMLED.EXE	iexplore.exe
PID 2332 wrote to memory of 2960	2332	MSOXMLED.EXE	iexplore.exe
PID 2332 wrote to memory of 2960	2332	MSOXMLED.EXE	iexplore.exe
PID 2332 wrote to memory of 2960	2332	MSOXMLED.EXE	iexplore.exe
PID 2960 wrote to memory of 2976	2960	iexplore.exe	IEXPLORE.EXE
PID 2960 wrote to memory of 2976	2960	iexplore.exe	IEXPLORE.EXE
PID 2960 wrote to memory of 2976	2960	iexplore.exe	IEXPLORE.EXE
PID 2960 wrote to memory of 2976	2960	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2868	2976	IEXPLORE.EXE	IEXPLORE.EXE
PID 2976 wrote to memory of 2868	2976	IEXPLORE.EXE	IEXPLORE.EXE
PID 2976 wrote to memory of 2868	2976	IEXPLORE.EXE	IEXPLORE.EXE
PID 2976 wrote to memory of 2868	2976	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_8_overlay.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ae565412db3d37d10c1391bff7fd075

SHA1
f66c095ca6aef03ef9eaeb037dcb06515e03fcf8

SHA256
1db136373bcedb2ac3ed1378897de1ddef9026b9e4f215ffe180bf1cdba736e9

SHA512
892ac48a3da27d6a7594b0f189807ba26451edce90a7c3d826d06a2c0f0825e7ec51cadec46a8cf0c634ab004d3427b6fd7b89c7b0a716715299d23a5245d2b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bd68b5788d56413c4eca876a65a6e23

SHA1
b9f716be740b0d0e8f081a677e2f974e84bea0f6

SHA256
e28108561c5791111018091ca366ab0623abdf95b9293f93b56d384e0bce39ec

SHA512
ad2b8927db6919e8b5bbf17ef381aa964c9fb0de8706cc0d2b8749a135c536c232e21b5ce8ab0561756f0c94eddedbf47e8dfe13d2f2ac074afd99e9f5801607

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f77aa1d1b033c6cad29a3fd6d8ae6663

SHA1
a0a570544cfa54d5e63f2a51eab88e74ef5a9989

SHA256
54c80b6f1c620e6c88becc0c0262df27d7aa42773818d3b820d26fc7fbc597cb

SHA512
a9d102bfe6bd54da74e96e711f2e39e706529fc93f006077e34c1ee80a33ff7b88494580f7173b586e368da32de2dc5346ce084638d4f9c9bcb784975e5f400d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea49392cde873aff739bbec0bf84b92f

SHA1
e0d35ccf38377bc0097f0a6685fce0e0eecec153

SHA256
337d789093faab0eb3360c7c4eec2e1219ac9dc6213693c9d68a60f509277e9f

SHA512
0ad9a1a973ac8094be90853380c5ae896fa3317385d78b5c2cad778ca46bb9f947e3a5e83b7e627b1cbc6a1057a682383cce6d9c4f08154de7b5a3fb3194406a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
815941352c43d02199a90cc6bea891fc

SHA1
012bd6bfe1d4a563e336fc2079828baa50929703

SHA256
c045fc1b239e23168a14cf2c00b016eb5d7614def59870e06b87bf204b387288

SHA512
68e35b9fad817ad9c75f4537edfbca96b78e10d3a7933637fe0b147e4209b2cbdb29fecf4deb8f6a5b55b386e96a3523d4041fc760bf44fd390e7699a653ea49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb61fbb48109092b58cc75dece636793

SHA1
a05059cf127a426c043929a279bb0dbd9a4fdc09

SHA256
6f2de07f74c03e3cbbdd8c677593d31c38c72cbfbaceea9c01d9c2694d3c8659

SHA512
227a787fc61f1f58f86b76cca1402f08604e4ed43611c3f130ff5a754c728e589850e43a4f2fc4026eb36aa170be8b7b12d9d1064fd794c1f28d01725afb465d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c45193d820e96820d8b2f85bab944785

SHA1
eaf41ed69293ba55c949d6ff3a593aed5460a387

SHA256
5362bc29ecc6d91e94fa340358843d7c26a842a6fddc51d7271b0917280ed28a

SHA512
c7a998f222d1f2d9a096c1cc213b814b1f2570d499752efa6cf3041856e10ede28f07d52ea9207e89a01e5b94fb79bf17c44ac45e5d41e9aed1b721a728edd02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a98001f8c4ad03986b45a6f67d35dd8

SHA1
29706c08b07d17f212f9cc5356d9607b09a933f4

SHA256
436674befab617517598d0e726d781f04ae4df460e5b91e9ec3d9023169ae289

SHA512
ca56731d3617d4d6a27a60d6487a0bc713ed53b9cdf40ac2f0928cdfa3b1b24da78d2c58fdd4e2e2c7afa3ebb7810ca4e0f6d63076c5611132b58e2fec32d4f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b90c04ecacba584b943426730416aab6

SHA1
21d5321cb0ecc04f92cebe6c133c66d096632280

SHA256
5d931b91397e67d77058c849a2338f970710b1bba71945b6e4af4925694df73e

SHA512
d3094dfbcd214c00657c26e14f45bd2882c142e656cccabd892af4c48856ffeb52f101d32737f76ee0059c01172e3a366bca57bb43009b8d07381ef15ab531b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
874944ec03437081a460ab39a2b1041c

SHA1
150f3483f207218e9e5c1ed114dd2f5b50836ccf

SHA256
d94bb80338f9fa9d850cfd67d6117a99444c75557de957a60514fbcd4d0e4cca

SHA512
61e4098800ef52614e3940f35d08cb5e16ff36f7d4678e141446b0160069e65818d8a3505a5e0b3f93203e30939f2565611887ad48105526db33b4e49211a63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab916A.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar919B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit