332231ca3fb405b7621611bd22e7016cc73c32d90318753424ca598833775d76

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arrow.xml
Size

407B
MD5

307d6a9e22b99a773d19844db37d9b53
SHA1

eff273c09417599dd35a4d89b48141355a85eda5
SHA256

4b20ca0905f62f5f33380063a9d569286aea83fe8e6a2d8584d5c0d4b6e03f87
SHA512

3cb2e0dd467bb5c4b7eb049b62c5fec2547eac119d2c3756fb225ddf2057c5b1930142714d8a4c0ddb657f3e6c06e937e6ddaa245d6a8e5ddb62e5e6554110ee

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60738e1245cad901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000af2d64effb36b4d99faff73dfdb2685643258fb515c554b759f208bd247063d5000000000e800000000200002000000011bde619b83f9b690a32d73322d046445df08bbb7d2078aa8ba00d1275ae4421900000006b615ae00c65af75b456dc7794139a155d813f6c1b000b9eff679eb67a8d3ecbeeeb3efa1bdaad056b49fe4697b51f674b79fd133b6e3d738832c46ef6a2afc3e7ea2b8cb393d19639b96dfd98da1d84d349ac20bcf1de6949c56f3f246a1d0dd7af6621283d21ed02a03b8932d4ed92ec895f6e295e1d2d0db9ec9a61acff150aa3fd31090fb930ead4f1f2e66aacc2400000009755951680249d466f84476c00c24d0e3722cb7a00d7edb5178948a150e032c1ec6d79d25636fae238e9fe341083c11f5ae355d0b1a13489dfae271ad9384caf	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694440"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DCD28A1-3638-11EE-B469-EE35A7B3029D} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000a344129041edc4674d56989b7832c91d4aff4ce7c445c14b23edad310ae81a50000000000e80000000020000200000002c9fedbc4f8b082f8cce31881be0407e68972e8902d4ec30edd56cbdca2ed2ac200000003b7506e47760eece95362656c05d03060cc8863d1a193bfc9abda1b95ddc17fb4000000038f926f49faad06090b527be354d2b90687af716e2946b0e80cbbe6c7d42f41f3f96bffe14578787f952342b675a7ab4f928116db968cb05878dc16ba58b579a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2836 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2836 IEXPLORE.EXE
2836 IEXPLORE.EXE
3016 IEXPLORE.EXE
3016 IEXPLORE.EXE
3016 IEXPLORE.EXE
3016 IEXPLORE.EXE

pid	process
2836	IEXPLORE.EXE

pid	process
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1716 wrote to memory of 2828	1716	MSOXMLED.EXE	iexplore.exe
PID 1716 wrote to memory of 2828	1716	MSOXMLED.EXE	iexplore.exe
PID 1716 wrote to memory of 2828	1716	MSOXMLED.EXE	iexplore.exe
PID 1716 wrote to memory of 2828	1716	MSOXMLED.EXE	iexplore.exe
PID 2828 wrote to memory of 2836	2828	iexplore.exe	IEXPLORE.EXE
PID 2828 wrote to memory of 2836	2828	iexplore.exe	IEXPLORE.EXE
PID 2828 wrote to memory of 2836	2828	iexplore.exe	IEXPLORE.EXE
PID 2828 wrote to memory of 2836	2828	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 3016	2836	IEXPLORE.EXE	IEXPLORE.EXE
PID 2836 wrote to memory of 3016	2836	IEXPLORE.EXE	IEXPLORE.EXE
PID 2836 wrote to memory of 3016	2836	IEXPLORE.EXE	IEXPLORE.EXE
PID 2836 wrote to memory of 3016	2836	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\arrow.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2b6b7856f9b5f05fa207d989aaf3375

SHA1
e60f9e32bf1971cd551231490ca27b5f4b10430a

SHA256
5d1f35980558e073f13bd709bff216123cbdda04e92db2c4b50860b3238d07e3

SHA512
097cf24e1a27045beaa737d232dcb209faceffa32aab9ec594eedf6455f1172409fdbdaa1e0e0c7f87fdb548699dbea80a4e0fd6e83a5956a2fc59639eaf24bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2e300bab2e15fb60a3589fd196a9bc8

SHA1
828589c9bd7435d2c4098acc71ca2e37b2c524dd

SHA256
18d3104976b5a95c15e0a66e6f4d87d212927f89399fc63f21e76d95e7877ebc

SHA512
949f6b1203624d75098b946aea0e801676077bcbb19b9a5bd151f54a8dac256284fc874e596b977c108343db07aa6a33afe9e33fd264b73d1a0cc059738853c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db97ad5bf7523e356f4669a877746f4e

SHA1
f66183400a92f8bde13c39e5b3e51f7fc65a3814

SHA256
bdb4b7b698aa58a13f1ec85dfa9e57b0ec2c2b5b37a1b626b83e8fbd1632e7d3

SHA512
883268b34ce05ba880d00c8bdfb302f0f7610cfe53483e5be838342a158e4f5c7efa939e2f595be4e5e858eead5b6c5e37663c71090bb0fd794081cb5c8bd324

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbc0df481be1b3ae70eddf34e97b70d0

SHA1
e86bbc3ea62cab77634dd71667029dcc2d5ac06d

SHA256
7b2825b104e7c1a0d6c58d1fabf5ba43247bbdb9d679c3fb5616120de75f3ce1

SHA512
57708057d30ba37b84e745f7a41a7e7a4ed0d7532b291dfbbdf909cee9fac39220ec32de1b58bac16916fc9a304404f8f458ef9f7d6d866bb365dd11275ca1a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0bcd1079450e40251e585bb845129fe8

SHA1
6a2cade9f30b779714923ad0693e483becf0fb11

SHA256
b758d7e27e48993e6be687f87654351275294af716789154ccf1dfd511247a14

SHA512
aa03e7cac6c2f06a3d842899709b524560233bf5158770940db576a928a38b15a541d0278083a4e6e51eb18cd0c62033b5dc9899810c2ac3ad43462ee659f566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f4a2504853271ab51dece64b7189a7d

SHA1
84096f2f8143a086f7cf2de0b5cc1b266e578db5

SHA256
6884dce839333d644f4009e73a949b54574ab37515fbe2a691bf6f827ce446da

SHA512
c076e239a84f773ae67ccc90c82daf4d82dc16e9879944d4f472ff9c02f3bb0358947e88cda3c4c2f8a450be0ebb64f1508d2c49532bcdaf6bc2490b027690a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21680d8076118ffe3f1c535f3356e174

SHA1
820afe15c0ddc57913476f8db101095bd62579d7

SHA256
a267b2377d6c1caec06eb715a6057501e8176869424f64474ef9c0a83e974a45

SHA512
29b6d0762cfe42b456fbb45e2d0d99848c59cc471ba426b7397b56b72a9300beb1af87f42c9461257bcaeb874b740d61d19a7054bf951d73ff12fb1ee305c2f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e06f95432544debcecd495991708bf1c

SHA1
91b231e1ab2fd4b181eb4750d92e434e25f745b7

SHA256
feceacd7bdbb35985469e7eeefa736e7f4da64d0aed755c1f115ec211ecddf87

SHA512
72487a205667c3fe500c19a48fb2fe4d45134faed2377b1a9adc4e782059962691c203cc79e800dcea2672e5e129562497dbe8765b25d92e8987801b2c135631

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84893d71a3d7f60be267124c5b355575

SHA1
e868c365885d1a4a3ea9bc793d5663f8ff920587

SHA256
79ec016bb364e422f3affe1040a06b7f8adc918c12c63a7c1286652471a22001

SHA512
83fbdf3a43589118b2db55d7ceff67abdc5069b67020befcedcae5129129bf3446cfb99f8071a07b5a075a8b0c4fefe3b72bc37ab1c0e740e23f4baf7b037365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2f13bc1916968648ab7f4b8c9d2e0b6

SHA1
b72fcfa47b978f073dbb8fcce86456489392df36

SHA256
b1cef57be8d6a8692e8c31873aec22ac6ce1e06a1896e34acbd057fbf4c62c50

SHA512
350d076a7587db86579affaaaecb9cf22410fb995ea1656ff006614bb4aeafd1ed107194cadc5935ef50c9b23ffb5d2202c8c22f38fc68fdc03a373fae6257fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC3DC.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC6ED.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit