332231ca3fb405b7621611bd22e7016cc73c32d90318753424ca598833775d76

Analysis

max time kernel
139s
max time network
138s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout.xml
Size

557B
MD5

e754f3032bf46c6d8d97140622f7cd43
SHA1

c3b07417ea1eb6101ced7ffe4fd1b52822863a6d
SHA256

6a05056f555e8ede6117732f3fa4ba5b538b0bd81fbfa2e665f7109a535e78f5
SHA512

8beeec4db830502e0963276512e50513ac3d47da758e3e4b9567736ce3ef3552ee84c81ecc5657822c70adc921181e95ef1e8ba909c9dfd4828ef41fd2972e8f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694409"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000047373ab3415b4b71a42f4857ae1f5712f2ca5d3e632571361a4269afd166badf000000000e8000000002000020000000c2198430ed9188a044c6c481f6239675272d70b7ecce9d1bdbc6e308f302ed8c20000000dad04437658a710a0c053aaafc634e1a83609598674ff7548737ef177c6bbef040000000dc031b9975b38e9063510e5ca44936ae4564fd4133980998560aeb7528cbe4d8dd9076fb60db99d5b691bead0ae2a3acca735118ab8d0a20709b327ab0121d1b	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d9410045cad901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000f6ec062e44423234409fe613f95e755e9509f3960ecc94cb3f7cc808c384348b000000000e8000000002000020000000381eed03b196c1642a1acf05ced879a8638aec581708a6a2c9fd40ffbb678e4190000000a35afccabc5ddf1a26d121b8786dea6a8c2dc7edf2cadc3703b13a2baf32de72ad485e5caf636b720d5ca6a3375963b757198ac5b774ee1fa0ff449274afb4a8b0dd4cf1ae4dc7c81eddcfb0ef82ad05fa46d3812f920440c31cd4efffb0dbfab3039a5a899713f2b4097fa43f51c310a77527abce5c5bc32f438f98efe107b4ab4c12efec8b5e8ce13d12d5cab0394e40000000a7041b340003a67fed95592f71c77d0709e684a74ee1374d8294ca1d3d9a7a36c61fc877506bacc41101a9aa49f8a26eb3250fb32ba282c845f183abd3a8d7c0	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B8C7D81-3638-11EE-852D-724B81B1CE5D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1524	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1524	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1396	2508	MSOXMLED.EXE	28
PID 2508 wrote to memory of 1396	2508	MSOXMLED.EXE	28
PID 2508 wrote to memory of 1396	2508	MSOXMLED.EXE	28
PID 2508 wrote to memory of 1396	2508	MSOXMLED.EXE	28
PID 1396 wrote to memory of 1524	1396	iexplore.exe	29
PID 1396 wrote to memory of 1524	1396	iexplore.exe	29
PID 1396 wrote to memory of 1524	1396	iexplore.exe	29
PID 1396 wrote to memory of 1524	1396	iexplore.exe	29
PID 1524 wrote to memory of 3028	1524	IEXPLORE.EXE	30
PID 1524 wrote to memory of 3028	1524	IEXPLORE.EXE	30
PID 1524 wrote to memory of 3028	1524	IEXPLORE.EXE	30
PID 1524 wrote to memory of 3028	1524	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe0a5e97b8880c6803a9ed7df339580d

SHA1
dde28b56f8961337d4cfd9b16b290600030bd407

SHA256
2a525c092b0199f1bb12af66dc86530fc3255d9978b5565409219147cbd288b9

SHA512
098ed7098d98ae8d8c01af507b1fbfa1d098c40b35ced38194fc5e78578c953d63e5810ea40d0a3cd71689c51e2cb9493acf7748da8c7ac99082bba225e62519

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3442e0b1149ed2a69c855f2ff40cd442

SHA1
1abf7a6374d82e49f7ddffab10268f469cb489b6

SHA256
c0720f9ab2e303f78d51428c5d33bedd760b74a6c3be3cb0bc1068237ac59620

SHA512
2d255817bdf7cea95cfcef098d6855d57d94f5c229a5b35cff5b0678c62065efca814f20dc0abeb3f5beecd493584f32b574bc3edacae869798a8c01acaa5220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1b421b3be2b4c96bd5b8ed4d6e2a624

SHA1
c20bbdee43373d9e713178431b3f9e2a17a943dc

SHA256
44eefe17ca359f5fa3be3c99701ce33be026217a279f8f01a9d6f7ae3bebb7a9

SHA512
46ca3c554709e13cf57155926a124811e7aa810d90e126e5e9e19a820d6606384cf5c3c806757517293f6e19c31bcc68fb327ac7aa78b3f72f91ccfeeaf48dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ca3e08697830a0df964235c7af1272c

SHA1
80bf7a3001453865c646e84c03d9b58a2690bc01

SHA256
1b01c09ccc2bd3f76a03bf83b554457cff6c09b602582ebcc79c29b0ae6efa39

SHA512
37df8d6089b7fd37a62b2e586e95e4a25bb2a6539e5b3f8e335c52d2d594ebe259852ae1020fbf8802de58d746a5aec701a5d7e71e0033717a93de237398be5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c11208cf7748c9764a74456bb9589f3

SHA1
624a232bd21242ac5ea593a3b4872fd03f3263c0

SHA256
e6c4a5ac52f2694aa174734f9a6748c0113546dd49553c4f29359dffd3ec7c03

SHA512
cf2976259df8c4e07533964adebafeef70fc09bb0b93ac002ac6fbe251e9b64d996a1d458cfc469743557fadb97fe185afbd4059c673f217db9d4166846f4b5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3aebff320af5123934a58f095cba5c1

SHA1
7191bce10e3e70096e37f214fe2ac683047d017c

SHA256
ecf820835ad6ab549b09dc9720a7a3cba8635454f93f0d36454b019e557b2129

SHA512
b3ae30abf7f1712f47d5a9928d85cde740eccb57769cd8e93b09233ddc00fdf444202a6883037d9d0ba879a16cea381c36fd16d13b68612e453a34e74abb5f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ffd70c33e6a7b7d3099821aa20ac7e4

SHA1
b8abc60013c45c023db90a85f89792776f42f349

SHA256
c91c66ec9786e691b9e300898a7466f715507866d4ea6d7e66030f4a9aa986c4

SHA512
84ef040203431a2d6f27d6bea3e8adb300fc57fc180898898cf13cc15c1cbce64c840e599cd11e4c189ea666eb37d8f457e8a8b491cd5e514263eb7d280313db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1798d70f22d631219ddf53477e56d3f

SHA1
0a5a942b56b26cac0ba4861dbf143b93ed8f7c5e

SHA256
59e686040b6360397eaa430e5adeac17f8ce8d827949a5c4150973fc7adf0887

SHA512
4dd993577a1f345f5cfa9bbd6f5148b23e077028e156cbed9ff340a37b00f2026cbba1d4b7f55f77ea97c0a3f62aafe7689d6b666851bd4f6eea943cb4ff5a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae6ed33f6fd4348100b95c7786878bcb

SHA1
f2047dc3b8e436f9d5e5c9d5b874065720da1f81

SHA256
ad17ee2e599694e511a973b0c1e1f513d8560e394d7b78e0500b87d91088db17

SHA512
16e0b760a2ab20cbe8a13527790823f67b7f8dd981ca8c18521490b5ac41f3e26dee7379f432e21bb2a0bf53a2556e417abc0bcb73f04d8d9a9e124c87be2dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f69f6895ec3792cd296fa175ce33c1a5

SHA1
619fe959fbb262efb18d0b5ba57b649a7313cf83

SHA256
953d7cb2892f6fdc6eb659eff5a95b1f412fe48fa3f1d4622372dad4a23f1dee

SHA512
4d9cbf26040cb55742f4881aaf302966c352b95a9cc0304cf917be970087d82ccca2ffaae5704d850b98b724f7820168c58e96393eaec6071dda6ec31eac9161

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
527f3baa4efda2c16989d58a9e553b26

SHA1
393f61f52e65260447a9af19d494960f197e1586

SHA256
a3d6dc40b542eb622b171deb4f046b1975fc82bb617ac345fb84c590a4e80f4b

SHA512
292bfefd95326bda099fe3d3e51411cbb620e2077502be042e06b671850a973d6883048473cee60ec2e8bec03ad933f258729a192ea4889b31b0407077f458e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab93DA.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar941B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit