332231ca3fb405b7621611bd22e7016cc73c32d90318753424ca598833775d76

Analysis

max time kernel
134s
max time network
134s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_7_overlay.xml
Size

1KB
MD5

13da4f83c32b6af839f40448ad4093dd
SHA1

2dd817cbb6c2198c9b622bf8a4a4bd0f58c5980d
SHA256

22a5b339c8e15d0b1393e540966b414ca577f1e6c2c4682bef22e98f74e5a5d3
SHA512

3c5e37b7638099495ca3773edd1b4c780ceced0db68749c7c7437ad460ae765f1e3f952e146f7851a778f9dd32a5c7cce57ee616c0f015231b0071c9a39013cb

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd690000000002000000000010660000000100002000000091faf1466ae442fa3eb4f1f2e4e8d4f64199672a8d2ff3e700d4daabbbb58a91000000000e8000000002000020000000cd51e3c3058b3432317081c442d0ac627f25fe1cc77d96245ffcfbfcbb8f602090000000f4c289beb617871f511e9d35315d64e868e1d71f3631bf611dd9b2f0695f149192987abe56ac40120983b53d667d57a93d672419face7f8e6f00a90a2a3040084f15405ebe33e631923fb4daeb8b95f1a4935404988f46fd2a41e6442d64233f914511f1d83ee2bc9c6b1b261a1e0485d4f5b157afb5e1025c0ca887381adb2bfcb72d4f1df30e203385b08e6538abb2400000007e3814fdc7be3a4e7f5d8fa6fa11e2a2e7216e0fa2b29859d7e09c8afbda91c14c2832a8fc76a5bb3b804dedb30a04c64492ddfdf813152ccfd5f26ad8c902e6	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B67BF41-3638-11EE-B899-72E7016CB537} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd6900000000020000000000106600000001000020000000a164f70a1bd5b3301ae95ec521797ba8f3ef76a6a01ffd870db898486f7f3447000000000e8000000002000020000000f141108cb311e93afac811ae0325b6e6768c647aee57164ef7db91be029061b320000000bc37c12bb6d0b903fcf5d11bdee09d0b972e6086a233dee4b8c1ec57134cb2d84000000023bb4f5fd0405f9ff1f88c9f8160b8ef13e819c6dd7db75b94e7fecf80bd4e9abfb29d8ce3eee9971b67562d269f3205b68b2618f594997c6430226f71ad8d47	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a063700045cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694430"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2416 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2416 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2416 IEXPLORE.EXE
2416 IEXPLORE.EXE
296 IEXPLORE.EXE
296 IEXPLORE.EXE
296 IEXPLORE.EXE
296 IEXPLORE.EXE

pid	process
2416	IEXPLORE.EXE

pid	process
2416	IEXPLORE.EXE

pid	process
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
296	IEXPLORE.EXE
296	IEXPLORE.EXE
296	IEXPLORE.EXE
296	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2584 wrote to memory of 2456	2584	MSOXMLED.EXE	iexplore.exe
PID 2584 wrote to memory of 2456	2584	MSOXMLED.EXE	iexplore.exe
PID 2584 wrote to memory of 2456	2584	MSOXMLED.EXE	iexplore.exe
PID 2584 wrote to memory of 2456	2584	MSOXMLED.EXE	iexplore.exe
PID 2456 wrote to memory of 2416	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2416	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2416	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2416	2456	iexplore.exe	IEXPLORE.EXE
PID 2416 wrote to memory of 296	2416	IEXPLORE.EXE	IEXPLORE.EXE
PID 2416 wrote to memory of 296	2416	IEXPLORE.EXE	IEXPLORE.EXE
PID 2416 wrote to memory of 296	2416	IEXPLORE.EXE	IEXPLORE.EXE
PID 2416 wrote to memory of 296	2416	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_7_overlay.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
460ae94587a4c00cb4c0f87f4b56a4bf

SHA1
ee3741605473ac69a2d89c4f8d4ff1df9ed40a0e

SHA256
c6af6a34a3d20a350547e7edc679bbab17711773b3420c217bc8243a4825c5f5

SHA512
39bbfa8ada3e1a4ed7e8fd59fd2983df737c17b7eff4127719308ae5e5fe883ead06be1240e927f3eadb9095076b44209734f9db788b310f5aa7ecd4e8ec2a0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
611ec3ca1fdb6668001500c0c5da19f5

SHA1
345fd501576c23a90de10348a778221a034e163e

SHA256
e5b5d57aa16d75d3e590e2468c647d1b71b012df74d27edffa3519c41586dd02

SHA512
0447ee0e7b8a33ba11bf1141b4a6a6d9057232fa7c294f2402b8a85bf8a90cda23fa50ee27b7f586821e848a274ff568a04ec36eb38629e15fb9d27ddc4b69db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15df747b34f78ad73b877e342f453060

SHA1
00782b00b836bf3de073b5b61b737e75bbc59a09

SHA256
f5d7bb058955c28e391cd2dbbb1931db6cb086e52b07741a00b7dd7b0856e2a1

SHA512
abcc9e0a7d6acf27e8ab3343b84586eab724d93dd86219f65927cf0ea3af8be291b179f744e7c5c25ec05f9b9362debe6241697d89ac7be759d2eadca11a9ca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
252733be9db6b885ac1d0c09e6eb1aed

SHA1
5f57ba7649d9c939f33d949fa436593d7970c2cc

SHA256
89406f31642896d77ff5ecf2bd470ca5dece7e94477879301e0eb7880efd3321

SHA512
85fd607f020a14571daf591a44a17095303cd907c320e52b8a409ca8b25565b2b31e054034a16108f0e04b277fe57c40aa9aa29d0a77582ad3e94fba92e2d47c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
296359c81a81687f0f9173acdd879475

SHA1
f719a0b50f0cfea7790c6409e2a1cba6a9ddbe53

SHA256
8c6449af0b5f35ed2e85c4fce442c82166a3efcf25d659e8f327f3f29cea61dd

SHA512
ccb35de3af6f71b45e4cd09792cf35df89353070488d35f5a2d217a97a0a5cc2a6f9a692660319c069cf3161dd2edb01ef32df2424e709b9861489b9cd835fe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15ff29ed04f7e97d54278411061491a9

SHA1
b4fb4a93f3c8a6b5b9dc509713c0e7e5495e0a0c

SHA256
73373fed2cec9ce436441ac32637dd507653adc2b6775240802abd88be0088c5

SHA512
66e88021f245d4231f087ca710dee447f9b6e5b3d4d2e26a37549a0bb7433260e672e8d82e2e6525ce0302d8a7b7617d9b613ebfec87927642ba77813fb12297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95c6a616b4b0f9b8927332eebeaf1bf4

SHA1
933668a4bab6198b6732d40a7f8bb8693a039792

SHA256
c2e7615789c8f63249bce2f3cd3e0055c75c7156e5b402a34e5dff2691f5d71c

SHA512
fc02e4343a8e90eee076aff1cf30c4c09cdf648eee0f5d928eb2ffe10e01ddf7ab5724941a5ad6fa673e893d1aa6efb9a6e7193618c6cecac256a088877994a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
930432abee7d3f36b57b40e0ff2a07de

SHA1
ee16362ed11d6bcfd4f938a9dbb5d72b35a81f87

SHA256
075422ce49aab579c19c076f629edcd4a5000afd0494b526c715b2360a198c55

SHA512
0f83ec9b63e4657972a8a78a0d57ee127378202a49ed0d89f106b37d04090675dbe2cffa540e21d6e2a9332299450dcb4e334d9089308d460e9cd322766bda34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11d9c3533358b13e3f616ef685bf5b9f

SHA1
49b24a64686111e7d9fcd7f340a216079db9941a

SHA256
00b0b320f640a4febd18a81e8c7705883138fb3bac095b246dc48a6df22674bf

SHA512
dc481c79926d33dc878fe3be6a087c2516ab39871c929e006d5faa30a5ac291492fb10a4791516bcdeaca6beb00ee226439b937d64f8748da4e5d1df71ecd185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b22f8ffedfb3986b34790be00b19bd62

SHA1
ece07cbe16d902ef589d42e799f4ea89e82e856a

SHA256
1147e769ecd53adb18283f69b5b916fb18ceee939ceda5c961f9b7925993f788

SHA512
2b77daa925fadae6fc88e00de9fa85fb21041f34ce0b01d464edfc16a6ee9266769a0c25ed503922c50a27cc2d8ede3664670344e0ebc13d2c0504fc37722e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA778.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA9FB.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit