332231ca3fb405b7621611bd22e7016cc73c32d90318753424ca598833775d76

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_dest_bubble.xml
Size

1KB
MD5

5a1b792bf859e656807fb87228b66416
SHA1

21612430725df233bd8bd7e10ae17a33a7923429
SHA256

07c9841559f933977b9448e4ed5e18e3000666faa8768526136bccebefe8b104
SHA512

e908a8dd836b51193f62b60eda3a5371cb9f2548e0b792e90fe624e012c7d64c20c987ead14f591a1e59b7786eec31221f56148447ba8deb53082c7594462b25

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694421"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{33CB3541-3638-11EE-825C-CAEF3BAE7C46} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd82794000000000200000000001066000000010000200000003647b3ade7dd55cdb183be99585633b029bba1e9705d18ef2974ed2296770108000000000e800000000200002000000033063e81476d6e0d9e61fff8d637c408cfe78e4f9966f4dd309e3615d89d84e020000000fab4c1c3c438e3e3c12ea5d4a41bb16c7e4e9613bb84cb1bfb70a86f386c16a640000000e41b9e37acbaec51137d69296b6596f35cf799e7e16d1159da92f4ec7cb3d581b0c35af324f65da0f61a619c05a80e4387671655022b3892c15aedbced27a973	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03a910845cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd82794000000000200000000001066000000010000200000004396ba903dd4b371cc79a0a0ef97c5bb5fda92065e9b4544606de1c04cbf80c2000000000e800000000200002000000020af4c20e26908646efa8f51b9065eade459a5d3b28e75b91975d4f5a47d9bab90000000d8bbc932104fab883b4712c228100df5e45d917e81668a8f6517d060f2bcfb0e53c7314212aee2a6a03e393a23fab8a7ae0a189b973b61393325e220dcb96fc1c13cc670d9a28523e26b6b6a16d04225f98bbc913faa82f230481c9ec3eb268b9e9a0359a926787c08cb573973278805adabdd493d8b30b6da0cc44180b40b5d01f12c715b28177a831195ab572fa8764000000058776c2b6e101dc01514f9cc2a7bd269ff0fc3e5de3b1d30b2b1fa313b6effb44409c138d782a1287e25feb953abc9ed142dd85db4d22dae2bd97e4bc053235d	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2352 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2352 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2352 IEXPLORE.EXE
2352 IEXPLORE.EXE
1860 IEXPLORE.EXE
1860 IEXPLORE.EXE
1860 IEXPLORE.EXE
1860 IEXPLORE.EXE

pid	process
2352	IEXPLORE.EXE

pid	process
2352	IEXPLORE.EXE

pid	process
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2412 wrote to memory of 932	2412	MSOXMLED.EXE	iexplore.exe
PID 2412 wrote to memory of 932	2412	MSOXMLED.EXE	iexplore.exe
PID 2412 wrote to memory of 932	2412	MSOXMLED.EXE	iexplore.exe
PID 2412 wrote to memory of 932	2412	MSOXMLED.EXE	iexplore.exe
PID 932 wrote to memory of 2352	932	iexplore.exe	IEXPLORE.EXE
PID 932 wrote to memory of 2352	932	iexplore.exe	IEXPLORE.EXE
PID 932 wrote to memory of 2352	932	iexplore.exe	IEXPLORE.EXE
PID 932 wrote to memory of 2352	932	iexplore.exe	IEXPLORE.EXE
PID 2352 wrote to memory of 1860	2352	IEXPLORE.EXE	IEXPLORE.EXE
PID 2352 wrote to memory of 1860	2352	IEXPLORE.EXE	IEXPLORE.EXE
PID 2352 wrote to memory of 1860	2352	IEXPLORE.EXE	IEXPLORE.EXE
PID 2352 wrote to memory of 1860	2352	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_dest_bubble.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5eb1d4b10e75bc7347186e7a2689149

SHA1
5d305acffbdbd7291aa4956ca58b0cfdf1f13ba5

SHA256
748790cc5d8e5929d192009fdd0f302f65d40ef4262fe6879db2063277bafbe7

SHA512
5566a3d08072916a38a7f4d0048a4f61f9789ba2245dc22febbc8bcb0e1ecae0aba68942a15c47549a5b36c735036b3a70a67fd90df0e101cdeb7ab71c7351f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50be9e785b0854befd64df995338581a

SHA1
6b788041ef933899fc436c3fa21d4ea9080051c2

SHA256
f4941118e06ce96467929d9a3f6d72b7818879c356eca61d82fd07ac342ce3d0

SHA512
f7269f603a331b94df14632a26d783311863de7ed57b6a63f0cb43912c510850069ea97d19e620fe1d434a9a3a7a26970325a27500ada2fff8f7848beea84520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23f36213be5cfb1104951ac76beb130e

SHA1
b23559124e42171e030882bca4364a0ff74673c4

SHA256
07d4ef32bd06b14b0f2d95fde2b884939f8c68d54bb5f048bd5d92efc8fe4f9f

SHA512
be8cfa7a18d636792b9af4854b1c7c70d12117063e7afe759fa2391f0bfe6b4c84b6aceb9056ec64271d67eaeaa49c13b13794364823b5d7a640d597a89eff05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1767f34c34540cd22c22e8faa80db65

SHA1
ad753318b3427492065a2467f56bb8a70a3bde27

SHA256
f96fec7ac1a928fb6c119d312fbaa798f672d21d9b0494caf0033679b9d6c5fd

SHA512
c079b80c76488800551db24bc1d0428836952bb061e3a0d95bc6890ca5c2b0b05441bd1770277caf4746fb78b869a9ebf119c7b0b417ec16887673badfb8d9e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc1582723dea34d66c82cffc05d7e0ac

SHA1
aa62c4a698a5446da5d17bac4dd3c0457222a71f

SHA256
3c7b8a9a66c96b15df5ad2a7b2c7c005473b85b01bd0a80b66dcd311ee2ff56e

SHA512
6110cd5ecfbdf5e7d064443d0ccfac608838e030d428c648ef2f975c95d857f3ed14ce08aee009968701708b6eecb523cdd1ffaad43755698aec3f0d244c6ee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90caac3751a289a37f0bbc75b068ab81

SHA1
1c7b2363318976dbeca87673a7bad2fb36a6b5a4

SHA256
90da747e4a3c7c97d7014f16aa5b8822954a5aeb598a4b3501d4d82436c49054

SHA512
78264fe31016a58d843c04cd87a431e12bc428c312312a03f30d5028cddd3a6a2d2fa0e48066d87be6a515d6aa42bbe188d2292c3c2b76bc2211554212ccd214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe6cacbaf495f71d07b5f9559b96b254

SHA1
bf785db2f3971431c0d7c323507436a2a10d4d6f

SHA256
f1c514c0c402985c0daae9c6d7f18678dabcc68c95200ddc4860f5021561b5dc

SHA512
0c4a82b3872c649181c5671a675fc13a468931da2ccf9acc9dddbd63d8fc394314e684f470179d50de28ef8b1f798d62f9fa2c76255c1bb3b113b29b90e49c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b79a38b4595abb3d3d9e596a4b7a5cb1

SHA1
25d4d52fc9306ad9a7dc261b5b8ae2fe16a689a7

SHA256
e1c9fc8b19b4483fbba62dad131157b9d7feaf076af8c3d6e45c0915e9b24fc6

SHA512
4550daf74179c1b50f25d0f18568e2c8b4cacd51a6bb044349d256f389917f265375b6c1c2c2cb152a15df7c16e00c7db3f673ce42a1a053db6ac79ed7910166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e500270c5f4d6a227d27028b9fc5019

SHA1
8456d6a9917dd4c5dbba22c6729d334357093095

SHA256
e7adf82c8993070459626f43d7089e8440f817843abc24936d2e66a8b88674a9

SHA512
491ebccef32d4f8d15fcd4886b4ce6e27c5d195cb132a60309f17bd99539d4c980342103067a7e66a7a32a27e00ef7e14c0acd2609a26d6d3e099fb6fe3a4f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f762b2b6ef65386da6a99727ee065d91

SHA1
e29888764eed361486b6dfb62c07330da921bd66

SHA256
9523573a423d8a2551ee992c1ea3dd619b97336e8706009c208916fbfe2e6aec

SHA512
e9e93e81a621d52cf4f81cbd8bacabf71ce2488341f7dfa9a0f8951692b5c4cba7966b20de8bf005c94323d3ac219ec0b1a2dc91adcab6674a1b63827ea73d1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a75aaf6d09239ccbcc38c0b29ae946b

SHA1
e6c834e6937800023cbbb6093c09cb9aaf6aab3e

SHA256
90b0e1953a528efb3125322c5944dc2658f80d93915baf18d3d377a1505b70ba

SHA512
f11e18809be8c04dff96448643492e6a5080880ccf5330770e8cefb4df8381ed49bab918d04f99c18682d6082a0ccbd617c7d482605cf3df011a6709847c96fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE55.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1126.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit