1c310cd242a87be5cfc15ead92cbeccadd3d14de3a03fb043286ca11c8afe05d

Analysis

max time kernel
139s
max time network
136s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boost_03_effect.xml
Size

2KB
MD5

d122c045b6e8adcb983a09bc7a02ca71
SHA1

6a38519ac6f268c9dcbcee37cbeca327c3381c85
SHA256

8bfc68dead941eda0b73218e872d9fb31a8bfca9e448486771748316b545c60d
SHA512

0d8bbc2583e98a17362658e3535f59ddd8b012d1a12df23c63d15d3139c8bec8a93f4312aabd17ec025c9cc150a1692c413c56b53558acc6c94207c2878d9e9b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ff5a7d45cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A84191D1-3638-11EE-852D-724B81B1CE5D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000028896c872a0954d1c85536b06521550c1b95d2ce0238fae79c124f2b9609e111000000000e8000000002000020000000f7fe8324eb33f19d89e002640f8736cb86e50de390b2093a9434810c9dab66e220000000aca6a2b81324afbb580eebb7ccc5c10b1024e3f855dc966677507e1259bd8ca540000000feadaf8ef044cfed36fa0406d1d7febcf373859151b4f6909151f24c021b06de01d1ad592d6ffd00faae5b298120096a48643fdf575ecf4207058e0354944d0d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694618"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000023488b72f3a4f777c60f97c08bc50475498700deeb717d637c7684e98f0bcac7000000000e8000000002000020000000f478944a05e024a11526791d9d665d7a75f7cf8ac2c3ba122a8d8f7b3f7e37d590000000c7e3537e7d06a4105d424e03f840f82055ba661038a9a781a7084f9211a8bb7b3b617207f69afd661dcd743480b2ed9848907795141a610b001cce4adc48414df6b7caef480c1b77f8c803c0e0763b19f2221187b4d6a7166f70dcface25bb940f1fee085c974a5c361cd5dcd3f3bb79b0e6e50a8eb93d565b00848dbe33a1104e45092b7590fb036b83931db2e451ca400000006e35037cde85d3c62cea42d9b5c10b1ffc5df1c2aa9749249e4456ac10f7932531fb487de59a40df84ba9166fd799b420abeafeb16536af47135afd5ec6cfbfe	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2432	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2352	1900	MSOXMLED.EXE	28
PID 1900 wrote to memory of 2352	1900	MSOXMLED.EXE	28
PID 1900 wrote to memory of 2352	1900	MSOXMLED.EXE	28
PID 1900 wrote to memory of 2352	1900	MSOXMLED.EXE	28
PID 2352 wrote to memory of 2432	2352	iexplore.exe	29
PID 2352 wrote to memory of 2432	2352	iexplore.exe	29
PID 2352 wrote to memory of 2432	2352	iexplore.exe	29
PID 2352 wrote to memory of 2432	2352	iexplore.exe	29
PID 2432 wrote to memory of 3024	2432	IEXPLORE.EXE	30
PID 2432 wrote to memory of 3024	2432	IEXPLORE.EXE	30
PID 2432 wrote to memory of 3024	2432	IEXPLORE.EXE	30
PID 2432 wrote to memory of 3024	2432	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\boost_03_effect.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0685ab43ee91d02a9409eb0eea7ec679

SHA1
06faef2e1caf06dc3de313ef262006a4b2a391fd

SHA256
c873bdf946a731680005c4cfb8d23095b155be08bb4442108aa3fa4205e9baf9

SHA512
e369fd8406e8b35f0e969597024b3f07533678b8e99a7e87140dc76ecad29410c889fee353a552fd75172f01c949ac659795c41798027d77b6a78681d21d2d89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29f5e4125663aeb115600fb0120db0e7

SHA1
8d4802fb3504c9c2460f6141472d7cfafe30f0e3

SHA256
cd93d34d134c67332c7ae1df8c5b88828d1123a86f8937f2c4c949915114a53f

SHA512
a6220ba02e9181d6611712237a4ec6bcbe9239438632b259f36842a2f1e8b1348c0fd2b9e02b6dbba61687257e2a173add65814916692915795d4f04ce3f7a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73c1b1066b7421aed012e865e75590d8

SHA1
2b98ac6b913310718136584aefb98da3c9fc5c4a

SHA256
e0cf6701b2dc600ab644506af60b84ef1ba21c4aa023068a6f95dbc33b635897

SHA512
43b65b2602712d47207cd6b989eba518c28ee2887590333d30dfaaab53e91ff8a5195510a28398735df2fe86726d43f81341f672c83a6bea3f94454018fb8add

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02757e9c20f7ddc4b69b760ac7dad9c8

SHA1
17116bc21a6daf818fe780d6e23a022bfa12c6d1

SHA256
0f17840584105bff3ae5eb0c97c7c86705a37f430c34aff2f7dfc9c54bce8134

SHA512
b89e293de4b83b972d0e6bad666381457fededa46fbfcc1358a17b73dbfcdf19976a4fbcd37e9f24a20af25b35cacd91d6a1164d2465dbd873bbcb5feda9deca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5c889a38f48dff9ad52c23b964e8562

SHA1
f5775fa526445c1b677d74ffefe34e930322564c

SHA256
24444823f48f2f441dfaf3eb03def6f8aa36ddc0f9f6f0d441e86ed45d586cd4

SHA512
b0d2e1baf7c19defbd7fb828c730b69ce03a36659f2541428ca977c548147060e9be0c12185075216ecb28ee07a19c7b91e89ce504eb8cbfcfdc2504161d0820

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
724e860e3d77dfda4014289d58128c98

SHA1
dae74d4440e66f8b6b8458ecb13859527602ecce

SHA256
66e9a3eae8389b127f05a457650210531cf8dc60e3b2f85077e4f370f4310619

SHA512
1121bd65631a1f8edc0c8e106abd97dddc89cdb3fe5a4585d10dbf255e1a158c314637596449d91fb3f085fd3b54538371985123abc6e601aac6a172c4bde090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b372a21a733b7a85c07bc93c2c596d41

SHA1
53f393f4dca647f4fa31ca587efd71645a705858

SHA256
71a55f7ee584957551418531699f76558dd6f67138dbd799e11d408aeb4e95c2

SHA512
c161a2c58ff43e7bd9d0a05b0d216fa16c5cd47df08236f2bce00537f17bea245b0eb0d06d86703eee7fba4f8075231843cf1b2523abdbf5dfd790924f63b14b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a2252a1cf2a163e9143a68d77d03073

SHA1
357cd33bfa5d247b1e9f8e8977f9e20f0fce98d7

SHA256
cb34ee27cc6e47589c1807a03b528608eba789ee2e76b1d5dfafb71ecbdb3e6b

SHA512
6ee39d4f635c17999d1f3cfee047ee57c3d7720fbde4481e91dc3b0e1867900cbc4262f0435cff4f06efc3f79976daff36ac1bda2dcdc42a1019cfa8e63c2f3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c8249e47f908ea1fcbdfd3d27c66db2

SHA1
23a31f216952352303f1c3126edf7d07659d3340

SHA256
8899a5cc4f25a83bccb51a659c4eb8eb375749743c13a1d0f882e9b20b2eec72

SHA512
a787e94ca404153c3f51546ffd94471d09d66345252332143b9ef247b3aea028a0901f86fea652d284ff8cf54ae126b5dc65e16fa04bd48f12f8a7c595e8eafe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a401ec5f78930ffbe7f6dce360b63d5c

SHA1
f3141f2f31f512e4a070c095ee86e3d672c427e6

SHA256
d0c43ce3e847b1fdd26de7c6b3bba655919a3aaeecc20aec202f076fa1c4b9d1

SHA512
079dd1654adfe6a78029a966279d79a773ef11959a9257bcd105086776366072588c6f7f2d092be5b1714f856a918d140d839818f9e6934376344a5d048f89ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d99fbd38e491c9ef413351189eda918

SHA1
8253e18ac35911585b3c35a5eafe9ea3baa3a572

SHA256
7def6cba8ceb22f467e12907edf134a23b3e3bbb85f3324f24ea4a8fad2cfcd0

SHA512
ec4152b1f5ed12775ed427f70496688b91a28ff2ae2cf457dd63d79d4531d3734da5864ec3b24293c2f52142d20466bf390b5df0587bf768dd8ee1418c7a32a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
618d30e69fe1414882311bee5712d8ae

SHA1
d5a6d73cb3019dbc92dce32dbbdac3e188eaae5c

SHA256
bb63d14ac7f5da5329cc43ffb1e7be7fdbfd95a791d6819187c62a52db0a9c0c

SHA512
714f00d3fcbd79fb93a4bc3074c6f284d2b3c2d462b5da476abe46be74407e5cbcaf71ed9b8f0135393a0ddd2f7e8890bc507ddb25ff0878f9f8cd71ad645b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9447.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar966C.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit