1c310cd242a87be5cfc15ead92cbeccadd3d14de3a03fb043286ca11c8afe05d

Analysis

max time kernel
137s
max time network
135s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boost_04_effect.xml
Size

2KB
MD5

80168c7967ce56123eaae7c1c3ec71ea
SHA1

73994ab3c4a3da5b55460ee25dcfc2f45f5f7a5a
SHA256

e1a98040443675a42fb01354aa39f74a2256b1445e0249268677f6b01bcb1639
SHA512

f32153e91355d0848bdca3082d28e6d198b8887bd5d1ccd2f3afedf9c2a2b0054fb8eaba02c01df450f4652f1d729fc9fa30150aefd74d08c036dece549511a1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694570"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C853281-3638-11EE-9806-F2F391FB7C16} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000d6b37b72458d303a8f49c54aa541415ab11ee03b1649b9cef509a658fd9f9a12000000000e800000000200002000000076ba501c94520a571cca5cc404e38e3e93cb4c7f14456ccab99cbec4ea7395b2200000002f654bb419e943d265fdc4cf2738af0868b73831da5aa95849d3686731c946fc4000000097cf80008ea3fe0bd06d8885eb68cbdbf215313c89b54a51d901cd39c80a87120099f061ce9e9d5ca8e5b0257035d4a500deb695506c5c41ef9313108b03875d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10357d6145cad901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000edd7cdd722e5689648d09850f97a5be85801b0641ccf75f7b641d5d626f08aea000000000e8000000002000020000000ebfc31c704915b1f30aaff2956338e4f3482b3486ea00f6da977163e5a747361900000009e1d8499d74f6d5da98408947f5828387ae2a263a628c8be4101a023eca35687a22d369dc3852b7ab74e16fb9c5b245cd21724c172d176f1d66d9700210a479ca5ed14ed0d2d32085ed1526eee3a9b4d71272ee3aa28f7bb3ef6a1a7909a5b73a493a454db700b447f69c2baf9b6b35d8ca72465bf23c8af77150bbe39e0198824d4385f4e318830d59467dc011d68bb40000000b4f7b9a76205f8301542a201aa93081d269b9783fd9fb70348de6c10d4d0f43693dfca1e220557ea70c171c45448bcdf15b6de0422652679178ee4e47f3e6605	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2628	2164	MSOXMLED.EXE	28
PID 2164 wrote to memory of 2628	2164	MSOXMLED.EXE	28
PID 2164 wrote to memory of 2628	2164	MSOXMLED.EXE	28
PID 2164 wrote to memory of 2628	2164	MSOXMLED.EXE	28
PID 2628 wrote to memory of 2156	2628	iexplore.exe	29
PID 2628 wrote to memory of 2156	2628	iexplore.exe	29
PID 2628 wrote to memory of 2156	2628	iexplore.exe	29
PID 2628 wrote to memory of 2156	2628	iexplore.exe	29
PID 2156 wrote to memory of 2760	2156	IEXPLORE.EXE	30
PID 2156 wrote to memory of 2760	2156	IEXPLORE.EXE	30
PID 2156 wrote to memory of 2760	2156	IEXPLORE.EXE	30
PID 2156 wrote to memory of 2760	2156	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\boost_04_effect.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45d84aca8727666bb68381718dd1a7a0

SHA1
1c8d51fd5b6449ec478842f05f26075219c31621

SHA256
cab41b5a7c09d82c09d9156010c17a28efdbc3eb4dd7abb8d98d4caf918aee86

SHA512
f9543d958bbbd82af0b35ccadd1f216b22cedd1c3a9782ff1f85ec3f705c6336636459e10c8e734bb842c7b043a3bbfcff8b027c5f31a5de17a25f905082c877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2650ed5c19128805759b6d8600e30d4

SHA1
59e6ef7ffa3891a82a53d13982aa4290d5a743e9

SHA256
1a924d1aef0663033c153782b4b3e1eae3508109fdc49d1e4888d82fc9d43808

SHA512
4a487a8ff2c1a8ad8708983b3f1b657754ed55b01523802d0236ddf4d27c7a17e2b679db4ac933d90fbd3271667a5574454c9f8b8820359f1695234fbb3fad27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f26bd3e40d6e01f84410eca61e4521e6

SHA1
cee408cc0a3cdecfa13a54bf5bb9b4e2484c14eb

SHA256
c6b6c2f5bda98ec672c5882b8cff14e82cda80663fe9cff8dd9b040880585e6c

SHA512
591099418c2948a153e5a43190ecab5a16b0639364c092f95323d5ab99741852e758483b8fd17687f7b0fcc398d60a6f4b15f3a2286e84ddf33f4dfa01ccf8be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42df7f9626eee804f6ab1767ff0ff2f9

SHA1
1a4fac9150c0ed8e4f9ba657a91be5b55a609ca2

SHA256
0150e2a64aa900284c306a64c2cc28f29ff20404856b4ed81b34f4be0cee1df7

SHA512
cc440cf288c5d6e7831ae4b4a17f635e13adc08a634313fe5c442527f9ab52eb9819b7342d70a5b818449e543827d138e75db13348fbd38126297af650194d7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d42e2ce258c1475c15ba198d8b90a95

SHA1
be8ae0f1a0bd02339c053fd3710a2b146637e9ab

SHA256
51881468d85048881a06fab3e41f158ab1b83e1a3d5b90c874ed228bce0fc7a7

SHA512
71738961406da2df1d5d1f1532fd9c091f02793bfe645ba720a0f745fc36d1ddf88eed0c7c85f22675f977e0514752c987183efbfcdb4863fb080b333ffd5bda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
593228eaf791eb4485d4314de8a4607e

SHA1
7486d7519d2bd7314087e7993a838af883ef2432

SHA256
e6309f313dbb8689193b53e7ed25df3607d08f00c02ee2eaa67c1343931968f9

SHA512
76c6353a7b6bf39db67845ccc4420d2340bef758d1e1e00a5ae3b46bf3dfa6c67e7daa1947869801a325a729065e9d25626e33bdcdb6d4f21d33fa0bbe0e5bcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6044af0721e753e2474aa9f48011c62e

SHA1
b54a7d4eef9de07d6e9128cb98cc0e7f11a0a26d

SHA256
9f755be3c2134fb6c17690e91ff3fcee9ccd454af9700cbafcb7f9b59ac425ad

SHA512
4283d3572aa7c626d14a30a214dc3ba283f8cfe9a8a48789c263c2a4c891679c9add09357382f52ed606851f94be56f352cad817cfca6120c5edd089ead5d1af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a695dbc9f6c55a705c805f2cee434eb6

SHA1
6457f41ab59af63eeca16a88317e6ea0020946b6

SHA256
9c48928c206e87b54e12f6c82aa72bccec389cc98109e90e9be3817f8c31fa88

SHA512
deec46a0d058e3a8ed521ab22f38eb50d703a68bcf40567a050f03dd524bd832338663b51d3f5c3eea279b33723f727bfcd58d580c8de263427c76e640fc6baf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a3f9e568b04631404d0bb839d2bd825

SHA1
bd5f3a98577688e0c39f67fe87228e8cf31160b9

SHA256
304c9d36197c735d496e8616c37b232c25884c24598060c22394479bf64b068c

SHA512
96abdafd5249f308df649909ee70132db073faa9b9c4db428f4f2301a58c40248b05e2922ec6271a5ae3a641fa7936b8c07a49727a280c1e3e6f2dee8f77ab0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE51.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF389.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit