1c310cd242a87be5cfc15ead92cbeccadd3d14de3a03fb043286ca11c8afe05d

Analysis

max time kernel
134s
max time network
138s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dragEffect.xml
Size

2KB
MD5

6de0ee2cd3360b7a56c053235c495a18
SHA1

3003297bd7e617ec83c94cbf8b7d02ef76327c61
SHA256

c7e03b52f30719841186b1f740ed584164573785bf19bc5fac46a0ac813784b7
SHA512

5d2586c94713df8fb24599c523e745a9a34c247e4028c6f51b09fe1f6e7a0338f714a322731143e2cc68c281e26bb73c1cd382fde2a43d4122c017eb7aac6f65

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C5EFD41-3638-11EE-92AA-D2B7D0620653} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f039846145cad901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000608116ce64217cf2a723dfe8fe87fa7129d290fb188303b5ae46ada38661330a000000000e8000000002000020000000955f8844b78e692d1f6ac8f882e9729dd50c80a1a34d35afa878b34a947ab48a90000000cfd5714a71bf3e619d46fbe6c000389fd797cd7f66fd9f392830cde628ce38482187c6e9bedae977a42272bcd69171f7d10fba190d3ca8539cd6031241189ed78a3176ebe9f8a2eff64560ec88bf2c5bacae5735f30edeab8e169ac03e9d80729dfea80656fe677e27dd267bfbff6ac880feb0727cbd3a0f2599e45a14fd0f1ae59c63ff84f6f05aaeef9d8cfa0bd5eb40000000a072e596fb5a8f1a7df4809ab237428d6fce8e6eb897329c6cdc4d05f6b972e29fdd63997329738c6b29744b096f65ef00f95efe80ef97c6a688b375a20600bf	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000e8dfc725cdf3ea241a3ff0e52a5610ddc64651ca14288ed021de1309cafe5c3a000000000e8000000002000020000000b1c0fc0b60c17854aa3b520ed6d84632beedf3e2cb4ecd31241bff7893f0832b20000000c95b97ac26605370ac5a47411e236409a41da9061f8fafaab643f225e2bc5bdf40000000d34fd5cb107ed3bf8713556a1ccbecd2eccadfa4df5b6ec13129d65fd3a94ef0d7df8271d720b8da0a742deab2c8156e8b7136a213aab219426278637f0239be	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694568"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2976	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2960	2196	MSOXMLED.EXE	28
PID 2196 wrote to memory of 2960	2196	MSOXMLED.EXE	28
PID 2196 wrote to memory of 2960	2196	MSOXMLED.EXE	28
PID 2196 wrote to memory of 2960	2196	MSOXMLED.EXE	28
PID 2960 wrote to memory of 2976	2960	iexplore.exe	29
PID 2960 wrote to memory of 2976	2960	iexplore.exe	29
PID 2960 wrote to memory of 2976	2960	iexplore.exe	29
PID 2960 wrote to memory of 2976	2960	iexplore.exe	29
PID 2976 wrote to memory of 2808	2976	IEXPLORE.EXE	30
PID 2976 wrote to memory of 2808	2976	IEXPLORE.EXE	30
PID 2976 wrote to memory of 2808	2976	IEXPLORE.EXE	30
PID 2976 wrote to memory of 2808	2976	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\dragEffect.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3aca63f4d7ddd72fd7a2250cbb7d2586

SHA1
b4c17842ac1623ea65758eb85b42d0d6c184cd91

SHA256
d1586f42e4f3bd51671d1e78c48ed821a688e1488cbd8761ac794d9fd8193d64

SHA512
8d7ae88f73e7867ab5358bc508751089063170ce02887536280079e21f8c51db076fa9708a2c0e6382538659c79d7707e0875f9e0d3da77cce351188ce97a137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
310d5908ec386614bd003e86172627f6

SHA1
7ecb5f5c02b979b48c93d6d94180924f66ea0ffc

SHA256
dca03a09ba3b270ffa949da58458a6d558ac2e8781cb2a25fdba24918aec39da

SHA512
19bf5cd51368294215bdf135b552d503e64d42ee387c48fd27994be569f331f1c56266de0ddf988c72bbc09e3a23ff77b1151198b3ab869de6b949aa273f0244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fcb7f36f0b15896488725356ccc5bfc

SHA1
5b58b773b4b373bd3e0b26d51e7e8e51677ad4cd

SHA256
ba0def27f18c9358a51aa49f900b61d6b92d1c76cd49df0ef8f4a3edd81d12e3

SHA512
7235288b37a6708aae155ef975ae0e4dccaa55c7eb3ccf7a855b26699b4679782ffa2e620f75ebd2f6ff6dd5c9e9a7f32d412ae442f1c635c2cd65af9f14c7f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
143d0a77f3ba9c3eb2633fc4ae618a2b

SHA1
837a1b49ac7917f97339df13d18ae9efa7e5a34f

SHA256
75f2c93a6ed7f004bfb7e82040c05be79ee6fcd55b65e5f22b547ba5ac5d6e4d

SHA512
f7aff96baf683eb3103d2b2eb2984bd99a2cf129d1a2aef47d6ba7ecdc018263ce2e3ccdf0e5e17884f3798ab035e4264c21f54ee8e3ae0252f353924f0ec270

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4faa92f52b6247027e99b720ceb7eb8e

SHA1
1bac56df4ce0edec28067a1de8fe366eaad79946

SHA256
01885e3466b79ccb35d8744a066e131f69c9435350873b22d5e6dc508db9b9a9

SHA512
90176becfc80339440da7ac9d03f64e964842f9d5186f7d1fcc1a8bb72ed04c371e10e3a406dd081f858a6c7d019decd3d5030187710432da5165ff28f64999b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa6a0198aec301e63f22e01307a1df07

SHA1
d4f7012f0e521ecc04e6a6ea0645435c2cd51a5e

SHA256
144a2bd903d7e5f2f3ee5e1508367fab0fe216d824b53d963bd0a11eb977237e

SHA512
e8209fda0a61d1272dfd00872684f363dc512c14b66c3cccab6ab1b5d7f3469322774db85ba229c3acd5c7262fb3f16e77f739d6a66f345c2b6d2a5e7573d800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ef1984ea65ace12a6c619784eb86586

SHA1
9f8aa4351437f501263ee6ffafc82542354fe209

SHA256
83f697abc6ea85d0de23ce226ea1397cca89aa0475ee3792d623b38510b63e3a

SHA512
1b8e250c1b04cd70cfaeae852f989914abfb63f298c4cb124121461f8cbf0218b86da60405b1f264d5b769a1f0613e4d4f5df3791f98f79a24d632f8339952a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffc74aa159d6b4b688f1f9fb165c95dd

SHA1
3f2a71421aa47283a17c1f522e825724ac89ba26

SHA256
7111e608a6dcc55e75dbb1c15685e7a8a7d24aa10f045900a793b0b01467b643

SHA512
da947c71812c44c32e20d570d17c6d1c70ad5cb9eca04ddeb745913e382bb0fdc507166a02380ab8685e7b37f2c9381a86b2a13f41661e0ce44fce7b071e9c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0d98087e613928beb91b6a099f4a4c3

SHA1
44a2e1a18968925b46c95d1a8c53dab05a8cd7c5

SHA256
ee4040d9b928dea319871a4e6ca5e61be63af61d53f3cae5869557e863af6e48

SHA512
3c6b4777c32499c99d490ce026c57a77b25021539af5e8a2ecb2b5ddb90693f3ea5d46649966339e5b42effcdd2ff20389efa9a6b13174039ef805d3d94917e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23bbbb93518faabdec1e78594153fc0e

SHA1
4ffc9e59f67d20ed6b365d33e55d8a7e69c2704f

SHA256
2667c8594629ada9dd48554ec089a0243fcf20dd0e048b74e743d1b49754519a

SHA512
49894852bd4412bca2dc6249d140924d1db3c8134b632a87f736efde4c6488425992de24b3a4400842e8229d0f78991c6b2a0641af9e910f67f704d50f48e724

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabACA7.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD36.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit