1c310cd242a87be5cfc15ead92cbeccadd3d14de3a03fb043286ca11c8afe05d

Analysis

max time kernel
137s
max time network
135s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boost_02_effect.xml
Size

2KB
MD5

f45467db6500a27f2756cdda60947df8
SHA1

2ec869aa0e2c2fc3512857ddd351609f1d53afc2
SHA256

00afe2aaca87cafe9ccebf3d45c11b9017273c94b52f6e9c3c038c3cb1c4cf4c
SHA512

6e1d9401aa92a88d92d2cb75244125c7e06b4572dd88213627bc445a0df87b23dd5c26b48fc6c8ae60f24c3d764276fc1d271fcef2876828b2106fe3e7c80347

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000b12defcd3d4d53a012f0fd4165fca4c17f7b92608417fa87667a9fdaed5847e7000000000e8000000002000020000000cfbd3992d81e052ad4fe153153c573aa98b7f2b9f905c47816d59673c19a7701900000000e6cc31c9489ae0a1a6f21e83aebb0ee400c67d867a4a8a661dd35c66de254b6e711e1bbf1c13e4426fa830796c88333e09b238c71478d44adca74b39aef41767844ae6d06309734ffcda4f9eeb768d267d79664b690d7086a09456d5a2bf426080f8a2f1b6c2d8695badd8222d4b78e15b5a6c74f01f0f0790e704458f2251871a4eff7f09965fa69f19a89f8a0ad4640000000440479f5f65f32ffb530f294d7542effe11aa4efc05dbb0e816088f7dd0953dd5d294acb5217334128e25b8c388345544ca30f43189958ad8a769d6c59fa5d15	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8A48EE81-3638-11EE-8D08-D63E05CE97E8} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2020165f45cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000ac691fbc26b37f3b1305d34a7dfcea8b8430d03b03b43b78820127c57a04cc1b000000000e8000000002000020000000ac29d593c07ace722a28d592ba2933ffc63d2728646489edfd4254fd485c0882200000005c8866670f1386d2ac59cfa73ca27839e843f21b76c2aa1217e1c30e9c619a0540000000d759048aaf0f963b255caafc1042ef69529e55fe46d23be378c1a2bd88a0762a8a500928ea625eafd41da904836c004634fe4e164456d22863d29654c3af59ab	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694565"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2920	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2920	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2836	1932	MSOXMLED.EXE	28
PID 1932 wrote to memory of 2836	1932	MSOXMLED.EXE	28
PID 1932 wrote to memory of 2836	1932	MSOXMLED.EXE	28
PID 1932 wrote to memory of 2836	1932	MSOXMLED.EXE	28
PID 2836 wrote to memory of 2920	2836	iexplore.exe	29
PID 2836 wrote to memory of 2920	2836	iexplore.exe	29
PID 2836 wrote to memory of 2920	2836	iexplore.exe	29
PID 2836 wrote to memory of 2920	2836	iexplore.exe	29
PID 2920 wrote to memory of 2844	2920	IEXPLORE.EXE	30
PID 2920 wrote to memory of 2844	2920	IEXPLORE.EXE	30
PID 2920 wrote to memory of 2844	2920	IEXPLORE.EXE	30
PID 2920 wrote to memory of 2844	2920	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\boost_02_effect.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b50557236430a412920430790c6bb63

SHA1
29f723bd05f4030736a36d604db3dc0c25344b46

SHA256
7a68a234b1ef761686a8a2c58cd0bc33c82729e6f877d98a452108ffa2d4f7b9

SHA512
3d8725d817d8aaf1bbbf9af5e4d411d54ae6d15d97754a821d85cb19385fd684b21d3b77e7370de0c880f4ea7438b44fb311267727741410589eccc080d11c09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a89e83d6755c30d5b7f19a1109c2dd0

SHA1
92d80aafd0b99cfc4c5003e901290d7d58622a1d

SHA256
dcb85b7bb388b6fc79f37d17bbe1029c2b3d38f041c74d25f691ec997d6ff3a9

SHA512
b5635f0a635519a443e3d8d6cfe7992f06d44670914b82072a63afc37df008ff6c2ca40db89e73e47828c5a0bae9498315db76afe600b07d6c6853cb71c43809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62b4a71c35e7bd4a8b883860b829a517

SHA1
1ee9eb1b8147702931b944e3ce6dce49e67b018a

SHA256
2938f6feb8f143f1f9302d39b7be509571f88b94df6b657e18f45d2f80c10186

SHA512
0138493a9eccf175f1b1c696de977a3c4459db6b15fca7550220e9c5fea0ab7f7a8a2355eabd9c9824d3415773db514d510dab8850274e58520aed408286a71d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80d7d40c596b39c45047f91cecbabe09

SHA1
3141e56677eddddf36a9cbf41f6a06992d8022c3

SHA256
27e1ae80337fde6a1388fa88de3a7cc9c836299d77c9368e12b7412ac969a6ac

SHA512
da5ac0d3c43cbceda78f5554f6f9724578353b744f4d8950b850325b82ad6496cf34483174e953337164147335b56e4714a8904fc7b1ee54d4a01de2ecf30606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
477b78f876b97a7017f394f092ac4f9c

SHA1
eb43234e8fca9afa88f83e93d76bbac725c21636

SHA256
38370e63e3abd2eb53ebb48123c3ce14a7c4aa5698e988ece9517a823fe8ffb0

SHA512
6c2e6bb34ca64df65fb1134b8fcde05f0081f53590e1aa2e044622114e874abe2c7b8213a16c941644acc190ffc9f882f8174197eba51392ad0da24994297f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97a915251d9c66c6fb1be81c7be9d0ed

SHA1
71a47678159f2ba5aedb01bb732b081b19bc4022

SHA256
a4a466e7fee30491db26d839b9c44283f093082ff6b4591efdedf3a6ba871f88

SHA512
a955bcdf1a0843dd31bfc0ade7abcbcce2743e67362acf0d2d12ed2e31b6974c74e7cca1f2b417a79688cb5ec92e91d2b8aeac91e82a10ab7431fa856ff4ecd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
282844d08be24efdd6b1ffbec47d09a3

SHA1
7ee6680a635349f4758814e1b655196244617af1

SHA256
c8f3af5ed3d437861ab9d719e76ca8f9e9414c5c943e5dfc8bfc06dfa806b539

SHA512
18d0a8f58af5299b85ba90d25cdcea12de6e25fb307517e37c99a6e408628d5a1fe0fac314984c06975ab90a2acc23ecd6def97975bf647c1dbc1aa83f88f7c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7fb39700af555a4b0eacb9d9ab667608

SHA1
b31eb59bd1798b268e6617c032afe792eef89eec

SHA256
09f141b20ef1ed2b9c2e84df2f3a62448c2d214b3bb424e7c4ed9ae42bcb0000

SHA512
486b11de48bdc9452f6518ad59a9b07e3aafce50231ae467968791b488c4a60989a04850c89907d34ace23d7759727b262fbde69645402acc098455d739f3cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec13688e957a117adfa045e855c95315

SHA1
b2b35f6329511225c125cc63c1fb4a33a92c2af9

SHA256
8040d82f9649fadcdb75203065e05472f6ccad9b19ec7e85c3f925fed067ec03

SHA512
7667cc42e24b5361b36a8dbe1697d32d028b249b4748d0dd5d8034b9b3eed0c98a3830ececfbb644d8d6d41c1e4ccef743c173e70f4abe06750178e99c25f671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79665cd50bb9ede2454d6d7c3be413a8

SHA1
6b3ebe675b4dad9d2308ede1bb84a93f5008c317

SHA256
03f05684fd03d2f46726647c31da163df298288571dd848d555a1fa7d2598ebf

SHA512
bd61570f7d5d10170cffdb94a086daba34b85142f9787fa82cd9dadb79f0814d70eae40a9fcb6f647c5290e7bea8aa2f73dc2cc931b50d9722d579e0f0bf2853

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA3E0.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA412.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit