749d18b3f9c65379e96a28db1af0a52a4196749682a7b4e1c00cf3fd37498171

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bear.xml
Size

2KB
MD5

a3b81d60e065ed84bf23746ff5dd6b39
SHA1

7420fe1744bcc51399be1efc8331d6a808335243
SHA256

7bd2c80b5ed3cbf4a70706e9a07f68eb9be108cfb3046caa02362455d0896096
SHA512

56987ee2776451b55eb99b13fc0981f65e824fcc61852e1a5e481e4e94c4509e058337718960640e6caa52c6a1c5db28b6a14ae5c356abae57689a6b6221f750

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B1F746D1-3637-11EE-AAA1-4E44D8A05677} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000197c8ce0a26d8eb6bbc5506ffd4904d26e9097b3d36ceefa2d284a3578b2a92b000000000e800000000200002000000047fb9bfac3cb0e50385e1c80be5930a6d8a0a68a4c807f81023f368023b5d24a20000000eaa4cc19efc9a045d7e594507b43e1348e8cc2ab246d5d06151b287f31de6101400000005dff07515042b4f95940b003d020c40dc0d6de515daf986711d87d6bb0a4a77e8277d736e21041369dcaf920f98e996e71429aa6f3fd7873f056106d20500e78	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694201"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b0210000000002000000000010660000000100002000000003bfc907b410fa8650d7840f1e1d0c8b774bf1fe1c1726c489a45428baddfe72000000000e8000000002000020000000ad800734c8474e230f28db11ba2b2b9e7f2f3ccbe06de0942b100c227feaba7f90000000a6ce5527e2a750fefcfe5db0bf6b3536e2fb55cc4e4b989b5fba424273a61f974830ef5fa103ede4a5a1b48b612d84cfc1a3508d285c07c0ddabec1ef1ff417d730829eb6b778a82bde238b61e3e7d7c93f61e1947fa6c217b68ff05e36fd1d01529a121660cd6d513087de2c5b4eac888386f7bb1c6f6d43456190c30237825521e2c467ee45fbe8942d1026b7a52b3400000006530bce7bc87d8eb1f6598e42257cc01c1cf1560842d576fb0f4eae2c1c63a3512621f4b37181002ebe6ea8cd39ecece3b819dfd14a346f38b1c877fd25daa62	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0089c8644cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
2536	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 1688 wrote to memory of 2116	1688	MSOXMLED.EXE	28
PID 1688 wrote to memory of 2116	1688	MSOXMLED.EXE	28
PID 1688 wrote to memory of 2116	1688	MSOXMLED.EXE	28
PID 1688 wrote to memory of 2116	1688	MSOXMLED.EXE	28
PID 2116 wrote to memory of 2536	2116	iexplore.exe	29
PID 2116 wrote to memory of 2536	2116	iexplore.exe	29
PID 2116 wrote to memory of 2536	2116	iexplore.exe	29
PID 2116 wrote to memory of 2536	2116	iexplore.exe	29
PID 2536 wrote to memory of 2988	2536	IEXPLORE.EXE	30
PID 2536 wrote to memory of 2988	2536	IEXPLORE.EXE	30
PID 2536 wrote to memory of 2988	2536	IEXPLORE.EXE	30
PID 2536 wrote to memory of 2988	2536	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\bear.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
724295dc127f42aa98af41a7278d9633

SHA1
49084a45efab50870adecf066e9952c968528832

SHA256
e8d3778f36ebee205eef360289c5233d0267d12af05b4c2bdb039b1aae991bb3

SHA512
aee8cdeacc67092eb3746d39e215ba87e605de07b5341acd432e4cee8f7ddfe29b134f0c68c42b77e28efe9a2279b65db6f5af6b6549bb1cc7d09acbb57f5c71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fce26b8eb1c92ee1ec7ed6f203bc92e

SHA1
bc9a0caca14ba124fa97269d22674e8705c56186

SHA256
01dfecf761727abedb996b1e758f071301727bbe7bdc12d650a675ebfec81f41

SHA512
be9b98b6a89da932767f6bc59e1d8292e6e91c086f6eac961546236aaa3760211e781112c89ca41ed0fd42824dbbed43f09a72604bf3201d51b5077f53d4f2ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7df4c84779b3687214730a07ffa7bfea

SHA1
adff627168cf35f6ff7b196d515344c9c3bbccdb

SHA256
dfa7bda4477ba9eff3473ea1492e5d54d1530bc1aaafb5c0e2013437ed4f0d5a

SHA512
4a6e9645efa3194b5e4fc9c759ac463fef355468204220d4dd6e22919b2419ea4ac96dd13c4f7ed80d99991f4cd7b2826cb5985990bdbb9f6d0e50fdf914b5bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f51ab346b23607db6faa41aa06fef3b

SHA1
89d333cdbae8051eb02b6f1e3f27b413c14635d8

SHA256
e859f2746b33db669f630df6778e0ad2d657f86b383b05db5090c53f0dcd3287

SHA512
ac791a2ccbcbd0bbe5a4a5fa8160f3c1999a20212e34ffd1a56e186e1133a0b3a0a9f750c08ff1aab552204b5117b342e7248abef34b059f2675f2b2b9c98c51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7150fb5430f0081c75b4903bc138d82

SHA1
dac2c6fab522ab45206b2e412f18deb84fd44b03

SHA256
e42101bf8aa9e08449efaf877f18a2057f21958e5688310635132986053fdccb

SHA512
6d754034c8d4368fa3c27f49272e98b9f0d8b082223c0913a94d11f29fd63f9927eb8ef1c47733c90ec11b9845cef1fd29ed5ee67a2744fc064240e1e922f34d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1170e25d372feb135063dd073f7c6343

SHA1
ad9f97e4996f5c7d8e54a4109d52b6b336883955

SHA256
faf386b4c6cc7eec2860aa226438b2c55287cda255ac1841178c23ded4945b91

SHA512
b4e01f6b35d15c4639e8ab046af126717dfed60500b047cb8f555036cebb457e0d9ec1e86b2c546ce085c4ed8b1caee9f1828cf1da557cbc60c495d25984b80f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbe1bd1f2a49e90eeef50d0cc5d3bc39

SHA1
ab5e3131cbad9343719448c612b59d5326bef03c

SHA256
b9c138a6c49ee77753c399200733391f133ada0b8696aeed0b615c7c9a6e33ed

SHA512
912652899768e424afef047a9a0d26d866603949a60540f8f3b21ac96ecf636ac9961722453a15d4da5f2e8c51f97bebf935af6ac221c26ff5cb2a5cf19aa498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b58f883efa400e120bf795d218d1f801

SHA1
775666862181bcc8d6b3e0924b7ee1942b94e201

SHA256
e6532342548e3e747941950c084c61ab3432f4b98551ab0261218dac35f2063c

SHA512
953267bcc7665feff0ec1099c0f05d3428e4bdbf27252e9970e4d017fd67a40900826ce40c6f0c84c40ba56913d67e66df628c1ed4a57824b992b7468a43b7a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20ed271db2bb946d624c3acf9273e4ee

SHA1
de357142d6208bf98793635bfb0c8e7433d4650f

SHA256
7d63cc4597e56996f7a5548079b6dc0bc7064fda95e7cade8f22a6acdffe2913

SHA512
dc1e1544c98e7274f3f0e05b33bb3ad1f6b228dcf11f2c0f3a35d3368024de25e02e1bfa561517df18824f346a62bb471fbf3d006c79e3f5f8c544884fd75871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7fb92228dde4beb736b58d6b2a3940dd

SHA1
94f4ec43cdb6135e8bb253b2db65a0d5fb84f32f

SHA256
4dcc32f8453d7c35488d58fd87b105327d5e4ecda77295778a2e526fb72daab0

SHA512
9d78ebe4191e9f1532d107e3ab0b09631c7a95954074c66af6b33ba9ff9f1f5e2f073d18532d945fcc9c700c82ed63e4d07cd7199a076bfeaf0a463703b7491c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFEF.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD040.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit