749d18b3f9c65379e96a28db1af0a52a4196749682a7b4e1c00cf3fd37498171

Analysis

max time kernel
134s
max time network
137s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_8_overlay.xml
Size

2KB
MD5

65a2809f038ffa4146cf59a57e6bb32d
SHA1

3b5e30bf5de229cbeb085e1ea355288d63ebea51
SHA256

8dc35b01684c284e85275509e698edea94e73f6e328732993a96b881f20eaaff
SHA512

2f792059b6aa0a1dd32924169fb9176e9c6523c6f17b17cbaa2486bb246b6f726e01717b47372d9558501cb2dc5f51c1564b7ce195bcde1769e07b3fb8a7879b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000005f170047d3224bbc760c4245d8bed71c8f4dc3f4d80f23ad1886a1c363d387c6000000000e80000000020000200000007aaba1850a7b1eb660264a30def6f47845d87a3219f47593c8f1cc0642aac06b900000004fbf9245464c3d84d967551e2640eecdad2fca6b37914e128193475591f788d4bdcf4087269e4822f3a2859273ba4395f74a5fe9e6882637d3df8c84fb3da0544add7fbbb663fd1ba9577e8757a42b44c8d43742490e0a31db8b367dd54898414fa869a3e2d743c72f8fc439f39271313dd669d057fb793374ef0cd05126033024fc8ed86189f69fb1b0846bf61106414000000030c223b49ceb86c9fef739bdd4e2eabf1be1cd9e3b314105e05df8c25d7692030140dea8c92ecbd3e69771bea884973d1ba8a736abef41363d0093ed3e40c8b4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb0000000002000000000010660000000100002000000000192fbd2cecbd6aa2d523560ec0b169a40b65189ce43fbfaa91da0bb8dbf0f6000000000e80000000020000200000003796d94edd609bd0456772ff8433ebc19d63d6753d8b25d8282d123fb3f42be02000000081c1b17cbf7be9290a0b516ed749e1596c863f853858695782d30431c0cd6a3c400000005a762ec9e6d635b6d0368e233fa76b0767301e4f2c4fd5345e78f57c7637afc0eef56b8fe4d16e8c3ddbe239b3b47e0b1ca82aa57b3478d7dbd9b705924c2cfa	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9227931-3637-11EE-95A5-F612EC4A90C2} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20430c7e44cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694191"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2840 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2840 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2840 IEXPLORE.EXE
2840 IEXPLORE.EXE
2836 IEXPLORE.EXE
2836 IEXPLORE.EXE
2836 IEXPLORE.EXE
2836 IEXPLORE.EXE

pid	process
2840	IEXPLORE.EXE

pid	process
2840	IEXPLORE.EXE

pid	process
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 3028 wrote to memory of 2832	3028	MSOXMLED.EXE	iexplore.exe
PID 3028 wrote to memory of 2832	3028	MSOXMLED.EXE	iexplore.exe
PID 3028 wrote to memory of 2832	3028	MSOXMLED.EXE	iexplore.exe
PID 3028 wrote to memory of 2832	3028	MSOXMLED.EXE	iexplore.exe
PID 2832 wrote to memory of 2840	2832	iexplore.exe	IEXPLORE.EXE
PID 2832 wrote to memory of 2840	2832	iexplore.exe	IEXPLORE.EXE
PID 2832 wrote to memory of 2840	2832	iexplore.exe	IEXPLORE.EXE
PID 2832 wrote to memory of 2840	2832	iexplore.exe	IEXPLORE.EXE
PID 2840 wrote to memory of 2836	2840	IEXPLORE.EXE	IEXPLORE.EXE
PID 2840 wrote to memory of 2836	2840	IEXPLORE.EXE	IEXPLORE.EXE
PID 2840 wrote to memory of 2836	2840	IEXPLORE.EXE	IEXPLORE.EXE
PID 2840 wrote to memory of 2836	2840	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_8_overlay.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f78015937dcb60bf95ab6d77819f1f5

SHA1
10a3bcc0fb6b4b03fd0d7cd2453c08c1337b32ee

SHA256
86f4d5c3ef984c45fbc03e74d4df148bd86859b90facbfa9c682f4acc8677d61

SHA512
5af67f130f1c6ea6e25d2b7cc7f3058ae312cb1add6b2fee05a8feed9295d7a1e41077c78ed32df6f17814bf58eda66882f004e8199604abbfedbf86da86d4bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3284bbb48f46344af691610eacf04c69

SHA1
b59977e01085dcf0b8c3c7d8956ca1c3f9796c30

SHA256
5fc8158d1fc22e23576913098350460b7b24e0ddf3a4ce1a77eda0c8a6df122f

SHA512
fb1c03fc1d5082bf914624aa37b667e20d47fafa119f80eccb16ebd7132d8b415eb09e59898b513d8ec9cb2698567b066b69eb3bbaa34ff5051b20a510dc1c13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
063467075e147b095bd9ed34284f8e5f

SHA1
c70dbd0c86b95539e243ddbca4acfd0b280b25a5

SHA256
7a564ac73bdeb915fa5266940a0b0b12bab7cef17afff1b2ec25e8608b12c260

SHA512
1e2c21c6c65dcda17dec06b3a1d30e1dbebd42b518d1d5a2b11009cd0f7444e16123487b67567ac9211ff8a329002a11e3afe7b91476555f884524a23d216cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45354ef9df0123ca50749db9af7878a1

SHA1
f6d8e9930e6a1ca30d1407471b4031fc09498f85

SHA256
f21faf0310a8e1e3f0fda7c2a7bd9d19e2cdedb268451f68305c6453e9a565a2

SHA512
64f54905a9decfe23a54f59b24c939a3fda03fa99b96a5bbddd91404afc133cb3f3f5ce504c9f89899b30ab5c37392c6efad4349baed5de373a0af0edfe064c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afc5a12b48349805302d92316a5cfd1e

SHA1
c94a66eaad2edaddee729c0b823cc79b91d17ab8

SHA256
46882e992103077a70d9cad1d771d1b62c05d392c832eed5c1aefeec1f834b3f

SHA512
e76be54a77ef21e85f480d5186ab6d7dcc84c4395c6209d97f81e36dda612bc96e0c24273e25559e3323fa4111ee0d2e3d4c2c0e41af565be47201ad5594d622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9133ddcbdd79e202e4bd7a4cdad54562

SHA1
d6e82ce2212c49cbfbb71b9b08d2d34689015c02

SHA256
1ab5b5f05282cce710ca0294bcef556e8e5636d28899a567c7ec77fe1666da33

SHA512
03e22038463a9482c7a03fbe71e9575dd11a8c05e028f5f52e796e06003eae4dd5228a500bbb540ba3da4d8d2996ac76c6d032a219a398ff94413dab74e007ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a1ec9f303a76da53cb6ed2d6a92d6e2

SHA1
632ab14a114e1cdf727e154530b29272b0d72a15

SHA256
14c51eca0a0f71f9b4dd74dca11b9aac5dbc2fa81a6414604ba893ef7f3da36b

SHA512
bc6577566fa19c81df9bfc2685f672f98aa81a105c61e2541af56ec8c80322e00a418460f0815d3295acb9ade4ed923962d3bd2d47e2d17920f75aff88802cb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9443629d9d913899ad04fa4dfb1389e

SHA1
9fd4d7af3e7481136bf76d356ef32b199dd1139a

SHA256
a814492a5a01f6948afe4a1924ed1aebebd8095e62980d9ebaa24ad6626792b5

SHA512
b5892c2f6957426a3fd21579ed3e86f3821b2568dcd93157bb5fc92c3b70871da36bb8b1c806cbb9ab8434b8c344493e992e7de8c4cf661bb381dcb603477267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d70cfe83a7f352c02c2e2099df6aad0c

SHA1
f5cfcd05e306cbe4997f32ffae1d6d90f4924a3c

SHA256
64509ebb2c211d26771775f876fc3786ce9d46941303e7f58cca3d34eb6563b8

SHA512
196435a9ce7f4303888083c8e2c22b83360dc34adcf010ae42a223884fd184f91593f955240d82d27c5ff7dbfcc4a40451ab8bf12dd9f2689a499f2c2ada809d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e65e057b872b118cb9384ab7e09004cc

SHA1
ce0bfd764ab65daf6148410a0ca3a0480d86c8d5

SHA256
2870239f32666c5d346380868cbda5a24ef661c3e924f85bc784e4d9184f99a2

SHA512
92462a0df098d6fb350bb035bed4c14bed5852f2b3d67111f81acdfde0a593f52d13b0a753dfc2ea82a2a958e08a566e85523b405eb5b4289b7f8b0e50c2f1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE737.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE768.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit