749d18b3f9c65379e96a28db1af0a52a4196749682a7b4e1c00cf3fd37498171

Analysis

max time kernel
134s
max time network
134s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_cloud.xml
Size

4KB
MD5

cd47d4b3192545c91fdddeae5adb3d8a
SHA1

8d389882bb4a501bd8d2c9690a023d0c808213d7
SHA256

8ec8ca9e56edab13c9b45aa0dc21a4970398ba6917efb981e4533cd510c56d58
SHA512

58f8482402652807229c3d5a563c785f4f85d6f768592521b951ade7555826f49f45e41881b1012c0350ee5aa77e0e4daa22f207e0fa3ddf3f06c16e49817ddc
SSDEEP

96:7OKfETG9jU7aGyVS0/K4TL+uhBj0HPDYKnCZB4qdP9:SoZuaGyg01TPhUzMd1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9F52AB1-3637-11EE-ADF5-F2F391FB7C16} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000069eb45410bb62e23a151ff1ae8e3b005f1724eae0440ef66a6f529e0d317de89000000000e8000000002000020000000a3fc99ef546e43e37514b0b4a24a35683f88a542fc4e503d9ce37c0aaf2234c890000000578feb155c3bf021ba7522e5d046187571433f5cf46a0cff6984f3689540e464c437b802e1d7d74381426c626690c016dc5d900ba4b68b96a2519808cdd56436546e584a7f29c813e9fb0ce2b97674a49af51efa7ae09100092b6d30ad20d44a3a643075c1a8ad5b32e2d7b72d7d5962a4c29f3729861f759b01274da0d291e48e34656109d974f8e5100e160410f5b040000000e96d5421d8d96782b780bb9230b1e3dc294185b01e2df56b69aea131da76fb157a6e5095ce859b149f9f2acdf55007d2aaff4d00200871df389175268cfa46b4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000c7bd32c842b0c3a71115d9ac7b3662f8d09bf6dd3ce944f1e1e76cab7e64641d000000000e8000000002000020000000b355bded8a8a26635023be71b1f2a86c8f98fc9873baa18a5af797bedf1085b220000000ae2215a5e95d2b8de6ab6ace3d64a022690efe7420220560c458c1efe4af793d400000001642834380017f6c28c1afcb2a0c7f5ef1e0a5559fcdbdcddee30398594dfd34f2a81f075bfa266e34c9576cd90080ac0fac5d28046240dc6393896983a3d5bf	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694188"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600f827e44cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2488 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2488 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2488 IEXPLORE.EXE
2488 IEXPLORE.EXE
2956 IEXPLORE.EXE
2956 IEXPLORE.EXE
2956 IEXPLORE.EXE
2956 IEXPLORE.EXE

pid	process
2488	IEXPLORE.EXE

pid	process
2488	IEXPLORE.EXE

pid	process
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2528 wrote to memory of 2804	2528	MSOXMLED.EXE	iexplore.exe
PID 2528 wrote to memory of 2804	2528	MSOXMLED.EXE	iexplore.exe
PID 2528 wrote to memory of 2804	2528	MSOXMLED.EXE	iexplore.exe
PID 2528 wrote to memory of 2804	2528	MSOXMLED.EXE	iexplore.exe
PID 2804 wrote to memory of 2488	2804	iexplore.exe	IEXPLORE.EXE
PID 2804 wrote to memory of 2488	2804	iexplore.exe	IEXPLORE.EXE
PID 2804 wrote to memory of 2488	2804	iexplore.exe	IEXPLORE.EXE
PID 2804 wrote to memory of 2488	2804	iexplore.exe	IEXPLORE.EXE
PID 2488 wrote to memory of 2956	2488	IEXPLORE.EXE	IEXPLORE.EXE
PID 2488 wrote to memory of 2956	2488	IEXPLORE.EXE	IEXPLORE.EXE
PID 2488 wrote to memory of 2956	2488	IEXPLORE.EXE	IEXPLORE.EXE
PID 2488 wrote to memory of 2956	2488	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_cloud.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15d821aa9eb668e4c4282e2c4efb655a

SHA1
2a260cd78067ce409db12b8ab02454154e118601

SHA256
fc0bde57cf429a20f236102ddba6e3111e2e9a08d2832a429b1ede3849b28ef3

SHA512
d95e4115d03f62b26dca54c83c82f408ac630bd49d290079cf1e95fd7d899cd2b44e9c864d5b333d262306b83ade1226d2e52a83d077546276139848e611a48b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8e4581074745e68a1acc5430f2ea431

SHA1
4b6144a701126a035e1c8139ad90dd900e87bc24

SHA256
52f82b7abcab002f906f12b7c3c68d96c504a65473ae127088319c04ab441d58

SHA512
86b934772f8bbb1acd5d70140354dce10254251d5248bfbd4ac2afaa692cdee5d689844852056baa5c59f2bdd8fe8548381c5064e7686efb00a35231f4688999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f61da4add1282dfd4a331aaf52bf76cb

SHA1
ca83308b86aeba721bfee185a58a2f850d7f7570

SHA256
12506cac99d36e2cde0a988305f52efc10ae5a680737833b1146a1bf213e3eb4

SHA512
668b02f56596b4437b09910c623ff40bb8a8a72ba45d2cd62a99c9c6947453cd5e450ab93ccd0f121afcfc1b699431c4334065d969a1fd55a43ab7830c290e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b2ee4cfda4f5ec3823ff101f7161974d

SHA1
a6c4af119e42eac0b8cfb6c0df586582afdbfaa6

SHA256
5f0933ce2fe6183845e05cbe0faaefffac42a67936c420c72525354ceace9e07

SHA512
53946c3234d2af2b5ab7e2c23105af2d096bade4ccfe7b7ee9e77493d091f34126e363c2edf4af04c4dc5c23325e39a491d9a1f4f7e2aa04c359236a110565ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc58d8f9dd282142bbe491f4fc0c1f21

SHA1
938b454a6c90a321d0ec41cafdc050a81f03b155

SHA256
82cc51ff4b23d5003571714d9e10999fff38a653e02f6fed6b181943ef841a8e

SHA512
b849e400813d56e3de9d7c4813234024f88470a0245aa4220c71961b2e3e9015bb218ccbbb94c0a09bd82155c837b93343697252f519a362320622cde0e24f0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
304023e1b12316c051542ef9b82d1cb8

SHA1
e22e03b6b8afff499c1eb620bb0484112de36e0a

SHA256
47fec93fa0ca4bf1a54f8e4f4b71c9d2d2d7c470abee2150813fabca35406b5f

SHA512
15af0a5af6c536b4c1a6f991df5e69259606fd4e7c9780c13ae8c9a0c2cf886c10485c3b2828da452fb8476c0ee0b12131adc11a36f134b8b0a29187cd6cc053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0832cfb544d0cf48d294d8b8e651123

SHA1
77e2bcb993e4be2445c94ad3131217b94fe61278

SHA256
a0d8598398f4b57fcf191f45bc309ef4f0a383a9ec9d8faa340cc0ce63d1f6f7

SHA512
cf7218393d7266d55e80a70f1922e569bd07e875db5ce8d5772c16a3923d0a938b98d5c83acd86a0106beead20b1707acde35e705766e46400557cbd1518b805

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03b9c8e7bb2913ad528d9ff067ece7c2

SHA1
789d03ffef35df4ca0897cc3a76cf795f660f47f

SHA256
55edcb513b0d0901f07ff73b4a26691438708af3462d3e1735efcac25905734f

SHA512
b76d7a303b1677da8d24ef859a9b2681ed3c237339737c96fb4e4d6cac03f496fd8d5178ed7adc8749182255dde1cbbf9a6aac19d6d3ccabdb6ad937a2047d3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3054eaec03164c82387fbc5f33056c2d

SHA1
71784d9af541aac5ae9e1e4bce28bccd5e49d090

SHA256
66a8d95f6ed508adbbf0998252ebf4dbdd01da239df05291157676a60aa7de05

SHA512
1ed8b6b45b5d88127efb96d74a00b0e2c7e2065d2f9f63c436d8592ea6d91759cf110eee2131db343aa4594a4f8eb6016e76adfec01bcf68cd4f2c653732f612

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2A2F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A61.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit