d1daa8dcbbe3cdbe4ff97598d8b93c7c2562229c5c081f35068d6a66a8591035

Analysis

max time kernel
134s
max time network
140s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15-08-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factorial_sub.xml
Size

701B
MD5

42b28d156719df282309756a34c0a5bd
SHA1

c1ba8f4a5be9a80da380901b4a377bfcbcc7b9fb
SHA256

4ff932dab9bfc11b6547349bf0687eba5c093852ec21e41c4e7fc8815ee8f348
SHA512

f0b11389dd20aef4e9d291b60ee5501eefbe1f62da4b66ae49104733e70e0bb3ed97fb676982e908f3bd9d1b450e0d222ce7e856270ef1171aaaab399c1c8962

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae0000000002000000000010660000000100002000000051ca82f2262802e402f65ee8308d87ff1b588e53e7af2f6f29cb46faff882005000000000e800000000200002000000055015325e18493be2a18358f153c322ba359280938d74ffa6c89bd089845b0449000000062ef9620a3b576982c48a6ad9e6f20b475cd2c68866a059db3181584288633df2148f257692a014f6888e35879a306dab4c1c3767f86179bb4229860573183d37675154a4e825ff966d07e4ec2036528f68627f6822b8ca0f7e9c0f59e6df59520efd4ac9b647988b36d0707e7775ea3829993f6f7519984a61dfae4de9584bcf9178f089c5486a88473ba89e480322e40000000c792316eabf0986b2e76ef90e65065203c9d6d3552689909499d16d47524a18ab7b6ef45b57c0955b084f9ab7bc1823d5695cd9d1d5c869977877411622dfc9f	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000e94dfdce993eae55936763a14c369bd0c9ef70f180880617224abb6585b9a96a000000000e800000000200002000000064f3b69f2f7e32ea7f310651930f7fcf8eaa989d243bb21c99f467aa367c05c220000000c4fea8c6b3ea035a0b6ead83f4f9f1d2485877c1beebc4bed6a34c97931c7e9040000000985c72d744b982fcd13bf74d3a220f1b678334e747692e9e32d27d8cf8a70c550e2cc75425bde825afe1eb162a9e51cf52cba7c4da28ddcab830899b1c1391ac	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e030eb0cc4cfd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3835CD01-3BB7-11EE-AA18-76E02A742FF7} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398298731"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

3028 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

3028 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

3028 IEXPLORE.EXE
3028 IEXPLORE.EXE
2988 IEXPLORE.EXE
2988 IEXPLORE.EXE
2988 IEXPLORE.EXE
2988 IEXPLORE.EXE

pid	process
3028	IEXPLORE.EXE

pid	process
3028	IEXPLORE.EXE

pid	process
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2456 wrote to memory of 2984	2456	MSOXMLED.EXE	iexplore.exe
PID 2456 wrote to memory of 2984	2456	MSOXMLED.EXE	iexplore.exe
PID 2456 wrote to memory of 2984	2456	MSOXMLED.EXE	iexplore.exe
PID 2456 wrote to memory of 2984	2456	MSOXMLED.EXE	iexplore.exe
PID 2984 wrote to memory of 3028	2984	iexplore.exe	IEXPLORE.EXE
PID 2984 wrote to memory of 3028	2984	iexplore.exe	IEXPLORE.EXE
PID 2984 wrote to memory of 3028	2984	iexplore.exe	IEXPLORE.EXE
PID 2984 wrote to memory of 3028	2984	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 2988	3028	IEXPLORE.EXE	IEXPLORE.EXE
PID 3028 wrote to memory of 2988	3028	IEXPLORE.EXE	IEXPLORE.EXE
PID 3028 wrote to memory of 2988	3028	IEXPLORE.EXE	IEXPLORE.EXE
PID 3028 wrote to memory of 2988	3028	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Factorial_sub.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8b19b15f9940839dac9e833c548477e

SHA1
34094c7538f025e8aff8a8446a02da7e3fa8548e

SHA256
9dc42fd8f8446b9a4ef004159e2596a4095f45afb2202e43ab20f86fa56d106d

SHA512
408d4fe7dcc8c290798ff4c6dc47b3e4a3796337df593455672d80aaaf79c246222294024531b248b49c2e03f5908c3e6e663591d1c114d75833736718940262

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc5294b0d8609cb4be264cff92e17b0d

SHA1
70964665bdfb0d250c460ffdd85c2aa46db966a4

SHA256
1dbcd26b7e278b35f6d732f6db61e1a6d8a4f1f6874d9dfd7b01440f20370aa6

SHA512
f6e6efe2d689b4e3d1abd4968f74f34b12acbc7ccc657f306e570c9bdb4bcc4556c739cc4bbf027df584aaec12cc612c9468143bb4d96465ee161e38c49cd872

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d4fe3c71ccf0f1a7430d3677da6448c

SHA1
034a9ed04a7780d5424f0164099c4a8faa5eee2c

SHA256
acd3cb405dd61671988c5e036a4967a7f66bad0e9c693a4dd9e5dc681f40d775

SHA512
c9d11a32db61599c6f1d1bee76eef13f6fd6ab859c0412104a9514978067398b71b69d6f98f7d9da7643b585ab1ad9e873d3b5d4692ebf8d3b223e9ea33ddfb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d8dfabd38a1464ff308768f31331fee

SHA1
17db4a1f78f5412d88b990765ff89889dcac7d11

SHA256
c59ea262e8af759a1c1ffa68d6398c43b3c90d955036529b0d9540e144f1efba

SHA512
a4f3c9c2feb14838d7618bf448e543ed7ae77792674303444a1d323a8524ad3c1b99cafa127daf3d5bdfb5c8d34a9c4a8ae1f03087980006de6f02f2e167d5ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad1892f995d1900a40d6b2ea9ac6bf95

SHA1
040fbf6194b9daef3a2b5966ce20fb6587d9aee3

SHA256
6b2e7491bc586db4f932ed2dce54d8114674e0251194ea7b81987eaacfca7b11

SHA512
a0ee9c7842ebd256f0f2b000f7919df642ef838643da960f06909f24ebf3331605100fb577e36513e65c2bb415150e8e3957d462bc9b59794c89bcae0e9165d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d54f837f0b24c396c1eea08bbca58df4

SHA1
321dfaef2f20499bd83591c273b4b05aa49e429c

SHA256
6dc228b1666326597bffb2970d18f00927ddb1b9ab1166ff7062593398d0caf1

SHA512
e75b2e36297b08bbec931f439cd882854839baabe71331ff9ac83b5d7bfd185c4dede6ea01a81c45178692b2d25070a4f19d3fee1663f33974e70a6a7fb47a90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce8be4209878100fb88a200e780687d7

SHA1
3898175b5aaa4b1135a660e23996fda6c61de62c

SHA256
e5e15f3eb6a288cd850595ccdee8729100aab3c9be9061aac23cabd5e868d41e

SHA512
416948156bb68f85903baad2408111b4eed3f0ae7f001427bd83ee7a708e880eb696c3e552fe6acadafc9568bb0da0c89a44dc7f52f9960d28b7553949c0b7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA335.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA3C4.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit