d1daa8dcbbe3cdbe4ff97598d8b93c7c2562229c5c081f35068d6a66a8591035

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15-08-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fraction_sub.xml
Size

494B
MD5

d4a949fdf52952cc148069a5ab1cda09
SHA1

9bc68bfe31966146161e4f1d3904fe2837f9f1f4
SHA256

b25ebc2a6abee5348d57ad2252e356b421315d3134c4269b13a221320cc4f4eb
SHA512

d43e6e1cbd47d3a75cfe821b2cd6836f4e000f482567cea9f97ec5f949fcc690610d3b9f59c5acabbf5ed222658faba0e604fe5859de6a94faece50e2b1845b8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3985A591-3BB7-11EE-AB11-E66BF7DF47AF} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6035420ec4cfd901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398298735"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd6900000000020000000000106600000001000020000000dacec790b5e18d908beba82540d3d194a2062e4b32b93b647cbff2eebd147627000000000e8000000002000020000000de56a4332abc013ab00506cc92aa795e4176ed89ea0b0f45e63d52a4b13461d29000000048b597f8c48bbbcbbd0a146a5cca3bee52fc8988d287eb8a09f47fe2cbd1f6a6df147382f74d5c7e61bed8bf9247ea3125b86ac4f1d01396ff61453cc322da47b8fc761dc8b01fc3e4966e88b111708992b1c93f0b9d6f283f0967ac92bdd7a8a872f2d309db8eb5a33d715fe7378f58e9ff3d70dc322921691cfead6e2d80a67eed717175baf49f201c904f84d078f240000000263c0de2efef61612b145a05633d63d1585922602c0720f44abb359392a871aeef7c50046601d726d3476afce3aee14a73e557e57799c0964a4945b603eae516	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd690000000002000000000010660000000100002000000041326d96189a8017064455a1eaaecaba75f291d5b951f94e3e6499a5171230e1000000000e80000000020000200000003f782b1ad3ee42c2099cacb2c17d3dba5af28b17175a4857fa848cb07df808a6200000001dd668b6f7d44b528854f3e9b806c679fa698310630d40bed4fa8ff6952740a040000000fcf23b478c802a60c9d8f69eeeb4a6de62ae278bb95218ab537bd4397013e7c88224a4e15fe33da4256128d59b63f4c725adcc20a399f29252a533bb3bb395af	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1356 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1356 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1356 IEXPLORE.EXE
1356 IEXPLORE.EXE
2764 IEXPLORE.EXE
2764 IEXPLORE.EXE
2764 IEXPLORE.EXE
2764 IEXPLORE.EXE

pid	process
1356	IEXPLORE.EXE

pid	process
1356	IEXPLORE.EXE

pid	process
1356	IEXPLORE.EXE
1356	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2580 wrote to memory of 2368	2580	MSOXMLED.EXE	iexplore.exe
PID 2580 wrote to memory of 2368	2580	MSOXMLED.EXE	iexplore.exe
PID 2580 wrote to memory of 2368	2580	MSOXMLED.EXE	iexplore.exe
PID 2580 wrote to memory of 2368	2580	MSOXMLED.EXE	iexplore.exe
PID 2368 wrote to memory of 1356	2368	iexplore.exe	IEXPLORE.EXE
PID 2368 wrote to memory of 1356	2368	iexplore.exe	IEXPLORE.EXE
PID 2368 wrote to memory of 1356	2368	iexplore.exe	IEXPLORE.EXE
PID 2368 wrote to memory of 1356	2368	iexplore.exe	IEXPLORE.EXE
PID 1356 wrote to memory of 2764	1356	IEXPLORE.EXE	IEXPLORE.EXE
PID 1356 wrote to memory of 2764	1356	IEXPLORE.EXE	IEXPLORE.EXE
PID 1356 wrote to memory of 2764	1356	IEXPLORE.EXE	IEXPLORE.EXE
PID 1356 wrote to memory of 2764	1356	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Fraction_sub.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
98ab65730257c52c659d065326658a60

SHA1
aeab895964197e2200d686f38854650020c43695

SHA256
7f72c7e3b58c2e770623f4185b71eb2ce5d25ae1d30c2cb9464cd474de577d88

SHA512
e800a1fef9b5c0d2dfd3071d46cc5983ee88aa1410709b4a9a74e7544d62dc9feb503c7c13a21834fe1a74b71299c114c9ac853ece2fe98e19dbc69c55516476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac1be2b91e2978aa53561733202c47f3

SHA1
b396de5751abf8dbf18a83ccbb27be7591546413

SHA256
fde36b5ab664f01fbdaf252b05b87ffe10cfd8c35f784370964d3851cb820222

SHA512
4bb0dc41c74decb169e8db50e72d7c43f18141e4bc8062a47faf82eff61141573cb366b23edbef289ff92616b8681bbe402363d1c1ec9b6b48d286bab827ebba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c46d69a67b33ddc7fa5cd93fdbc73048

SHA1
470be652d12e8cc114f5bc7cc82a8bb04eed4fb5

SHA256
a7263a083dd82cbfe08a8f5bd462befff8572c017f22e1b12684a585182d9909

SHA512
5e32035782ba40ce9cf225deb7f151a8c2e7ae8a1efbc48e1b58188d2b16d6c5bfbb36e8b800937b457a582074d87acbf339772a4d71f4007cf4765e549f4192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
238ab358d7f4b0b2551b84e35d8e3a5d

SHA1
78b55f56b1097f07de1cfe49aa6afc015928a48b

SHA256
3e583551d5d9fdead6ccae9a3b82bc92cd652bd994628e933129ba1edda21933

SHA512
fbe3e63b77be53f6303991d4fbdcaa9bb45b2575da03270ee3894227d520f1c1bea87df7cf4bed040760e0bab03ec8f2321da88a59fa212589cac98b510e5ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6935d812caf461a97cc89ebc3daaa6f

SHA1
a73e92cf5e09adeff47a2daa2762fba59be74eb2

SHA256
59302d286dc28b51519021ddd042a29a02eaa4d0db9c3febebfbb8e112d673ad

SHA512
417a03dc548fe72a12b85ad5a03db77f6c6a82174a0e3fe8ceca8566edd6795010912d9ac6b9c51be038c979ac5e04a881894206b39a826451f24504af0e306e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b38d95bcefd0274f6cf9d99b9570c575

SHA1
83208b3176eebfbe15ac68481525a2451ff2a217

SHA256
124f15eaa180af4d4be3360b867d04dbaa1828c0f7782e4616ab632ac3ad93c5

SHA512
feb91a6459a3f588d9d06d0791c482dd03d16d37ed3e8b8a6063a55391136a5f72e275e805558fa3047653428845e415a5a8aeef50539e3ffef7d471fb400d14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52a7537fbd6e5228c15b864f78ea4a8e

SHA1
03e2dbe140090d9004665e08f829e684c117a13d

SHA256
79512b3d7996077939cef95dead93d36cdd92fa25c3f7a09e028595dd60dfc02

SHA512
a932fd4887610d3d1544646a5d5ed3fe8d26fee92ca378b66f41ce86a41cc4e1d8ae3f44436ad628f31a0272da7e42cdcca11851eb77dce61eb554d5ae5d445e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57693f7a0c6610c0c66eceb62fbfaeea

SHA1
8033b533e6fe5ba87dbead1cffb266183da49cf0

SHA256
286c77d7244711f26a13cf6942b6aa9d367bd42c4597ab2dde822063323555f4

SHA512
1b94f2bdb35f702215d5a6dbfbf6af566d684dd85bb58bacee0edb47eb03bea4f3e23f9b9d48dc9d3efaeb3b8179597e7d631b314296f5659c8f606e1bef1d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ccd9c595b75087b20a1cfe71193f0175

SHA1
946d2f5ceb38e556ed4ccdcc1061e44be3b858e6

SHA256
3a7ddb42322106444737d967278afee4f5826b72dd9bd4d0a824c0faa712cf2d

SHA512
2dc11804f3dfdfdb3b357c011b75ecff147616fcafb2103798dbb945a49abda07174f829a2e051feef533f0abc475be479c00bcf9bd10a6cfbdd7b65b4bff88b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e1fb52bde6a8ffd362af256f40e2b26

SHA1
8d299c104cd11018b3221d4615c45f714275876e

SHA256
11ec0da82cf16d1246648c803d833f6a9f618266d17853e2dce322562c952ea2

SHA512
0bcf7ea31f70ba3af943d782fe3ce44678f116d58394b3678a8f4d3b03a587c4ddf9589598e42c663f346300daef743297b5cd0f78925564fd9eb70ed65fcd35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f37a7b70fee661d26f7745165e5adf3

SHA1
f22a997e7dd1029071de607e6245a0bc9e1ebba5

SHA256
f64eb6a0d6be5f08104d7c0665f450fe6ab606ac52fcfff9a37d49339df55cee

SHA512
17bdec38f51db00993bf6cd45f5b29acdf8404dec5b1dbfc9ee67d991c6b3aeaf4e391af227dd81cf6d1aa916ebf9c399debc784fe298f520b363def743d3842

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC342.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC43F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit