6dda51e294cc343b50106676ad5708face3cfc7f16d99f69a34e4b3b85c632cc

Analysis

max time kernel
159s
max time network
181s
platform
windows7_x64
resource
win7-20230712-en
submitted
18-08-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

floating-sticky-note-selected.xml

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000661b20a3f935fbe9f2dd9641e453c33d43f29735cff7351dd68f9f4405c3b7fc000000000e8000000002000020000000dc2529d82e84a8955f41ea3daa8cd8fbe14e9ffd8e06f9c9825bdd2c23c1660a20000000729498619a7cdd6e9517824d0d87f983ab47476da6bfc8c7abb2c68a1d5b7f0c4000000062baa55a8430777c963e6d9f62e522b6e327683030256b8faafe5e469619c30f5ca4622a397417066fa491ffe1b5184b9af41f67189e3ef66d72dcd632858be6	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203ff18c1fd2d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000d93bbfe45a219f9e662c91a12a3c9888d81b19d73c5957d450541a80f401bd62000000000e800000000200002000000034e807ff95fd5174696a10c049577eb1ead443e85a4017300246fc81f363dfa590000000f3e51772dd04a8f2147fb0272259e3f7a17cc4dba1e96a71f160d6e67368a9fac0ae55cb889362f464a6c45451f34cfd021b52fe426768384bac8ff6f5f57337e7b5be2901363f29a3a97682c4344003e16ef0a782d22e897bdbd9ea6cf1f91be9ec5164751d1488f9df5aea4ee78becfdd7fe17bddff9051c742f99ac133f28051e7e6e008aa6e1d579a5e7fbe827d240000000ba5c17272978ed6a77ec8d78134d4ad9c6318a6b91cc5c3648f5542518a97c2fc1860049e6377560cd209980b717c14db3271aa81ff1a6f6faa7322b96d2fc0c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398557934"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B8586BC1-3E12-11EE-A656-4E44D8A05677} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1640	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2700	2836	MSOXMLED.EXE	30
PID 2836 wrote to memory of 2700	2836	MSOXMLED.EXE	30
PID 2836 wrote to memory of 2700	2836	MSOXMLED.EXE	30
PID 2836 wrote to memory of 2700	2836	MSOXMLED.EXE	30
PID 2700 wrote to memory of 1640	2700	iexplore.exe	31
PID 2700 wrote to memory of 1640	2700	iexplore.exe	31
PID 2700 wrote to memory of 1640	2700	iexplore.exe	31
PID 2700 wrote to memory of 1640	2700	iexplore.exe	31
PID 1640 wrote to memory of 2716	1640	IEXPLORE.EXE	32
PID 1640 wrote to memory of 2716	1640	IEXPLORE.EXE	32
PID 1640 wrote to memory of 2716	1640	IEXPLORE.EXE	32
PID 1640 wrote to memory of 2716	1640	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b9f957168e9a74e5006e702a916ff06

SHA1
185eb993d318b5eef703ac7a05e7c06d9c6f5566

SHA256
23f0529c0aba07f6bf9aebd9920be58b343ce1f39a8421bbbd7a04ed0fc2128d

SHA512
5e2b77136aa86a87bf38f2b7db6f696fa2bf25165d44107052c9d47373242c196f3508e221c8fae8d20d0edbeded096214264ccfcaa8c1e4e23a6592064f02de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8896f00107644db6b39e4b57228668a8

SHA1
9049bd185f75942492048c23979be0238dae84d1

SHA256
1e9ea1b728a9f78b9433b99734ca91f370d6d60652d268923ef21116daa6b07f

SHA512
41f6bd60f43ad4bc387516340d16d8afbb6d31ea1452d7cac8da5efb563208fbd6d18493ffb1b2af63ffc5c2ca132a0c62a9b6f711cc74a54b10edc197b86ea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be88c2d0372e0419e93044c8ddbd999d

SHA1
f4fee66cae864e1c9be34e2b89328972beb1bf33

SHA256
1a09aa39673de2f7dcd4e05a2afa54030a18544eca2d9ffbf1626c92bef91155

SHA512
fb2fc6759e346d275d8e395c0d09991e1af4fe8500cef97b3e39ffe730aec60d67ee3ff3ef45cbc3d09d822fd65d6ae9175ccd49bf03ba227fb995ef6fed58f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50f45c42228e533fd11faf3fa7df7ef2

SHA1
32cdba461df6a3daa04cb774fb13440ff2cce49d

SHA256
b7a3cf44e6c08a796ed66bf22901ea9847204b66d96840f58bcc6196c5fce16a

SHA512
f5a2510e5f2960d455ba20b5469928826eb7a1ac2d4036f491b889b45550945524a48f21a55a148a15a84a2084dbca614ba2bc6ff17ff706491940a95b3ab46f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b81c87005b60d0175312ab830b3f0c2

SHA1
4016e085dae32d5b16f1aeba2a86ef6663941e99

SHA256
83b1b96bd5e7c8a457336848946cfa91d09fe44e6bdcd464adad7eed6a9180a6

SHA512
24c3f3aeb93e049629e5d4ffc397886473f41c8957bdbe319c88c34ec79049a65ac98950a93125e831201e5b6ccf216e03a68a10e56dd67418ccccfed2ec4f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
180735a072fbc0a741fa0192dd135f67

SHA1
7ee27e8ddcd439cbb5eec832fdb373d194c7ec68

SHA256
434a118aadea9ea9d518c42af2bb62e665870fc7deea982c86028c516ff21290

SHA512
eed4e6a2a8a6e0f11aa790459166c45f6dda1dbc7d7878061ff127895ca7350bb59c8f1dfe9e2c9a1ee5bcd40f379653f8a226c35c2892f93a5491391642e2aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9618d0e7e2bf85942ca2050d40705fc9

SHA1
859f59d95507daf25572752837feb9c707ec7929

SHA256
233755f58f13f22b8edfe608f08aabdcac0bdaa4492ef35ab8dd4b3c864f08bb

SHA512
a3a993f50b7c506a62ebc797e89d550453cb511713d6ef0fb971686f277481db5da12b664f66d890b9df49e246aea95e3241484e6fb9f9c104cee387a7a8e1cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d049542fe50886edbfcf3b4c7c0b50d

SHA1
0787f9dbed70a147013abd701cf2c8d2e7488690

SHA256
0335d67a8c0315fa697fd9be510b5a3ab149f6ad6278459716fa03a73fbe55f9

SHA512
91b3db264f6e283f101b31cf53bc1efb98ca9438a93f0eb6374c9890eed5f47b772c70a6c877b19a04f2825889877a866a632cd20433a3d55c8b5123b72c6b36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e61028cc22594d36211a30a6560b00d1

SHA1
a8b19e88f1493423c96c9b7ce856c9cf24459410

SHA256
7b6462c87d0e21e565b59820aa3fa58fafa0167d84866ae5ea190818f4c90328

SHA512
deed49b07cd3dde5a0beca62cc2a444f774993d3a13fa3deb8539e0486ec687a440e302cfdf64f1dd82485bfd78bdefccd19911b0bcba0eb729c3d0ba86e674e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e55c070c6f6332cc5ec5bc5d4acb17a

SHA1
69006e5da19f7fbca45525375d627aee90512045

SHA256
2e944ddf47c493826a949dd74e640325a8fa191ffd48d11a0fce61c53848cdf3

SHA512
11d457445b0e51348c0db888dd4bc4eaeb13048ec14673942652392a7d567256ccdcc0643d9cc665feb3abc6e10200215ff85ab347d853650f1b3b6f54c6437c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffcbce8a57a28fec640e537a127daa42

SHA1
8b827ce06723a1ca53613bb19b785c3fde83116b

SHA256
b2399de8d612154b1e2b0e796a60661fea9bb88b565eee5bd3458492809fde04

SHA512
8cf706b666a44a8026654aa01f01cbb7723957da395b33612b8f6737ada45dbcfa75800bc46ebdd06259f358d0ea645694441d0a5e63996c85f6e353e68e6cd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4eadfd2b06b5bc38cfb3fbc42d76e09

SHA1
3d39ade89c6b7fb147de247073743282cc72c74e

SHA256
fa5397c8a6a0710a8a8c59fd2993c272cee33fb99197c55e43eb1b664070c788

SHA512
be7157d5081266a43a0ccbf88a84dadd8af8c4e4a6b69b2c327e7178022a771cbe3a783197147c1e235b075bd43de0975883bc2796736e5d94d18a21d4831e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0223651c852f8e030c273a68a2b0edec

SHA1
fee1ca5e56c5d550597ce64c11dd8446b57313c1

SHA256
1fd7c7162a712c71e129a4985cf01f5ad38a4d66fc84ffb94dd7b4efdd882a9c

SHA512
e18739b64eaff758ff499a4d3e899d6f27b5ba0c9101925ef1f55870701e3ca6df65d4a315730bf52a8565db7b3a6ab50871623950df34c5a80d84162107ce4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46fadf1f42cae6371b79761608818b53

SHA1
3add487996433447a3d9a0e7c19eb6b9431867db

SHA256
89cb8f2b33eeb91e2ed3ce7ddc1cb7fe31d9c4dd7199c8a979d335b21c6bbac7

SHA512
ae27eb70e3ff003d2b01ae87da34daa92faafd9f03c16c62c708628d5b3dedc9540633fad1ac6c89b4f738c08c5929a07cd2245d41d01b4887539a2a087b3591

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FC8.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar304A.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit