6605639c5d04460247a96ce6bd095176060ea77fd5279f8e4ab4a4dfc3e28a06

Analysis

max time kernel
134s
max time network
135s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Player.xml
Size

232B
MD5

cf4b88644dc76c7c0a55c0ede7c0d66c
SHA1

82ff7e74de6e661e557cc52cda957701f355ac15
SHA256

6605639c5d04460247a96ce6bd095176060ea77fd5279f8e4ab4a4dfc3e28a06
SHA512

03009bbb4ff0facbfef440dbde0e9d068534a752a1da4b7e1cd92ecfc43af5d902a229a9f582843975612071a97d58df49a11b94403eea981d98748cec18a550

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5B937121-41CB-11EE-ADD6-5E6847EBFE3A} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c000000000200000000001066000000010000200000007fd21d06f16d3ec154339f399d2d05170ba13a5406bf7a4a5f3217169a6a0663000000000e800000000200002000000068c73a0db3bfcafa484368dde85fff8960f0fd6161b6e27a2ddf3169ddb292da900000005a665d2dd0052e03cd0a2c28cf55cba8ccc50e2a153e6338d918c3f010060ab888a080851b3d4e1bc69634ca859098af9780f8ea2e5b84e6f67f6dc2798701d2721aa626598068ea10f76668d7d6c84b3d6b291a05da9aae0df074011b6c40b6af2c8452688fe6b7770d59603313174e714abe23e8ebadaf07c78c154ad413c5a62fdea81344fe36ee1f18357c3416da400000000838ce7c065315acf32687dd1dea319a6f352c281146cd5e0e7892b0143bad0f70a14dccf16d5430f86c674117b7fa6471210e04c690aca79c590c34f804bbc9	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c055d530d8d5d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c00000000020000000000106600000001000020000000b18aa82902e12f1d7af7904570f1b633708ad5dbd4ac1ceb3349195354981620000000000e8000000002000020000000f39534ce66ea52161ec7808b779fa171a34cfbf510b25f08c5e04cc9dc6a013f200000003a155d0b27498f737ed931130d9280c69f41d3eb7d401e267ac795beb192108240000000bfb37f0595f408d419f41f9819f3e5d797b8b39cfb0bf6758c07b35c6e294c6a09cdc7d86a48fe4feec2d5b85de54aa7dc6637c7dfd5e9134f8492254f5eb59c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "398967086"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2420	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE
2236	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1384	2336	MSOXMLED.EXE	30
PID 2336 wrote to memory of 1384	2336	MSOXMLED.EXE	30
PID 2336 wrote to memory of 1384	2336	MSOXMLED.EXE	30
PID 2336 wrote to memory of 1384	2336	MSOXMLED.EXE	30
PID 1384 wrote to memory of 2420	1384	iexplore.exe	31
PID 1384 wrote to memory of 2420	1384	iexplore.exe	31
PID 1384 wrote to memory of 2420	1384	iexplore.exe	31
PID 1384 wrote to memory of 2420	1384	iexplore.exe	31
PID 2420 wrote to memory of 2236	2420	IEXPLORE.EXE	32
PID 2420 wrote to memory of 2236	2420	IEXPLORE.EXE	32
PID 2420 wrote to memory of 2236	2420	IEXPLORE.EXE	32
PID 2420 wrote to memory of 2236	2420	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Player.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e3bd6b72405cb63ee4d8a1e40904e218

SHA1
02339921bf9977ddeb5d6df28c35c2a95ffebbf7

SHA256
860b64256a4840e1c4d4dd7013116d8080c3fc032964715fc095a938fd06172d

SHA512
1a563e92088a2733563a67db101a79b093ff0e2176754d3d4e07bf51a02c9c79b39e03832571dce10bf58d20b64bc46119289e85eba96ffac81141025d2de0f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e104cf369fcb3248e00e055a540244a9

SHA1
1ae22871c5201ec432649010f1a2debfc99b1dae

SHA256
fd3a720733fd0f1ab420d40e0ead589c1c93207de2db232a813df29b8fcfb93c

SHA512
ce85af3bd685f733509a3103821ca82d6ae275ac9c3b4a13563bbafda8d5a914f988b5fad4fadf0491eb65de4ae37fd7110cdb45339d961c090076af8edac0b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
788b85abd67941a6127d50dc7224b488

SHA1
5987bf8b4cbbc99c1a40f52408674bf640786fda

SHA256
bf69d564ad1157f06b26e33db2eabf3dfe9f6efed33f37895c03840df4ac6092

SHA512
81658063431d91f82df823baa9ff5110e156d6af89f1434c178cda070c0f4e192ea334e794138823496d9aea31461fc0023e291253101bb9473966cedc8c7240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22500046aff3d7aa9c3e206deea21845

SHA1
d99e5241655f8e756bb9f104be479e5a40762730

SHA256
562c3e678fd24b0ab69b7fce95c287ccf572b3ff5763513d51c9f3f0893c8874

SHA512
f4e099964b221fd6ca32d663b4f6dd61cca91de59ba9f7639b2650f266c049a8ca54971a512f2b01fe5b0f42ffccf0a1677f2afbdde4a9ecd05131efccfbbf63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cc1bf8752cded3aa1d9fc15f18a7e9e

SHA1
be0a4fad2fdfb3cbdb75c5d7bef27478b838121e

SHA256
14225ce7239be127159868bd0bd256be88f8a7783bf4ea208df56a4a3dbd7b52

SHA512
4e81433b926358653c3579da3e5d10515730b0b2ccb8415f4568d380974fb57b885a78c5fdd3583fb2b103c9336efabf989bb3f7e60e933d2ea3d4873a7c1d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f04b943b5c51a5cbb8cbea6a5b3e1286

SHA1
639a2271cdf4cb818699339610959961696c9370

SHA256
c0cbe128a3df77a5872dd95acc8c16e418601e8ebcf341eeb78120972be5971a

SHA512
1575a54bf0126c5376717c122aa95363acecf33a71eed28a2819a63c47a27077db1713551b805be95bf25594d6a0808d83f1b6f1fb222c79a56c83bea6bb168e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3e86e13ba906cfb21d64fa975fee63a

SHA1
ea6207b9be2c965fd0d6ddb7a6f9e74c6173f515

SHA256
edac8440a39436b91fb3f28c30ec2cd86f610906c73ffe614e3c2caa8fc05a96

SHA512
bfdeb69afe6e021cf157cd3576de11f3f81b48428981d0d9fa68004c59d8cbd6609f87fadba50963ea6ed48c91af67cb3973fa7d74671f2fedf5478834e0c8d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
973c05a9abcb9c95083ac22474d95c52

SHA1
e4b9f885e676035f9080f1795f820c201afd78a6

SHA256
1835172289570d2a7aede40a86d480bd442ee629ce284a6c589c1156b1c8855a

SHA512
3c633a4671036378509fa506d231c1e384d7c01cbce468000e33ee9bcf7124381a629b775845c11db231db1df57be1726173da3b6cf9e70b9eb422a33ee23581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
419b6ff39bb583f62f544f0827282ba5

SHA1
333d304e3bbe650dcefa2f453773884c4639d382

SHA256
fb56486ab76eda5ed31a8aea6970b9365b430bc9e53cb67365fc945b04deeb2b

SHA512
78d136ad24f3e0b8a56b1aa65ef0bd07b58345d8b8562c3d229c0979b03b50cdb4240563b03561d17f453cd8faaa9eebb07b4f716afcb633b1b40a227830ebc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21b9a9728cba8418e8154560ec98b18a

SHA1
f63ee9baf5dbdfdc7ea0b3c4f63bd4818f1f2502

SHA256
e1b4da8f8acedcf7ec115c99e35d45d3d58ae1d908d7ca9eb695924fa05dfc80

SHA512
774e28e4f7e5cdb38ec656dd3eb2b955c72d4194d25cda9d7ab2a8e645021e2bf6f6afea9e3ef6e307efd474272780386a4f3d30f16b1911e06db372194578eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53b3198fbcc5f4cc416e12670baff60f

SHA1
99c2cc68a9879a5e29f22293bc6d71542a816a5e

SHA256
3498ffd18b272c91b4d5df75c081f52c8aaf5a4048cdc37fe48d0903c294dc19

SHA512
499f3f828ea52d4901904c70b51c3188c8c35c7d4ce18e8a7da064ece97e27ea0e292bdb0d6de0d2237fe58cbc72644538065dcc3b6639596df02966cb60c092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d339195dba0675fe9e15ac2cc8ab9370

SHA1
e58ebc55b5b8d42f8711d2f936cbcde5b519f41a

SHA256
a3bb9529f1f8142c4226167f581082d6a5f22d65116555dda366fdfff4135828

SHA512
e7bb01e77b39973ca5fea843e82f2e85b4b49a9258f6f747f958d3fd01e23a06a0828e4ce21bc5f7b82070b2cc47fbc10ccab572ca2df804c969d71b5effa9e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66b885d8f71ed221afe44ab4b72a7732

SHA1
71913871abda95efd9c2aa044c51c82b33c21c4a

SHA256
cb34f0b639273d28c7c87ba3a79924728fd7468a00f0cba9cc22c6e136a12517

SHA512
6229baa0918d5ec7daa193ec6c22c5eb78484499a7b2ff2fc30c163f66b087f56dfa8b6b63041d3331cceb85340b8eecb869fd1b898bebfce3e6d3ab5ad8b900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05bb80fa4e45d52c26e57dbbb1a6661f

SHA1
1ea7fb9427c6371eadf73d790ef538aaefd94bbd

SHA256
3744d3d6dccc8d2c68eba8ec5172c2888d7a429c6b06bb3f61a33d61f681913a

SHA512
c9518bcd2394b1f31c24007e4f5af735a890960f369922a2ce7b68a97ef4f5d483965558e2f4e08cbb6a05a95fea281a6563d820cbb27854f48f4da31cc6c93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB9.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF56.tmp

Filesize
163KB

MD5
19399ab248018076e27957e772bcfbab

SHA1
faef897e02d9501146beb49f75da1caf12967b88

SHA256
326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9

SHA512
6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103

Download Submit