0bf73ff0ac2e81d23a005b08f8670249528170bfbb249e38a5af809c6a56c7f5

Analysis

max time kernel
138s
max time network
137s
platform
windows7_x64
resource
win7-20230712-en
submitted
26/08/2023, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

floating-sticky-note-selected.xml

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b0210000000002000000000010660000000100002000000093cb9980743d26bf34778a49f3266dedb204d48c60012dc15616a21a368c99b3000000000e8000000002000020000000392e0eb0b58777dd64c4c7eb28109b5834dcd49f43d1411f126685ed80042516200000005172b17db0cdd1a68c1b295756f0e1bfb9687e2424ee952d27be94a04733247140000000bb8a58e6d1d32828bc60086416be2c76f98b500d165615aebcc50782f7d8f9b3bea5c6e7fee7024c1400ff8ac08959c032d150589e075303876da212d48691d5	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000006c522f698876749e035680879a53cda17612a1e272b7c8c0a5084f2cfabdbdce000000000e8000000002000020000000799b376d0c7c9bee2bdd5f967e5fa86508c561fb6ab5a1567ed6e0c581cf143b90000000333d1804d2fcb4576ea3996f0adead46bc64bcf37f6d70a23e6ab3fc5a2b2e90e907bc69f116cc2c977bc35dcbfeaa082a3afbfd09caba7b0bbcd5e07c4aad0d6cf61515494fa8e1c390b94b2d417f63b64d23d9afb265b88059081f67ef66c993a9f082cd8120f2b45b9304a7aba6b2f325a76438d83d46f2bef164d3d1b439b781871e92bc89ba6f69c464050541ad40000000b6ea0b0b64828a0fc616bedd4b8f99316d2cfe2d3ab7e143c3113905574f0003bd8b29e2ddc967f13da58e559273398ba20af4f0b96ab825af48f0cca1597111	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399249334"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{839D05D1-445C-11EE-AAA1-4E44D8A05677} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5029895869d8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2904	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2492	1580	MSOXMLED.EXE	28
PID 1580 wrote to memory of 2492	1580	MSOXMLED.EXE	28
PID 1580 wrote to memory of 2492	1580	MSOXMLED.EXE	28
PID 1580 wrote to memory of 2492	1580	MSOXMLED.EXE	28
PID 2492 wrote to memory of 2904	2492	iexplore.exe	29
PID 2492 wrote to memory of 2904	2492	iexplore.exe	29
PID 2492 wrote to memory of 2904	2492	iexplore.exe	29
PID 2492 wrote to memory of 2904	2492	iexplore.exe	29
PID 2904 wrote to memory of 2824	2904	IEXPLORE.EXE	30
PID 2904 wrote to memory of 2824	2904	IEXPLORE.EXE	30
PID 2904 wrote to memory of 2824	2904	IEXPLORE.EXE	30
PID 2904 wrote to memory of 2824	2904	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\floating-sticky-note-selected.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffe1879ccd11c900c4f8dad4cf315160

SHA1
d3095b29b92b7a801fa71c1873eb154ec645f843

SHA256
25ffc686fcb03743b1b0835395e14d7b771672b6599138134b3148bb2ecaa4cd

SHA512
f4b03c5452e9b2533b97d953a4976c377a67ff3e7b7e379cd8c2cf8a44230218d58bc5212547a61bc69f65a2a1cf1a1c5279419a78f5d2fbe0cf03e243bc449b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6bcfc424656a0b53b4c1f1af056ae19

SHA1
62dbe51880598922680a3ba3c7a4b4320ba6e5f4

SHA256
1e070d198409076c8b5fb041d2ff2424b996114fb183c14cc241c45d959ee47d

SHA512
df3986407160f50167cd55cb0fd40564d3f3eaaecb0119162c8cf77063a4f8788a0e84ed4e9bc60d926b9c21de0ca4bc051e4302ba20271de5137eca09929790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16ef276efcf7905f25c42f168fdc742c

SHA1
2a6a8bd17453e9947d3ba92c1a5f62e81e40202f

SHA256
25f4b1dd44079647145712d30adad539fab01a085739de91400285dcfd6020d3

SHA512
7ac5e586791ea7e158eb54d83661caa43a4cec67d95f6abfed734f4e4c256c660049b7ff19005aea380613a136bef0bc29e8ee723c7d35ad84489d600c6be4b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53bba9f8b5aeef79c11c8983bd8c6fca

SHA1
0072905317ba009d4bd933d7e3453cbdafbd51eb

SHA256
53af3c4dce76734f645a77d37bd26fa015affcdf180ea8802a6f5d1a775fa355

SHA512
7e3f12030514ac93208ad9bc36ecac51cef3dbcb1b732574097d597e894a902f9a3bcd8c0ec8ded506e7e7289fa5a9e459a29124255c00ae4e06cf144f9d9c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9731672f1d94968263b6abc9370b7835

SHA1
e7fe2716a31b75cdfa00fb7e36056156f192dda3

SHA256
475cc4b82fe8103072b3a92d3ee348e709fc9e7251ff82398c6d67f78cbf5d9a

SHA512
44aa1f8685967ec2ad76d0d19e30c0ece33110cb678f8d9de8471a58f8c7fa89503e797a83a3b0cdc062d66efcefc142eba8cf1617b50e2a1314e39d0bb93ab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa9486c2e08f6a2320402cdf629fdf95

SHA1
a841ceed21cf61e33aa921c9da87a607b1553cea

SHA256
6a62f6a07b95f2dabc8982961ebf6ff5e94392e2dd63892f544c641de23c4e51

SHA512
45dfb022780b87a01d0d4f1d3510ea2b3d84b5a23580bf57dc33c6c5ffa800bce293a2d68461edd34b5192a83ff844d955456e1ef41e5fb718455765b7ccb7fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c83ed1262bfb2c080e3fb60b07d15ff

SHA1
05b76823c730c754ff363fd3d0cc7cf3049f5b7a

SHA256
9fc95ba9cc72d3a58d1e1e7a3efa2ec2a7d4b18a338fcf910e7aff386b7a1f56

SHA512
9ebbe523c954d69cf83178dccf0a695c8f14b393d4d59f105d6333eb81e2ec2d2db0055823b09a89261ef93736eae67e4b4d41678cd15143c965222b548cc4c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a2e5c99de1e60112b790495d7a0d03b

SHA1
5f381821cb3b6004df815cba0889459f8a3b3213

SHA256
5ca71206550217f35088d8db97f5d554492958f53cee0ab30f389e67cc89fb58

SHA512
b99e66e61e51cf07758c33d5782614bace481c6d59d6281e7248c8513c95f8b380a2a955bfc55634d6eba378c89d4527a46622a1567c68e57f6bb60abd24b237

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07701a631e505f2ea9c2003c244caf14

SHA1
23ce339ec39983f2ae7fa883b327dd42210e6729

SHA256
5a8eca66310270a7d29909aac230a04ca5ac369739ba4d88cd0325a091a424c7

SHA512
3dc4f56182dbe051385b4a3a3a89bd11e7e4ab0dfb2efd425da5526a86fd2e2d80074446812b74db30498c35e164c9d4c0827d01d434853e2622408eefde10b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A73.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit