6a41f27d45308f281b986b4dfed2989781a0b69cbf069bc84f28e333b56d6dbf

Analysis

max time kernel
134s
max time network
135s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_cloud.xml
Size

4KB
MD5

cd47d4b3192545c91fdddeae5adb3d8a
SHA1

8d389882bb4a501bd8d2c9690a023d0c808213d7
SHA256

8ec8ca9e56edab13c9b45aa0dc21a4970398ba6917efb981e4533cd510c56d58
SHA512

58f8482402652807229c3d5a563c785f4f85d6f768592521b951ade7555826f49f45e41881b1012c0350ee5aa77e0e4daa22f207e0fa3ddf3f06c16e49817ddc
SSDEEP

96:7OKfETG9jU7aGyVS0/K4TL+uhBj0HPDYKnCZB4qdP9:SoZuaGyg01TPhUzMd1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000373024c3dd95d619ddc7b652d221f35b896da8f219c6f23ec90b6aa0f83c50e8000000000e8000000002000020000000dda3efc8ea6fb56640edacbafff1dcde43b3eb638e68f48f43507477481ae21d20000000b2662c6d9f46dffe232eed50f3deaab454a41db0d38fc758d4e0e04b30ac828140000000e8a8753df45dd9e027eb6339682a09199e63f022ff27ef42e7d5483399f0ca0e551992456afb9c61ebf642ba9e0a3e99063b858ebd657e3d2f2a1c3ccc28fa92	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405e377169d8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BF0C681-445C-11EE-8A04-E23FD76D3CC4} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000e8267a3eccdab63d9157a6ed3fdfcda5d5543539e0474048d1a4090dcbf2a016000000000e800000000200002000000007028f290416d916d5dec81d80801fc29c58f0afcb28dcd941309f5c1d10b7269000000065f1269951b34c6b998371d4c04cdd4ba23caa094218b46b176ed5956539876732d4363cb48c1a15b900d1521cede8452104fed92d99c28ddf45b81c740f45474756f7d28593f94a22597e6f86648e4644b5d08d5a12b163db27a4b277b531e41176869d3fc3cbcabae6c4f0942a66e78e30ec7484e5ece2455651eee54514829a99f459d51a4dc85567dacefb6aa046400000001dfe878c5a65698ae8d4af9909731a7a62319613c07c1be2f5ec7dada424350282526678f1838e3776027f76e63e3a6f511c265506ec4c881dd4df51f7a796a5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399249371"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2580	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2580	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
1172	IEXPLORE.EXE
1172	IEXPLORE.EXE
1172	IEXPLORE.EXE
1172	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1648	2268	MSOXMLED.EXE	28
PID 2268 wrote to memory of 1648	2268	MSOXMLED.EXE	28
PID 2268 wrote to memory of 1648	2268	MSOXMLED.EXE	28
PID 2268 wrote to memory of 1648	2268	MSOXMLED.EXE	28
PID 1648 wrote to memory of 2580	1648	iexplore.exe	29
PID 1648 wrote to memory of 2580	1648	iexplore.exe	29
PID 1648 wrote to memory of 2580	1648	iexplore.exe	29
PID 1648 wrote to memory of 2580	1648	iexplore.exe	29
PID 2580 wrote to memory of 1172	2580	IEXPLORE.EXE	30
PID 2580 wrote to memory of 1172	2580	IEXPLORE.EXE	30
PID 2580 wrote to memory of 1172	2580	IEXPLORE.EXE	30
PID 2580 wrote to memory of 1172	2580	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_cloud.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
738c71469e4e0703851c0c47f0cbeccd

SHA1
f37df83daf53c3b8164dfaf59fa43f423c25b121

SHA256
747846b5d241a349bc95ca0e7ae45297dc4b1785b8492c639a5d0fcaadc24a74

SHA512
2d4d21a9a9bccd8ff91573a10c1d978bdb96b6206de0c8388a20d7c70b09cc39526317187914260bc4e334940777f3e2e04ff454422104fa6be5b03787252bbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bd9fadfde23ec8527ba04fc46883447

SHA1
a3ee898b68f98e84ab94bf1bc67c240ad2e8ef0d

SHA256
5df4aaca92f7b0c59927f22e139a4e38f96f7b74085064dca67debc79674aa87

SHA512
ab3468972db5b0f6a6c2813674b40c3e1bfc058ed59a35f9abfe24ac9b0571b0805956659b8664876b562252f96b39ed2399f72a0db562a214bd275c0871c420

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
799cb629af02d6c8216770f8e9ce9889

SHA1
b76607d7543504c8ddaba78cb034851c48d3bbf8

SHA256
c506a57ba9d01bb0516d72db8ce3f3049b7b564585f67303c6972201de41fd34

SHA512
bcd2ecbf69e3e4a6672f7672ce74989e2b0a1a5629c950393bc2b1bdb98caa27ab1c4df83c4267e3fce5b244c4b2b699a5391cc72b88c82801514b4a6cd3345e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f7e10197eced08e2b53d61241c64c07

SHA1
ec8500081a6408497eadcedcd5ac95a274a7609c

SHA256
7852b178d0760f041e700b036332f0224729a6b322916abc9ea7e252eec878da

SHA512
4ff1a9671e95c0abc5a62b4bfd0e27dc531209b3b28df11e6c909803533467701c9d1f223895ff21d41a8270c940d9166d480fe45365388947b6317c84bb8c44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95668dba8f5388b326f56946cc5db592

SHA1
b18d22fdfcc17f19a216c2fdec6b6e9541884c08

SHA256
6e576e6ae235074705eced502c67b06a3931a77725f4628cbf8dc0a8b47457ee

SHA512
b6b56f4f91077aff490483d1b795c91e9f6928cb6d94dc716bd7077f194ab43105ca0862a1facb40bf58ff9ca504d4279e5372bfe29410930a8849c33a1f277e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
127333a4bb422eb74bc739ca59a80818

SHA1
25ca0405d6f2e16de27c6594fbee9c72d0abd40f

SHA256
f64797c240a979b452720eaa4da1927edd5c9876d87ae933f38e3c52d344c210

SHA512
442f0ba3dbace88f6bf704c5e4bc95a116ab9678b6aa159d4dab19c440a7bca401c5de7282035a12d770af1efeaffea8decb729ad9c4dac477545808677ed24e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4a3d3ab98e675b69dd5d277a079170c

SHA1
b5a9680a8fb1f937acafdd38a6aa7d1bd6232dde

SHA256
4f76cc4ec2c0ae57fa628d79a5a3ab60f0dfeeb5266bad3e8995559057280dda

SHA512
12bc595b96a0c538618e992aeb6a5243ca28a76e4a696022ecefc428e699b1129126246a93348d04ea055a9fd0041b7f99e63d7bc68303663233610551b92d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca001146d68c99611fdbe167f726d79e

SHA1
b1e2ba6c952730e0d68aff6360ac208c0fafaf1a

SHA256
83ed9b90f3a94aa5d8918cf18ebcdbafb7175d52ca38d2fee7da1cb2e494d795

SHA512
c1b6cc7b6b10ddd1f46c0fbc4085144bda089d5100b6823cd91ea7ab1429beadf2299597b040769986cf2b3d5a082a8be223ef64acbee9615d60cd4961459093

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3903e3faa4b887f58d379af611c895c7

SHA1
0911a4e2cf81b4f3e85c7fa0d95ea15d32181e2a

SHA256
36027c3d4640db6b7699ecc156220b75871ff8b32c4c28c9a7f7d0790175e1de

SHA512
a4c3e4310c65726e594fa905f788217904bfe24397cb76e2468349e8ee6ac762d451cf7fec10712773b1b7ffdef12844bad701611ab8d9568813fee681cf38a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit