fd72038524f82d299b58d0b9de0da0cfa10f19eb746ed863fec62345b1044f51

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bird.xml
Size

1KB
MD5

564073fb36287299158db87208c3ef4b
SHA1

d9ea8d3bbeee99b3acdc1fbd5f779d329783852c
SHA256

888e1f6b188d57d2bb5c86656872193e2dc882672c67ac53a1c6828ee95f40b2
SHA512

77ad8ceaa1784c765eb3ac3cd2d8da442d5bcaa8086e67de4baa929d020ffd90895fe61710f285d6668235188b9520203b86c986154815cf5de82b29c4b3ef1f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000e54a2739b6318e0e7f8cf316751c29031b444db4611fa6b8274c7b6d8661ee51000000000e8000000002000020000000089b804183945e37d3119287c2f766513686010516f27b6131eb2844519e767e2000000041500bece1d6dccb6a12781ccd15df17ea2024a2c36d28e1904990d0997846e14000000074a249cf5c3808f83465d7efe62a842054fb335cefbc85efd874daf03bd2fb13356977682d89422c77ac59e98018f85b6c3522541acb37c85a0b62b8bcdabf28	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399249495"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 205699b969d8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4D5A231-445C-11EE-AEC3-724B81B1CE5D} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb0000000002000000000010660000000100002000000002db35ae86a88e30dc7e42949e2dae4ee50e65ee8e6b1b7f2101bff18b974ea0000000000e8000000002000020000000a83c324180e42c715840b9ccd36badb50f3cb62760a889e87960fe9892fc62a6900000009e575c842981e7a922a07175b3fa7dc7f4432bbf6a2b2f1fd71cb9f45c9d844ee3fcd0521e9cabf26d69bdc1914470b51819711f02890645dd7717c018bf0124e0666bc064a39caf5e641fdb2c8a968bbe2327100e0d6d1b7611dce6458ad2d096299f72ef28f13ac978f84e51ac5d3618a7026dba54fb75d555c1fe9b9b411a4fd9d45cb6b6bc8c807d2fb82cb9a09d400000001a5de7fbbe30aeef179c585de17cc1e2f37f348767037f419973298d12aad8a3c62ce8687fb22a2931fbd1161d97f7efcfaef80131ead966d0793e4d5373d2cb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

792 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

792 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

792 IEXPLORE.EXE
792 IEXPLORE.EXE
2932 IEXPLORE.EXE
2932 IEXPLORE.EXE
2932 IEXPLORE.EXE
2932 IEXPLORE.EXE

pid	process
792	IEXPLORE.EXE

pid	process
792	IEXPLORE.EXE

pid	process
792	IEXPLORE.EXE
792	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2208 wrote to memory of 3000	2208	MSOXMLED.EXE	iexplore.exe
PID 2208 wrote to memory of 3000	2208	MSOXMLED.EXE	iexplore.exe
PID 2208 wrote to memory of 3000	2208	MSOXMLED.EXE	iexplore.exe
PID 2208 wrote to memory of 3000	2208	MSOXMLED.EXE	iexplore.exe
PID 3000 wrote to memory of 792	3000	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 792	3000	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 792	3000	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 792	3000	iexplore.exe	IEXPLORE.EXE
PID 792 wrote to memory of 2932	792	IEXPLORE.EXE	IEXPLORE.EXE
PID 792 wrote to memory of 2932	792	IEXPLORE.EXE	IEXPLORE.EXE
PID 792 wrote to memory of 2932	792	IEXPLORE.EXE	IEXPLORE.EXE
PID 792 wrote to memory of 2932	792	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\bird.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:792 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
86524ae78e930ea4b1837f6bf3b69339

SHA1
929bebfef86f3f2227e65746bfb550efb02658f9

SHA256
c6326530988bd5bd0b6a6bcec39e17348e16f20a9790d04dde0b4b7627b7113d

SHA512
230db15254891236f0206aec5ed8332e671991185b92739759de4497d7f12ff4c0680fad5d64c32d842ff6d382a6e628545f9642f6bdb1a4c4fb167958c1b87a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0270791b45c0534ff57c90d56a28392c

SHA1
5c8d108fed1a7aa65cc7938f0e824d5b534ebb97

SHA256
c484e0e90ac00453beb4fc6c6ee6627765bc3fb97adf3db82942efd74b38fbb6

SHA512
64ab09dc6581caa1d6a650d299e6b790c2f7e955db914cd17ccbdf6c22f052004d1458730c53eb5a30855420b23cbf9d5b2e1fa7396ccb749ffcab45070a4cdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1fad191874c54b88c23d3d8bfd07922a

SHA1
1baa2ce44eebbf0d98d1e7ed1de9c0a76b5800db

SHA256
0df5f84ebf1357c0c816b0a237ad775eca6f905d55db1d2c98498bb0733a201f

SHA512
822b10c96a2d458d62468786eb00874fa33b8edb5655e750537c6e95d8b7b08869bc127cd6282a0186393423d63dcce648759abb49417555923ccab9e815f05b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c96197e3af4245d6168b1f892caec8a2

SHA1
02117057c62b9b431ad3c7ee1cec1ee80ee4d159

SHA256
5bf404c2918f547870fd351e2a1844ff4f13709f68e2023cf02ffc7095ae1908

SHA512
db13c045bfaa7dbd5bcb4e5ed38508dc735af7b33afa6827ebc1187161d092633bc6898d70b04deefba6eadbbe1f1f56ed8f39234cd42156eef741f3eab22bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
99bcc2bbcace8102cbb0524d93caad8a

SHA1
0efd9f6fbf2223c70496c2704b3ba121a41253b3

SHA256
f6fa8c581e0e3e1fba8b1365557171039a03a631512e3f9f024efc8f9dd8a1a3

SHA512
9d1b7f57b50f28ef019faaa77d822f9564a1d2ffad56743a13fedd5934a358aa4fb41b70148e419b033c7c0aa9c7a59ea5d1170bbbf581807ab73c0060b06032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b3a57ca1f2cf2c9f1c23bb5b73edf8e0

SHA1
7e8ce23295502f7dcdaf66ba0ef613bb645b8ba9

SHA256
be48cbd1fa50ada5c532e12dc14eb6c2e986638aa23dae7401fb8cb7e2e9208b

SHA512
b6403e84777c1eb51948f77ce26f73dd2d0210e91621cf6b4635b5626eeda712cc77cbbcc3a0a17bb7f24f6f745ccf766b285ac020ee714e863b8b6e69cb1612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
999bb8c896542a31ce246dde8ec00562

SHA1
b7ea574578c64859ffbecfe55d6a2b757d47bd98

SHA256
8d50234f136c6a2ca856b59275079f942d644937567f0ca5541a022b56960cf9

SHA512
ed6767193787e826395da814d35366914f8f8bdbbedd33bea0e8f8cb55d8d33f63c68322cec213f8f303303bdc16cb01023641d26a4cd9dc2a8f7ec0ca678e0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
32e8d26773de5ed893427fe58e2aff71

SHA1
da706073f8af0a759b064138102c9953df026619

SHA256
da23998ee5a0bcf1becc88a201274a62a67fda4dee80cdbbf6d9b0724fcb4610

SHA512
f5bfbd889149277e81d233599419e1239296d21af8b0231727c833571a7d8d572676d8b0d716b6c3bb0fc739673a601abba0b5280db9833000127009a6d64598

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5527edd497f4c672aabdd0acdd1c9778

SHA1
4aeda889d080e631eb75f2db60d59ab65410bb2b

SHA256
a64240497c80a0f79de248fc6298465f5a6bea8f27a29e690ef1d86e0d461c1b

SHA512
1dfb41315f532fe32fcec6e7c86ff397f841e47282480ed1430d0789c100badb3a10e30417bb628d831f07a7d3445c6cb12d7e81596ce7896735f0f036b24675

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
57e8db60997787993d41546e0bb67cec

SHA1
1a907ecb12ff65ce4a31ce088cdec7436bcee33b

SHA256
5db527f4b943bf5c7847a068a19bb8b4c8db5d60c847a015534a72f37b338178

SHA512
899345150746fa739679a2d6c90464bdec898acfbf06fe950d7050a993029bd580460d864c1738dbe64bee7b4bbebc22c87c4ece673c488f87d97c40629ce276

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE661.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit