fd72038524f82d299b58d0b9de0da0cfa10f19eb746ed863fec62345b1044f51

Analysis

max time kernel
134s
max time network
134s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_cloud.xml
Size

4KB
MD5

cd47d4b3192545c91fdddeae5adb3d8a
SHA1

8d389882bb4a501bd8d2c9690a023d0c808213d7
SHA256

8ec8ca9e56edab13c9b45aa0dc21a4970398ba6917efb981e4533cd510c56d58
SHA512

58f8482402652807229c3d5a563c785f4f85d6f768592521b951ade7555826f49f45e41881b1012c0350ee5aa77e0e4daa22f207e0fa3ddf3f06c16e49817ddc
SSDEEP

96:7OKfETG9jU7aGyVS0/K4TL+uhBj0HPDYKnCZB4qdP9:SoZuaGyg01TPhUzMd1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909762c169d8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ECBB6C51-445C-11EE-B986-76CD9FE4BCE3} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399249509"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000db3682d261b22578845c60fc46a941eeff7b21e189d74fb156603a08326a0a32000000000e8000000002000020000000c49594a420de6a4d90d50675bc278884415ab7b5f94f31900268fa81d6ae40f1900000001d2535e75ac6274b47d7f0dfa0a385dad561aa9ef6a4d839c763ece147d178231fde6ea3ab55050f546f733ce53a238c0f16bcbe6b7409f69b13deab4d456873e8adf47c1441ef430c27a34e1ca0a2f134b5ed00e192c1c03766520e59051cd53b5558185ba8ead2bbbb52a8432d344e0497681df3fb7eb849b899555f31b1779277668362009c1f284059a7cf4c52f140000000abe5532970cfffc96433a650f730bbdeebd93f67b8764806d5ac9668dded667ebf96429ab2a8089d4318991dc8484dd3995e986ead98e1e72c4dfa14a5977129	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000dacf9cea3fdb578a130c04c3a4c1c82df485c492ea50bfc016359d3db52b4809000000000e8000000002000020000000e49611bf2f1d33cc555c99a3013cee0d0a240bff35a09d0fe77fba77ef2351852000000003a7510d97b5a091041913a71888c88206d965c4f899e84a7284e3449baa606d400000003ac9a91763e37d898f3eebd062c413acc63ff91e9ebea147ce457f36c77d41d2ca67e4c27d267afd320b88065b7e8afa9be927fd4e1db13464c10e878df612d4	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2020 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2020 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2020 IEXPLORE.EXE
2020 IEXPLORE.EXE
884 IEXPLORE.EXE
884 IEXPLORE.EXE
884 IEXPLORE.EXE
884 IEXPLORE.EXE

pid	process
2020	IEXPLORE.EXE

pid	process
2020	IEXPLORE.EXE

pid	process
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
884	IEXPLORE.EXE
884	IEXPLORE.EXE
884	IEXPLORE.EXE
884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2212 wrote to memory of 2436	2212	MSOXMLED.EXE	iexplore.exe
PID 2212 wrote to memory of 2436	2212	MSOXMLED.EXE	iexplore.exe
PID 2212 wrote to memory of 2436	2212	MSOXMLED.EXE	iexplore.exe
PID 2212 wrote to memory of 2436	2212	MSOXMLED.EXE	iexplore.exe
PID 2436 wrote to memory of 2020	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2020	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2020	2436	iexplore.exe	IEXPLORE.EXE
PID 2436 wrote to memory of 2020	2436	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 884	2020	IEXPLORE.EXE	IEXPLORE.EXE
PID 2020 wrote to memory of 884	2020	IEXPLORE.EXE	IEXPLORE.EXE
PID 2020 wrote to memory of 884	2020	IEXPLORE.EXE	IEXPLORE.EXE
PID 2020 wrote to memory of 884	2020	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_cloud.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ffdca58f196dc036dec04ef81566ca0

SHA1
a6923d8ea89abf0d8279209423ba8af21f550778

SHA256
b6b379039f0a60bcc1d5b2a46e5bd89f06bfaa173810e9fa54f9817c9f7d05d3

SHA512
79373c10af5246b1e90b4f14f9eeb9196b93c389e8377728039485aed647817d6719bf31539e6e408555db21a2170c1e96af069170f1bb5d862cc41ba87bb1fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51a58c3342a991e7a5a38933dcce42c9

SHA1
d1a52ea9bd0346a876137efb6dcc1691569f8a8f

SHA256
c431c75718785444d2c4c92461811c8c4e0ca0d1ca2178dc50b56e33d4bcef86

SHA512
5f7457c6478ac6abcc0103c04b06e71c14b3cbe1537b7311d896be788dcb1d65f532541c07fd3214472710471b3535c847df5623d340b8f44d7be98fd6837b2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
183331d45ce9d031d49383b09f577b9e

SHA1
76f8cb9282baa44b467fd132b930b83c6d0c9f21

SHA256
b4bfb31003cf8198a2f236963a126f76fd78b0b91e4c67a36442d86b9b09992d

SHA512
2c03c8e036b61b6bf7fc3ff1c63cb8ae43a437665e94b0befaf00e2136d775e212f03ca6ff27cc84f3481a41ca0e1fab0a8df246a601f7daed8db82900d8c652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab95b5833c19d6db82f715997efd9c79

SHA1
43f6e97347ee9fab68cdc66ed916da3bf55b16fa

SHA256
013697c727fd20ea5a028de96d9a17de95637d5149c807dc9ee1207563650465

SHA512
eef6ccf3cd2ff769be3370b0b48984de4c46c3dd41eadd59f2ed3da37598a6a44308552816e2bceabf1c52eabbfc3c43679ee0d06bf08882b8de228994bd8a7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9eea5e69792d15eb8f5d8d4bdb12dbcd

SHA1
2b6de623feda449caee71f62e1b15e78f2e3b9ad

SHA256
2acee38b18a26f6822a8bfdf7e4650cac512e69dda69830a9596a9ac3818e1dc

SHA512
b29eaef9550bad042aea4f21c8165f952b21857431436b24319f166304635f7e6eb94443798f7bc25664fa1d6466ba078fbc2535411665fc7161c894efac9ed3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
368c16f7704fd4e3e162e55ac0f33cd2

SHA1
4d7923f9142b8c9da6b7832e1c136f9c5b6162e0

SHA256
dde2be2c0b43fdf828cd11a3e9804ed8aab67120ec9441cac55bf88038ecb54e

SHA512
36e58a7e7ec0c7e1d7462a9cbf8887c78e1d60bf2e3e75824fad13022ecef41ae093fc78cc88b1436ac126870a4648d3b8980dc76cc42f13dbaf12a55e266626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7306934e3a0f88eb00e07a29c176b08

SHA1
d5a5696011a4f5c0a5fc9e95da5ffbca4d25d4c8

SHA256
b0d083fd19532d6eaba848eb117b193268f9ac4053d9b7fee00535ef251c46e6

SHA512
a2d29990b7826f7f0cc95cf79aeabc640b2f22a7dd03b8c878b8fbb07d7667b6bfe0dcc866d63749b054080ef52c7c49973578223b509f17a11546a00544af48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db4536903df5464aaacec12657346eb4

SHA1
3cbab278191912b515ffca012f7ea5dbe8670b2d

SHA256
252c24ec56a94a2cd4694f6fe3eec3e37b3d9caa34dbfdf8e007b1e68aac386c

SHA512
edd9b111bb64ed718f0f4aabac17c2fe84f887e93be8e204483cd324f8250daf75db5eed66386fe17d5cbc2c4d317028639ee41cba23bc2c49c9a2230d5ddecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
077a9278fe76450de4a736263510b10b

SHA1
e50dc21f64c519384bc7bdf7102254a15e30e68e

SHA256
f7d31b027384cf1066735aa3eaf438a529af67b5bde18054628f070621c2b9b2

SHA512
10cc6f561ea91e34e1ade7c3ad24a68fc6bc77ba4c294d3567f8533348efb98217d4bfe4a6d106eec6fad4a08562dbdccdc822a1c9fda21d827e5f52c8049c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA1CC.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA34B.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit