fd72038524f82d299b58d0b9de0da0cfa10f19eb746ed863fec62345b1044f51

Analysis

max time kernel
134s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FAB-blue.xml
Size

1KB
MD5

beeb15f69eb7675da389dd2a7d25e61b
SHA1

9b175d994ff139e6079aa83e8d32cd97f9799ff2
SHA256

3eaad41cf652ff44c03f0100b20dbf00d0bcac736147619fe9dc66050095a1f7
SHA512

5c711726090a1b3791a62fdbd78683caefbb056a900598a67851f1e1a89f0f92ee1e8854c3875a141aa958517be720c45f1c7411089c3adf7367f2e11076d04e

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000003029bf17a325cce60399e0cdb827466a7b9b649ba195dba9f24226d90d30891b000000000e80000000020000200000004bcaaf2381e35ede26a149549e4818c2fb3233add2902995416e082c2d9de7f320000000a604a8c5d47789ce27dcba221217fa5d76771ad97834b447d7b8ee18c169e8a340000000ba0b6b62e723862c7258c6b9e7b5413b4b1a6e8b722c182addbda6a134ac9220567fc4afbc472a5a9c7f297e804203b7d9e6a05e22498057e66707a8de6e1c88	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000001c36615579cf036c71c3c1d1b584d958d01a0cb536897d62a2dce4b4cae6985000000000e8000000002000020000000c59372af5827979206b018869b92d74a0b2203247d5084718106d1042354af25900000000d5a6d7795d07669a5f71aa86ecfcbd1e8d715ecb111b0be350ef83d4a486d19d07908cb1017a76dc1111600a555fa1663e0db3440f11005b1ad749b2fe1e828ba03f8a8519647cdef855b1bebebde0a16bccd2e57376ef13555409351386e98593104b2507a661e3da44b81f6d231c44f68a5ce6aeb4e7d1aa6945d47086d4fc40edf1374dfac20a298d1fc72b037074000000021021c21b0050943bdfdb66da2377a8263a14af1783ce30f27ceb977a087ab3ae8e5f3015438ad93a82ed4810fb408abae2d83271af842a4e7ca4813239d82dc	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399249519"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0facdb969d8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E52475E1-445C-11EE-ADF5-F2F391FB7C16} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2848 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2848 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2848 IEXPLORE.EXE
2848 IEXPLORE.EXE
3000 IEXPLORE.EXE
3000 IEXPLORE.EXE
3000 IEXPLORE.EXE
3000 IEXPLORE.EXE

pid	process
2848	IEXPLORE.EXE

pid	process
2848	IEXPLORE.EXE

pid	process
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2528 wrote to memory of 2120	2528	MSOXMLED.EXE	iexplore.exe
PID 2528 wrote to memory of 2120	2528	MSOXMLED.EXE	iexplore.exe
PID 2528 wrote to memory of 2120	2528	MSOXMLED.EXE	iexplore.exe
PID 2528 wrote to memory of 2120	2528	MSOXMLED.EXE	iexplore.exe
PID 2120 wrote to memory of 2848	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2848	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2848	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2848	2120	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 3000	2848	IEXPLORE.EXE	IEXPLORE.EXE
PID 2848 wrote to memory of 3000	2848	IEXPLORE.EXE	IEXPLORE.EXE
PID 2848 wrote to memory of 3000	2848	IEXPLORE.EXE	IEXPLORE.EXE
PID 2848 wrote to memory of 3000	2848	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\FAB-blue.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a745b3778fa9d95b9d693866cf7f4415

SHA1
02aa3ae55eadd038c3f9f94f6496e616ca644a01

SHA256
5190973409fc7e041ad957006f26a98486461d90a5c86bfe35a981e1e8c61854

SHA512
34082e0b32d4830549a22df02e47aaad56082084d3d5212c7775360a59302ddc691c98ebff05d039dc76a98ad4175c45521665d4b1b4597afb6d9763095e71ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f3428355b9cfcd4d97649bdec69225b

SHA1
b2ceba9b90be83feaa4cf684ec3a70bdb033a54f

SHA256
5d2ef0511038c08cc70a062a7016c5aa0f82d9e746ca8ede27a74ec68e950505

SHA512
98a78177a106bd4916b6831fbeb1c8fe29ef99510b4bcc971de6af1a835fc3d94dcf60ffcbb34cbac04510da844a361de81700bb6adfbed416ecd367447dd344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20935c9146ca5745213f8b5e834afc0b

SHA1
a02b1c5807b39d0560f745b7ae4ebf02d4c74c06

SHA256
83cd4c827538406c5a9057526d63678c208f04128053d29965bd708aeb303baf

SHA512
9b962ba939f793ba8ce1f249fc17f7d36bd7696f244c7799cc48be78c13685de4d5a35a669f47e157648be1c1ae2048671d8306b0d749911030b1e4d6ab3fab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4601375ae46d02ea9a52ce7025481d0c

SHA1
b009b9bb70be3cde9b9b6499ee6147ae91a47850

SHA256
babe891a10694ada59388af6dc645b400383022317ac1b5e532a20de065115f3

SHA512
a8f50ac69b52ba566b29b5527e6865b864fd356fa40df09f553cf0f7f4cabca04ded94d03d1a0ad8107be1931acb4e7351b2f2f9a18b7571fe1d41bbd5d32003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
feb9ad9c0d7d1a58cf5215089399e658

SHA1
392496239bfc6744cc5f7df61c35a8b31aedde13

SHA256
291d19e0133a3d526779816d621bf411b62f16aeae33896f0e278ce99d148a04

SHA512
e4ff532a6dac64574ffbe8841750a578e6f893f1f1c9446d5e8c71ef5cf786d7f363baf2473ab9762a03623493ec6c4b1897eecf1477056b7ac89b5a79879d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8dbc8a0de9470d3cddce0afaae396f0d

SHA1
abe569894c62d4e781fb5554ce33d34a91d4bc0f

SHA256
f725e5c423922dc89d1f6089a3a7b05af6b5a936835ca4c4bcd3f438f2e32733

SHA512
cc5aef4fd162c0396cbf85030d6e16a533643f761222afdbdf69b04d17b20c4220a5a54146dc8f92d9bf9da3175eb084b658dc8d2154ce8a382a790021397294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e695849c1d0a427a90e636b3b8b67444

SHA1
be04deb6920ec1627a332c809178e72a60afc58e

SHA256
5b694221a77d2c1152287dca289a10ecc8cc55d5a6b3ae6f334e38ac6a1c2554

SHA512
399324d7d93341ad838f3e843ef287cf4f37b8e21181e01a5b97042353a656730ef36ade90b8bfb3618a715ae126575a33dee1a19ebe1ae6b40b5f0fd4a04f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53b8d1c399aff673da119f82af618adc

SHA1
7070ef3b24ad0accbf34b80aed16528675597a67

SHA256
d5ab76887389bba9e92786f5509b073f615dfbbccbbe96c2eb92b0afd2a383ed

SHA512
2f6ef4b14f0038890ca187996303b51c2f544554b0b7fdda4eb2802da2760ebc27e4b3205b2cdf4293656247677883b7e54c38b2c6826aedcbbe0ab655c02572

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e158286ac55d621d4419d1f81edbdb55

SHA1
40daf7b61f910878afa7cdfb31c49751592725a8

SHA256
5de1508a7c3795e8512e3f0b954824a6b7d8ca0b64c846c435b80b3859ab41c0

SHA512
d5e813280dd13f935393e730d08372944c4feab14a32a5f28c9f47be7b10c3b5657d97c23058d0624fc3c7a22068ab33cd35d70cac100574ddbb26a7312aac0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F2D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA1D5.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit