a2731e6bd555142f43622734f8b3a6c27672831269fe6cafdd98d53cba75b57c

Analysis

max time kernel
134s
max time network
134s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-09-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

configuration_filter_beauty.xml
Size

3KB
MD5

fa59d18bccc7555afa1914dbb6e46530
SHA1

5d26f679b5308d46ca6f16464fb86e16df151dc0
SHA256

f593d5b845fc1d321e13b77475423c5f275dbe771c4d743dbc2f8cf6378545ba
SHA512

0a33bf3a412a27b35a29e18f62a037af56a0c100e7ff2ed20b5e893afba29bf32716fe4d06a85c2d2e947539d28c2609262fdb80627152d2ac0646606508dc48

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b0000000002000000000010660000000100002000000020d8f922bf72644bb569fcc386e1689d1577fec4826bb6d2d617b99ce8205a9f000000000e80000000020000200000004b655ca52925da417154643bbfb11697d947215ab7bac58bf7e49b8fb2cc3e7720000000add321969a53138dcf1154b38ca31fc92199cd410a93d560151a7d39b24882f440000000052ff97be66b7492aa1a9248313655d1aa5cd8480c100bd5d1c7ae58f8c5c6589e818ccb77822799a8312c130daa62b494cc7e37ad15b8c26898291dd73541d0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000006a5c5fa8ac2fb689fbffeaf5ce2189d4d658aeb087e325d1757d8abe29a6f17f000000000e8000000002000020000000545d9d77054fc559322a9556782b5d7b6d233a37eb10e264a1b48cb588597d4c900000004befdefd0f37f353df19c94022e0119ebbee3394386edc41f444eccee35023ebc78c31ffe483cfed20dd875008adb4479b15fef8524ed159bdc1abd3d0035bc24e0e706470ef58750defcb6c4627100683a15d17f15f38719f7adb7cff1451d6bcf6fbb299a70a76a7565622f8ebf85586a866df77e624ae1aa337598980b3b8effb69a20c068bcab0acb470b2e8891f400000001f18fd41eec344e7d23b9dcb1bbbd677b07f7966f2f42fb5ffb8a16400878ce01b189ad0c990134365d2873ef94a5585e0f69b1b70a93c85a27ce3d1eb3309d7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3603BF01-49DC-11EE-AD3B-EE0B5B730CFF} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399853934"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a006f70ae9ddd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2348	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2348	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2824	1872	MSOXMLED.EXE	28
PID 1872 wrote to memory of 2824	1872	MSOXMLED.EXE	28
PID 1872 wrote to memory of 2824	1872	MSOXMLED.EXE	28
PID 1872 wrote to memory of 2824	1872	MSOXMLED.EXE	28
PID 2824 wrote to memory of 2348	2824	iexplore.exe	29
PID 2824 wrote to memory of 2348	2824	iexplore.exe	29
PID 2824 wrote to memory of 2348	2824	iexplore.exe	29
PID 2824 wrote to memory of 2348	2824	iexplore.exe	29
PID 2348 wrote to memory of 2688	2348	IEXPLORE.EXE	30
PID 2348 wrote to memory of 2688	2348	IEXPLORE.EXE	30
PID 2348 wrote to memory of 2688	2348	IEXPLORE.EXE	30
PID 2348 wrote to memory of 2688	2348	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\configuration_filter_beauty.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8772d800227bd8caefdd41bae4c3e99b

SHA1
1f784ea7ab1fb82b77e468df5e12c66363c43b31

SHA256
5fe4363db461e7fa15a5567b85df6cbc036ae7b7871266cf48fced8d8f1ae3a0

SHA512
9b334a301255780fed9ab7873b2d8b551c80dd21e19472c25ada53b2cc4bd54756cf42a9ff664e02b16b6cfb64b3d739108fe246d15f3ef9a7a68c2860ce7ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66b6bf42aadd6e56f4128de4e3c4a340

SHA1
56e45a0ac1c54b46567eb8224b268315e468e36d

SHA256
b949923cc4eed07fcae64ac45a937591d6bd611c5d9a8a9161a2ed20ef836783

SHA512
5df4f81fd1fc0301112de8604925b700fffc0a90bd4f19c05edfecbdcb867de7aed64187ebb5b049e0d1c282a7c2fc54398596ba8e8f7a645726446a3904dc87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f07f2c3a8a9551ff28ef59a7a1a93e9c

SHA1
c14f4771c1dd4016e67316eced41f596c068fd28

SHA256
1910d60679e472839825e491af56d6f2b9a9dc094e42a664cadbda5cc35818c8

SHA512
e23f9135240fbae554acef1269ae72d54f656c4dfc48e977bf06ae2dca33847cdff075d896fe1de8d0223f27ec225b2f2328346ce25212eb3b412db21f5980fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70945c4aa364d18e6409d36a487dc0e4

SHA1
98ca4d321fc2ef51e340e84c999780d287bfa93b

SHA256
bdbadeec22495d15dcd244c20ae1ff57e634ed884459c217008704bbb1f0f040

SHA512
16dab0438bef4efccbc8bf9248d540e3f1f9bbbccbac1874a14432ac926d164493236c3d6fdba7bea98a528ceafc51ad10e35684344433910da9e222f5af9ae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bff6fcfec1b615ed64ccbd6c86fc69e

SHA1
03ffe5d272b50d21e9d71b4e150a3d8c068c1397

SHA256
fb045ca937742cff8c532d0f6856a9c1975a4e34bf64afea8f0330c1bb1f452d

SHA512
fc8c9120b942e811c96a869b91a016de6d4b1382f5fb93e83867e01b97dafd8cb5eb0235ca6c8f503c064b2bd93fdc76b88646ac3da2ecb8016f02856ad66e7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eacbd1796e2f75c32991811d6b656ff6

SHA1
5bfc09b91e41a5c02299c75c7c016616ffb35dde

SHA256
401020872b048a89fb56cfcea065afa73db1f48d999ac748d5889ca0ab4f5dad

SHA512
1674e80f6f9600d5a90ba4434be18adf4c5ae3ad2ca602285b29765bc10d24f7a0ac0ef2f53e8805d0d2154b9b9cb9341e6d4a9ac3f558f8128fb3fe3db25b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a0c443d6188eb6755ff297b99cb6240

SHA1
5af67b1f1ae3e7582b8a3576aab7c3489f2d25a0

SHA256
03c290c2dc74fa394db6d0157d983611a2bd3db3f60a6552e05214338ac9e94f

SHA512
4bc1b6d5dc12221a7a4ca90da9026cc567682dad37d6d39b3e1ba485e85e3a70a5454787f9ac4d6460d6f9aa898e4b78b716a1846fc577f3dac37ae15f5ea212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5284f3360c14c18e816ad6a5b5e6d810

SHA1
5b5956cb3f463ebcfa1b8ec02b3a3bdb7f563ff4

SHA256
f76340300fb3cf2491397bc17bc99465ad183d6a06525fa1a1fb869a721759db

SHA512
bf4b722a216a0e9f17f684472c513ec86ae95f27f1fbcea4d4589138a0bb85d2ebc124a542bd5e5fcd546df1e890e5554fcf691267821797428a55ab3e6b7850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c8885efa3fd921cc380727d60ddf490

SHA1
1095ef23c4dcfa2b8c8ef1c8560e73c03a58d005

SHA256
6797a490856acc76826beb9c2b4d6c6d1995bb90842443224d38f8abd0314edd

SHA512
8d3b6c3f65f27d0b5da8c3bb4509d5682fd487edce86f5eff4cecb4774a6ce2a3e6bf9e5934ab81440835f13e3b8bb6189eab3dbcfed8dad9168ba2b17d5c829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d944c17b79b5af6a84cd6aec247688d7

SHA1
db6c33f7b05884a21ce886eb652a7893b3945e03

SHA256
4c4b8f3bafd1f483a297869bff60b47e97aed548a254614da9f19e51a16833bb

SHA512
e0e25310287a476830032b0d00ae6cc81815d80fedff1eea933ddadd7808417755b3c578b0e1c0c8828694d84c96f3ab1a9aab979ef5ed5671136bad8e96cf72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab54D7.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5518.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit