a2731e6bd555142f43622734f8b3a6c27672831269fe6cafdd98d53cba75b57c

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xx.ArPublicParams.xml
Size

485B
MD5

9bd82929fd635201ec8e8dbf51526335
SHA1

a8d5763be22ef40e9a6b627c74e7fd5d08eff633
SHA256

ad7dcad973fbddf5adef90bb8606b9e4369c776ac57a81d4b91d367a20714e6b
SHA512

cdeecdde9d09e6a6425b4ddffdd113fcab194ebc9153d345d012f5758d3f0545fb0986d765d36f4205665988f0d2c304a4862159256c79b8a909e1dd0fd1d15c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399853933"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00af50ae9ddd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000c7507ccde32f3869700eab4d7cf30d4f0d5723676cbddb62d1a5c4734e64baf2000000000e8000000002000020000000a3cab5d8a424bd58e3be4d9003985f7e4eaaf6c81cfdac67226623d4aa0078ac20000000e2a2bff1eb4d2ce76813553c058fb4d562cbfa1b09e8ab7df21302319240e19340000000483e588581ce444375004a7de239b952b7c7a33f24d7f9394acf903e37070d877c648ff56a3c5288e652b360dd5d1adb6f346430327381b075ddcbc468257f81	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b0000000002000000000010660000000100002000000011e369e02cdc0b82fcbf5e6165a6a88bbc081ea08e617e98bc2b3feea748290e000000000e80000000020000200000008bf204806f84710f73802f877de42d09d3a398271ab20ce60387178777ab1d84900000008592b5976d035ff32b45c57444b5299d3ba21324ec75cdc49a7efae8effa16626c1a51acde704e7204d766c7027b256cbf89e8a254abece277eb2473f125352b5d14725119ae75456e0495cc1da2808d3cd1871f130b3097e44bd1732da3f7dea97bc21985b4dea0a06cc0a490c6ac48654a349db7b531bf4b4a4f1dff3b1a3386928056b7a08a28a5da65750457360540000000be993459c20a1523eb244be565ace6faffdae7b2e3da292b43c670d3fcc17965767753ac859d17427e99c0d499a3da86263026bf815b5525d98caf05ebfda647	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36126501-49DC-11EE-8C03-7EFDAE50F694} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1440	2328	MSOXMLED.EXE	28
PID 2328 wrote to memory of 1440	2328	MSOXMLED.EXE	28
PID 2328 wrote to memory of 1440	2328	MSOXMLED.EXE	28
PID 2328 wrote to memory of 1440	2328	MSOXMLED.EXE	28
PID 1440 wrote to memory of 2704	1440	iexplore.exe	29
PID 1440 wrote to memory of 2704	1440	iexplore.exe	29
PID 1440 wrote to memory of 2704	1440	iexplore.exe	29
PID 1440 wrote to memory of 2704	1440	iexplore.exe	29
PID 2704 wrote to memory of 2816	2704	IEXPLORE.EXE	30
PID 2704 wrote to memory of 2816	2704	IEXPLORE.EXE	30
PID 2704 wrote to memory of 2816	2704	IEXPLORE.EXE	30
PID 2704 wrote to memory of 2816	2704	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\xx.ArPublicParams.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
251faf712c0c657d01ca3237ea1fe551

SHA1
0a6bca93959e5bdd3f4e3ad2121c86fe0cc0ee23

SHA256
b1afe26e17608a9a4b9cde02786dbfe822d71e547d4de08e6c7ec7b673fd298d

SHA512
c836e2d3e49a2029a67537e9fc01f1684951ad06fb6ffac359badc78a13dc0e6a899ffcdbffaf6728dd021dc998e8be416d60a2cbcf94f248b8063628ed041b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc68343a463ad0491a11eaa52a09eb4c

SHA1
55eb237f38e7a1790c78eb1fce8d7a501acc279c

SHA256
2193f86aced2fd433fa211893fafe6d1d98d6d97978448d272b90a2827a9d3d4

SHA512
4c6bb5654f809e926649107808e8f163c46aaa29b379bce7eafcb485bb21f2c85ce73da8803e9c112937cb03a181141d309dde8fe41e6ddd1dfde659d8c35fd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5384540a25e146728ef06da89463f0a1

SHA1
6dd5f322228a2c429851b41ef2ea7dc622e793d4

SHA256
08b2b1b156663eaf13def49f60e55daa1aa7f09a20227e59276149f935133d27

SHA512
797fe6a93f661a34a82f7776fe0c8882485ab9e11f0d5ab845170cf897e7d3a70ae596c51034536deb382e79120d8a0ab27b9dad8382b853f699a5cc202a4829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8ea6e747b0a092b2eae5db23378c33b

SHA1
587626ce16fc8030f7f547cb80627e69493f3836

SHA256
df76fb140625bd62220c0a04cea8e2864adc9985232018d81c2100628704b3c5

SHA512
0468427c659543fab419c17000dc6156a91b0ca47b461895c045b5cd608399a0d3f1599d80669310b6bd1706b16981b2c8444cf885dc1632f80fed7b14bf7ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0f74ff6d388cb828e6769011ed55301

SHA1
cbc0a77638136e23ff95b646ca8bba81681927d0

SHA256
3e2f35789604f489a87883183a34987bef9e13086d9c47d52ae98d4c38468836

SHA512
e3ecb6ed6e45de27360ddcaa39dc168cb9bedf2101df804d8f68e1effd1f5d4bb1c6ee8d73c28b366680440b2853496955d7cdf70d5425616e168ff5503442e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b35a185de3528feb8df44d5e4933e41f

SHA1
d2bb7851293ea0f91d1d0cfb5f59d930011e7076

SHA256
ea84726875eb8351010f0dab8f96fb24436c3c87dfb0abf97593eb8e7e5af9a6

SHA512
593d72d78318c80954b085c5c9276e2d822df4855deb4f68a5470aaaa1bad727a671663546e6f43c94b1e7ec4184ac816913d350c3579a8171f66d440c64597d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46fe7dec5f79792e3bb63488d8b2c56e

SHA1
6944a8f8d5df91be5e517031b40778cec6cd8dd2

SHA256
b2b702d0e89726b194175a663bdbbec4c9fcc0042848e756b1646cb22a9dfb60

SHA512
b5452c727f73078454b3a4572e04c1d54cf7dba0193e46c95e6b14a776daa212945f77406e4ffffcd82df3c10c5154fbe1f0c4874736b0839ceec4f3dd9bafac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c782b6d9d87e93fbabd78c32937509f9

SHA1
f0061f82b441f7e98d196a0ef3de8d87eb1827aa

SHA256
dbbf76f2245ce51e25501d09b7f40325e3ba84850aa7fa2f594d697a3075dcf5

SHA512
fef42e61f52f1d8fb6290a654b01027d5f1de8f9f7faece511b2af1326354c63fa41299b1e1145e4db2ce2512b352f98b03b4bfbc1386b4f5ccf007e88a0aea9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d2e87222d23d02e95e408eae4ded492

SHA1
29b16e58186495f29db9838c443e8f8f02ad184b

SHA256
16cfa3ec6f573fa4a139350b0b02714ffeb096972b152355d7f17a9f6417ac89

SHA512
636ea29e578066c3945a56e133149eab5c7603e13509db659f08b15159d2d9fcde283f788278abc84b3aec35f5be8d19781cc418645aa45005f86da4da351e4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ced608f045e9ea291144b33646b7456e

SHA1
2649afc21aa0e8292aebf068b4964e45f53bab0a

SHA256
8d8c883c0667e121cd069cea7ae1518d2f18e40d4cbfa48df8ec2841973ee0d2

SHA512
795508835af13c7bd33f44864f1f2179aec77c87af59b2803c2b1de4a04787008284d2017864b9899cad2df9e8c08b6a342b9cfbdaaf32b5c1411d5f1ca21ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab560F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5622.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit