b59d43079747f8f280d0f2080cbee060e9fb7d3e0ccdd2882f6f5ffcac350efc

Analysis

max time kernel
136s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15-09-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arrowdown.xml
Size

706B
MD5

370b1a14d1e77006f779a39dd6dd3823
SHA1

895367fdb0fae4ba321795779147c46b3e164899
SHA256

49dfcb4513d28e86284b95f425c37bfe49c3eb2d6da932cc6f776e4316b450b4
SHA512

4373e3a733694f7895e62d72b77032971afb7394654da3e9d7ca62f19bd0981e9dbbdec5c2e580937f3ad86fa1b2232c7c4b08d4fe53207910037f6d75d06ef5

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f0a51320e8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3EE96111-5413-11EE-8DA5-4E9D0FD57FD1} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000c9a9632b047b97d56dda1bf3f123ffaa4dd3e73122e266ba9b86f31cf60bd1f9000000000e8000000002000020000000049965ee41d921ab911b67ca33b7563b87892d235e4aed56ee59d2f50dc4146b20000000fdd7a52824143da550f8b5a25378bb805b2b6e61b0126843fb4cdf9b7ae20228400000008a56185ac413473d1b14717783927bb605180752576afcf28d1a98501aa8247fc665feb2a0580389669e33a9856d309550a80946c6973ff65c4e21927db2a957	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c3000000000200000000001066000000010000200000006177ac5a931d1c112a7e3c4c56c5cb4d2831185dfd885944f5baa8c75c1bd352000000000e8000000002000020000000d7cd2278d5c73e0ba5f466cab7756b42c019635a19d1209cbfffac45d2672354900000006ad61af042aabed4ef8bd11d7d4204641337aa48303d47f594c9f076b4a030b3c6752aedb5d63dae0998b5b1e885be4bdd1c430c078d5f909af9a9ba5b1e390a56b63e687dee8239d0903639b5aa07ed4f3983c9d5942c101e154137cd8fd275ce8f118bff99963a36e739fee9f49e922b609db4a3e12eea2e2157042bb280fe70d3a5462ce74d1c8e2090d6f717e293400000003847e86107092b8e7c4c563903165617aebd0155587dd188f8b949c2f36ae5b2727471826463e47cac886f0d47c6f5d73e6083eff0a8b8fa258f5a40f96e806b	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400977080"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2936 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2936 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2936 IEXPLORE.EXE
2936 IEXPLORE.EXE
2548 IEXPLORE.EXE
2548 IEXPLORE.EXE
2548 IEXPLORE.EXE
2548 IEXPLORE.EXE

pid	process
2936	IEXPLORE.EXE

pid	process
2936	IEXPLORE.EXE

pid	process
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1888 wrote to memory of 2104	1888	MSOXMLED.EXE	iexplore.exe
PID 1888 wrote to memory of 2104	1888	MSOXMLED.EXE	iexplore.exe
PID 1888 wrote to memory of 2104	1888	MSOXMLED.EXE	iexplore.exe
PID 1888 wrote to memory of 2104	1888	MSOXMLED.EXE	iexplore.exe
PID 2104 wrote to memory of 2936	2104	iexplore.exe	IEXPLORE.EXE
PID 2104 wrote to memory of 2936	2104	iexplore.exe	IEXPLORE.EXE
PID 2104 wrote to memory of 2936	2104	iexplore.exe	IEXPLORE.EXE
PID 2104 wrote to memory of 2936	2104	iexplore.exe	IEXPLORE.EXE
PID 2936 wrote to memory of 2548	2936	IEXPLORE.EXE	IEXPLORE.EXE
PID 2936 wrote to memory of 2548	2936	IEXPLORE.EXE	IEXPLORE.EXE
PID 2936 wrote to memory of 2548	2936	IEXPLORE.EXE	IEXPLORE.EXE
PID 2936 wrote to memory of 2548	2936	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\arrowdown.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
515d2ab99e58965b31404eeaa4d0d222

SHA1
925f3d9511db86aca8dbfb6b3dad374d19245ea5

SHA256
ad7e4b455289db5829fbf1b83a08afe6a14775022cb2171ad8d6c2379d643ab6

SHA512
9e207d8ab399809c66cd06fe4c60cfb639fe92baa4e511b42fa2fff5e5f36ac936d7a6462b65b6d98f292906f2bf02eaf4ea7ea318265bce0e9a7ff47eb339ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc286fa1860e7d96c96749754827b7ca

SHA1
c2d4bf20a5e5c786acb5c686dea6714a65090d88

SHA256
304c1aca2d43595a786fb04d13784fa2d96cf692c48513b29a2e219e48cc1a4c

SHA512
388d7f7d1a49d63b1719c1fb38844fd4a4bc0b46970f79a4745eb9a167771ad88c559a0f553a59c3435db1ee3fe235ca5365f8f9773800cd7378af229d4b1ddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa614357a1665b33b77dc4c125abc11b

SHA1
66731a19ed25205e1752cddc4349b8517f7792d5

SHA256
2a748691e5a05dff2176463d756d727a10fa80ef2081caf4c4621c216e2ffb30

SHA512
c86fa62544a702a2aaf0a731f89bde0a78b7d0a5e436f3f7ec2899e9240b4862923f00be0c6ad226e9864469b6e28911dd46bb52a07988ba7e2339727d605f5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1220a05f8c25f15feda08658e4a4c9ac

SHA1
11a2628316bee60518e138853d12d6f2661cc69e

SHA256
cd870bae9c19bafc6a91dba38902fb8413b8bdf61e57782e80f27e353011f25b

SHA512
2368fb8aefd4e4eaa7613f96f7555698c885421ed465472bf1b9274f34823942f177aab762a00e8ac31f85594ccceafdcdc525d0def6adebe3a5d38de1857682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
420327d7db086866619a7e0ff46e6995

SHA1
e8a0eafb7512e48e85ca7dd930fe9ddee0ec40be

SHA256
3c0ae6f5ad37beea457736e5c3373183c47149406d6fff3ea774ec8c8b32836f

SHA512
ac3e5c8d6bfbf01f624a354dcd9dda5309c77575d4fa45ed89f367ac646a050663aae678a9c3cd2298bcf9288f066225915bdad5aa8703a5fbd5ad7345101815

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8eab5e59ff8d79d8a457531613bf21f5

SHA1
6c29b1522289398df06f62ebec8c69c3a1332214

SHA256
4d37a438bed32d6f2dd8206dfde02471704c4438976469a8841a75823e134f78

SHA512
59a6b88e691eaf76b8ed7df6c27686462bcaef1b7ad78aa0dc28eb553df7fafd565c748500cba59093328d3100bea8f3c2835166ed6fd4e208e1a5205cf76891

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0dad8e215c7dfb965ddf306d5332c8c9

SHA1
1aafa0db95e4cafdbf5029693592a7ef69cbaaea

SHA256
cd2966bfeeafc0b30da8a15be1cd5687478d47a3684058c6c4dd9ce000265d44

SHA512
f2d1b84461a70593da8f85d28f96405c25b598064f7ec20eafad4ffc05592697a88694acfccae7bde7724d0561685fc4297f68a993ce3c3299bf4d92f908b0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16e34f660bc6be1eab76fbbbccd93fbd

SHA1
14d5f49f839f5b731a9fe3156dd946a5b7b48a66

SHA256
26a58c2fe76267e69e57cb6b306d4b23c5bf309472ad60b17fff78f792dd0dad

SHA512
1b1f33a36a47a8e01f7244ba4f0fcd267daf74e52a4206bafe5fde906e160552a31d1e7438c2262f44dc0e665b6ee6fea96cbd334165cf46415d83a20e83062c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
502510abd21c3317ce387331b554f0ca

SHA1
7f30b15e0e7cb47ea625e53326ed459a42e3b3d6

SHA256
c35e105266f246c8531d39cc2f8d794cd4489aa83afb9686698ae63e81bdda38

SHA512
fc7ea84dbfa89912d5f98cddd9a5427ef7553513d130f5da91f421f39d39a4022b23e7a126fe29e5118f6bb18bc0ffbd42fb284572da3ed23fccaebb9f569221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ed31cc69c8fd40352f0d1c180599924

SHA1
78b3601212631ca7e05d2d2a59148b0a8dbe215f

SHA256
48b10427dfc8dec83576b76bc3d26dfb1c5ee0c3a882b8e61ed1d89baa4a3c3a

SHA512
b531af349f174d8b1ac0c20f76e223b292e6b4864175a0e2d96d6642e6b47c86c4342ab9e044f88f2084edd836e92cf728ef9d79b69db7cee36b860d5452afad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e36260352754c0439d8aa421ea2ea6b

SHA1
68069f37c4bac00a8f6cb63910337f54af3dd1d1

SHA256
2c968f03686cc85fb0b94a812503478be0f4c21a74376b0410cb62bf12daf27e

SHA512
e47e0afea80d2d9f4f30a702441408af75e1eecd870e5834263faea94cf98cc5569ab62a60e2cf626e88c082cdff3502649770d9d9e42adde91ae17a7bda825e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43f1de764b4ef8e6fb3b7c83614aad9c

SHA1
e81be76533b8e0fb2a1a412e7a04e078e933334b

SHA256
b6cfc1ec00f8eefca141dc8019a7fb89dc631e4dd4be17e66cccaf18aa968655

SHA512
bbbeecc4dd4875ddb94c50b76d6f8ac43079f94a725fb706d533880857484f2ed6e6b4fc3a73fc5bf079d9d92001d8477a8a13f9b14c26bad6842537fea9ce02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7caf72f760059870ada201a3f4c0cb3f

SHA1
af9c085e09abfaa82db42ba3325f83fc299fcdae

SHA256
fbabb17856b7c6fca69f9d5f7ed22a4cc39cdaaae75822f75dcb042ed88d76bc

SHA512
05661fddb6e5f1410b8f49c35d0e49792b4d6e8b38c6dfa29ee72f09433c3d2cd83ef34ccca044b85bc9bd55c64c67b57fcc27ce75ae065b4facf636fdf25461

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7301.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar73FE.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit