78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631

Analysis

max time kernel
134s
max time network
134s
platform
windows7_x64
resource
win7-20230831-en
submitted
17-09-2023 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free-text-comment.xml

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000d64ad76640dba47f36e6d1187c1a8925f7a4c1d6bf84a1700dd8b21b21b3eef7000000000e8000000002000020000000612dc3a99ecc1ba8b1827ae09599ba16b12b51b9a7cde7865a5237fdff4b228f90000000b58b8e7c98b58ed05fcd02bd8086e06ce616c887351ff3c8a61179f0e0e0f69af6b512741761ffe82be441458708791686911455c1204a4c6351d5a76635a85e99367524470ea7f0ae1a3ebb0f225b41ddb3677988f4403268137e45dd264760080eddbb5c8b8b4de557c3003bbefca160d1e3179dc4bb945d2ea9a7c034a9f5d8bfabc89bc9f83ec6dae7db4604879d400000001b6ee562c2d9352d55869ddf3fd7c7015ce4e021cefac23e37a118869e7c3b67e27689bbfde8276bd87b0bff6d8c37c2af44b6201972f96a9d36fe133fcb34e2	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401103105"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000ff779e8a8336ec422713327c18c27b98cd0c8b4abd3000e7a4acdc3ca6365945000000000e8000000002000020000000ad42d2313d9e42e8f18b1a516b02d6b1130e0330b75319fcbfd7ebcf3d301982200000006566aa35be0270552fdc02ba43728f56a5457fd8ef3d886b3fe7f9072d35e96c400000008030afd6d9759ed02d7eabf1d81e141969607d9427e8a0a4d45f177b4226650758260c9390b60037028ae367fa7324a6cd8fdfe0e7554a9ae26fcd9127f530d5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA304DF1-5538-11EE-AB4A-6AEC76ABF58F} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0533b7f45e9d901	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2324 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2324 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2324 IEXPLORE.EXE
2324 IEXPLORE.EXE
2776 IEXPLORE.EXE
2776 IEXPLORE.EXE
2776 IEXPLORE.EXE
2776 IEXPLORE.EXE

pid	process
2324	IEXPLORE.EXE

pid	process
2324	IEXPLORE.EXE

pid	process
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1736 wrote to memory of 2408	1736	MSOXMLED.EXE	iexplore.exe
PID 1736 wrote to memory of 2408	1736	MSOXMLED.EXE	iexplore.exe
PID 1736 wrote to memory of 2408	1736	MSOXMLED.EXE	iexplore.exe
PID 1736 wrote to memory of 2408	1736	MSOXMLED.EXE	iexplore.exe
PID 2408 wrote to memory of 2324	2408	iexplore.exe	IEXPLORE.EXE
PID 2408 wrote to memory of 2324	2408	iexplore.exe	IEXPLORE.EXE
PID 2408 wrote to memory of 2324	2408	iexplore.exe	IEXPLORE.EXE
PID 2408 wrote to memory of 2324	2408	iexplore.exe	IEXPLORE.EXE
PID 2324 wrote to memory of 2776	2324	IEXPLORE.EXE	IEXPLORE.EXE
PID 2324 wrote to memory of 2776	2324	IEXPLORE.EXE	IEXPLORE.EXE
PID 2324 wrote to memory of 2776	2324	IEXPLORE.EXE	IEXPLORE.EXE
PID 2324 wrote to memory of 2776	2324	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\free-text-comment.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3c3524a9147c3a3479e4b6c8f42e240

SHA1
bade7c82047e55c16d8eaabc6c72e6033ae7b164

SHA256
440a6ce9a4a01e414d9b8ea2bde8577186996869e7444f9370a22c1846848e11

SHA512
4f8b97408d72f7bdd2d380837dfc9605e81055a013ef5dc062307c6ec52974b8e892fe889289f42f961ffb1021fd61aa4ef7d589f365aae59ad7525e82c56c39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9cf39c7b481d044b763245f3949d4e2

SHA1
446d2d228ddcc469a4fd0e65b1f614b5462ad11e

SHA256
e3088426316607bd5748c4e68829939e28ae131ae8a32fba41756ffff2af749d

SHA512
7ab533330f387cb86ec32500665d7803b9456b61e9bd191d36492432e72b5b909418d5d23f6a607604d075159e0878607cddba43efe9c0aff1aa8be4e1388f0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b459f7594de5d9d91c496a02f330da9

SHA1
2dbc253fa831e3a93d80312667c7da6e3e5a1582

SHA256
cc09845a5b5b225a773945583d4db30f72a75fd15c831363dd91c738464b017c

SHA512
a80dcd7ff4ad0b9edeca8f904bd0417360ba2e74d55e53f2f4a187a444d23e30890b4bae3a33b1f880af1cef6cd9030668ed71d343f35112ab0323d4a5f8c572

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
958a6f2012c3c1121c35226929b24252

SHA1
0757bffffae71a53d9356536ee5a7c561886f7fb

SHA256
f37271879c6daeabcf7b037be6be94c739d8f849a462c9020564272fbdbe49cc

SHA512
b09a6262dbd914ae2a7210b8bd7fcd78ed2a1613987ad83e39f1943335009d408d2f8b5122ea93c04ca1eba7a5e75baa80107d61532d174723b7ac50bd151f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c1605628745e4e770cdff32b42439be

SHA1
9741741e09a8d455e49390b75f6b752fa93ac9d1

SHA256
1c5883544f9d24e21b422ed277b988b9808a6086d45e27ff30480358172578b8

SHA512
a2d54e588a86cec8b188b612381133c9bb993a496ae34b94b750a461c396946046b22832f6863127915ac2346c202028bb0e0382c8e0f9e6df9cf36e9693e32d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06cdb13c968675f5ec3fc35028687b80

SHA1
23bb05a108d3f5d262e3615c92a9a121ae1f730c

SHA256
19712e18003e3f8f2d09564e9237fad5d9bdbfa211a1236e977418593d8b9395

SHA512
6254a5939e649540ad8b11fd0a3ac68822b6d000f78f610138dfdbdb479a83d07de6dc6ced2d03436884c97d1bf95f03eb128a34ea285305a6fb954a4a7976e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12c79982f8b80259186986c0b2bc9448

SHA1
f7eb64bffd5730752c1b704f35410546e7b89b5c

SHA256
85b3e64561f8f815c6d86ae050e4e01400f073c5b4ff199afb34cd264a242053

SHA512
f9bb0a7d3cfca3fd7afd726546a7dedf3ca3b685f8e09cb3f85a6f44392b0ebb3eda2e4de8c0454aa89ff28d50a30a3cc62d4219b340070f9a6cd413f4c088bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
539a98ace4070c698fc9f4a6c4784778

SHA1
23ed204c4a65c44f4461a560d7b19330871fe38d

SHA256
640fdff373098c2b0dbe8b32c0c61ee7354a9197a9cdd776e8563ab705c6240c

SHA512
ab89858d7c1fd7b78882a529f19c3e15d421983c1aa5411ffe94c69ca57047984f6a1a340a33a0adb0d7016f3d3921968d48cb3ad349f7375a93c904f02e06c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2baaeb24d66ba190703d681563b45337

SHA1
a3b653cb0785437443b292d8229712e99f451dc7

SHA256
d2f4b496a96e2de764a542b0e91063c35ab1c334585aaf4d36306eeb378e7198

SHA512
52ffd1db8236f757cae98f6c3680dc09e5c79155ec88eb07fcbec80f094ebfaddb25c3b2e0052d6b1d9bbc83ad935402984350709c7443f51d1a436b756d7d9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
104fbe173d4599f5ad6b7ab5d493ef76

SHA1
c9aa988db3093d9176212fffd2f0535ec5a19ee6

SHA256
5b1f3234fdf80c4f510dda095a05a291b2cbfff88162e34c5e451a581bd05bd2

SHA512
24540b4719eebbb8553d49d020dbcd606c17a10f0aa046fa1724c77c52559b9523beeac870b2cd3bf89f10bd70491d4652c178e8170eb673ad2bca1526bce5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6404.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6426.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit