b7e59768071d2e1fa278737c39770d2c712cc4c7c9a631c42ae06b7acd4f679a

Analysis

max time kernel
154s
max time network
189s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AchievementsDescMD.xml
Size

11KB
MD5

af4ede98dc235d01a6fc91903f253c6c
SHA1

09ea0f45d0d467bbc8891ded1731a9ffd50c122a
SHA256

8b11ade6e627486745a5e9c598907e80b14d297e4e25977ec54b20c8893fd0b0
SHA512

1e07bc12797f5890228e657584ad7325da7d454514e3e4bb0a1c4e510bbf4b15e7d4b6fa5c99197ad10f653580fb0a79330cc81ee96f5ab1693c16cc51aaae14
SSDEEP

48:cfy9j1ZkgulyBYGmeCTuP+ty2IqnWKGOfeEOfvBH1mUe0pWYasZHZolitptR+8qN:Cy9rljBYl1wxXKGYqtnz53pvQ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000002291f65481fa90370a3dea7b7111a264b04005ce149933f09e183ac9b8860897000000000e80000000020000200000007c7532f3e4995d3c942e829bea41483311dd6dad7f754a0392f6207c2cb29c40200000000c7e0c82c8fc1b048009c99bc76ef21795df9e780a6e69bdb8d02379ce4ec57e4000000037a36909b8c4a5339dcbe98c6c53da8d8a72a380d14500c3c12be5c3e25094d8c31636d34d7f32bdacc3c565acc83081c17936fc9b21a92325b9e9d8b2dbdb31	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7096ec0082f9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0CB1ADB1-6575-11EE-9FB8-7AA063A69366} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402888262"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000006a1eeec7e924bb3c7446f9c41044622b213c5e8a3f5d7ea13bd94ffe38537810000000000e80000000020000200000001e3b2ffac2ccb407b56ca25591140c413869899d08ad7ffad3ea47cba795482c90000000e35685d64d6b2958e86a614a4d41b9e5e8393108aabf5e4e0da19062a1c9631503f460619d2e929d8099ff6e57637ff77c7c04210810b80ba8fda09b22ddb033911c34af291af1757cf2e08a85580ae0dc8de51c5c1140a4e10194ac3e389293acd3f2cc171c69afe245040487656960b30d028d441a56289b7a985c68df0d87269d348411ff48728baf52c4581b31974000000093e602dc2df75c21bd706e546e355e8145ba914b2d5ac0ceda1db2b6cd5ada31ec78010216fbe017d0dac6898d87329689224c661c275244f57ad1e0ffbefc57	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2508	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2488	2920	MSOXMLED.EXE	30
PID 2920 wrote to memory of 2488	2920	MSOXMLED.EXE	30
PID 2920 wrote to memory of 2488	2920	MSOXMLED.EXE	30
PID 2920 wrote to memory of 2488	2920	MSOXMLED.EXE	30
PID 2488 wrote to memory of 2508	2488	iexplore.exe	31
PID 2488 wrote to memory of 2508	2488	iexplore.exe	31
PID 2488 wrote to memory of 2508	2488	iexplore.exe	31
PID 2488 wrote to memory of 2508	2488	iexplore.exe	31
PID 2508 wrote to memory of 1704	2508	IEXPLORE.EXE	32
PID 2508 wrote to memory of 1704	2508	IEXPLORE.EXE	32
PID 2508 wrote to memory of 1704	2508	IEXPLORE.EXE	32
PID 2508 wrote to memory of 1704	2508	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AchievementsDescMD.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a02d524859bae699a4d15e928b0bd928

SHA1
65547e805321e99c077ef0a1ca5bc8d1722a2217

SHA256
596a3b5fdb2027281b8095f8d0682ed2f0eb79fd015e0e82a5a709d33b17faf7

SHA512
5912dfa675c7477bc95cbe03d6f957a95b45a1640e31a1aa6aec78f93f71525681e632d8443644c2bd7007d0708206fc6574c4ac73686eeb65ef04f8943e4885

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a61c258a1c3fab4b6218dff0dbad913

SHA1
ef9d9f1ebf6f3b002215af744af469d244b08824

SHA256
b2bd23960fc0c85a0d8f6ff617ff2e40cd5dc4d41b621f3374508862f4c8df0d

SHA512
e217bb54811b8aeb781291e53fe64723cfb6b6b3e1ddd7516a6146a5460f6deedf89fa03bb2763d01a30de0b7e72abe14bef3e4e951aaa4db29e2e5fc73fcaf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04e158824e51973b2ca0250871806a9d

SHA1
caf6c3e4369a334e1387b9b456eb8aa85c1cac26

SHA256
c1984f4e8b32a407ef15b443b9c1544f3e8114c1a39ee2beff168773faacbda9

SHA512
67f6001bfda23c3314c4a7a5088f0c5c1fd6de1bdfde21fc3704f5336906c6577ecfa20b6d2a73d514f54cc909337a0df128e0bdd320fd3e7b1663620e44efc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4acdb2ddcae526e5a130de41dc54e76a

SHA1
913e43ebbecd59ff6e7f4cd215d2556e088d13eb

SHA256
11ca7d6a1c58dfc80d93acb18c6fec498d1ca6b1f4e2b1ea2088225111970f86

SHA512
621e01bb79cfa30a0c9615c640fc881c2a20a9cdaeb6b1a565a306418f057a5b8c6b5967fd44c8d27c4e25d7d91614b8e1c4909f51fb863be7f2321465f8190a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7857d041474c43efd1757f545ae0ef5f

SHA1
3d1e5fb59c7ac598b26305225d6ff786b149fcd7

SHA256
5d110d2fa7768a1b4d00cbf472aa293bfc2d22d1c63b0c945d99096024afa56a

SHA512
0d48415389d4d20842981c15e7a4baf241aff7e064b2b337aad4b8107cb345f4702c34b5b3d1ee3a5c3c694cf58b243a8e049cc31957e710b3796f0c57e786f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f9b6233654033a4ac3052e759872ffd

SHA1
b1b3f48e29a78a770fc2a1b6dc9db59c601e5a31

SHA256
fc80f707ebd47aea9553515081db7321b13a275027ae4b250ede57aa87b84466

SHA512
3745453873444f2b866acd1406aa919bc316ab906b5a1e774f64860d5985051e29fc0116a78d5fde4de5a10658951b0899057640269f4bc5962f890d1322e271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a8f885358ce4a89812b9febb7d3a231

SHA1
4342d0dd385b8fa2120431ae7f8a95ce3ed7882f

SHA256
4aefaaff83b120ad5a06e7f6ff59833362645d06c532bf387a16b93fc7fc81c8

SHA512
d05c4503030feebdaa6d5ed796ec30c83c7dc90bfbf4badcd30674a315fbad2f91a25d3bfbbcc8bb1bebd5dcc6edc7046d8e74525468d57c1cc60adaa782a68f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
340300b9689c4d2b06f2401d49b781c4

SHA1
648e5c46b6ed363ff5babf1cd2659228cfbc62f6

SHA256
104fdf7b21e73412fe2df551a3fd3ccddaae99f3ee49c5c81f8925e14e70dc29

SHA512
834df072b165bc787562a0605ef4cebf44d53c4faa778afd45a8417b981bcd917f802802d5840828f6bfbf4b29da923ce867e4fc46ecbacc6380b6ecef9d6a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fff1df85d157612581ceff3c190d7172

SHA1
5acbfee59cbf486f5cabd2329912d6d09b94a39f

SHA256
54cb6cdcb630d6adb2ff1287545a26a66c040694d33278115b2af975394a86b1

SHA512
d71b11c60fad6a629bf78476ef293f493edb1b029872a51e9a98efd6e42b8da77d739bcf7b3c6b86f404b884e97c68e6fb8dbc89189473d527bc138a5c55f426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec2de41c2d99f195eeb558f09bfa060d

SHA1
c102427edc92697af3cf5d08cba96c49a424e673

SHA256
5d38045a54e0094c0fafad1f169ecec919cede2e7161f877bf319bb76479e9e1

SHA512
e29767ceb7df3be8c1da1bdef8e13f175745bd0a5d28c0dde04f3acb5f8936038894e49f9d9f438bf79d5076bf7edf63d782069e7137ff262dc54ea5c7bd8ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab13B.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2D4.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit