f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/theme/theme1.xml
Size

8KB
MD5

2bc1ce59fd7b0a0b8c0c481440aff611
SHA1

3af65e014f0aacc7a5070dd36206b33c324ba156
SHA256

2760e6e84d4bf365af6570192dbe9cb57bb32653388d0ea041d116b25b1ca0a2
SHA512

cad8e8f90aa4ee2fa6b4e5a9c20ef0f876ccc3d6d2f8978f176308a1e3a8c86e57fc0a505ab8d22a89b60b467ae5a6e844613603e192d965564e0583dd6e5574
SSDEEP

96:xLM1d+8FNk/VmWHS95EUUwctUNoJuLIMFNk/VmWHS95EyUwctUNoJuLla5H7O8jE:xLM9AcCnGuMBR

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf8120000000002000000000010660000000100002000000087eebebaef5036db9d357a24bf8ecf947c23e7e1135f4fa6f4032f877ac4c023000000000e800000000200002000000092a6b1e48a8f3b822738a422a86d27b24c5e80b548c4eef029d9a75600a469af90000000e7a74c13cdc3166be1c028be05547e6c8bf442dfa0f48f5a9020d4e60959d5396652d8c73767892f3ef0940665fbada3acfa377604cd6abe55626332590ad3d762ecf168aecfba45b88f17ce7d7d82b253919d38d30c7a7566de1594a7661051fbf212bbfc13c0f38d838241edd5eb2fba4565ef56f724787f0eecb5834c44aba57af3e37681ad4640f6ebe4a92ea9a7400000002c7a6797247348dbadcca8e009fcbe98ce4f71c93def99583dab70b2ad0fad2640d571dcca85c8474484e24b359f36077bf0f10d31a5b195d5fce1418d8a2bf1	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C37A36A1-6B7B-11EE-94FE-FAA3B8E0C052} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e1189988ffd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000008234d92e333ba51a7da60019fcd39b52acc68988d9c26efc9cde67bd30de1288000000000e8000000002000020000000e5d56cdaf7854c84cabcda14fca0a63a8922f56e64fcb466e8f6c2919b815b64200000003886568a397aec474145c4bde7baf7374777424b50e220f0a8717d59373abae8400000003d748b1f579db1f91272abd4fbc6af6b3d6bcff7061f4cd38f85fa5a82903de21b64c174593398c0127354fc0c1bfe9ae6dcf435438fa02a0d09b93d66173413	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403550869"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2628	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2628	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2096	2972	MSOXMLED.EXE	28
PID 2972 wrote to memory of 2096	2972	MSOXMLED.EXE	28
PID 2972 wrote to memory of 2096	2972	MSOXMLED.EXE	28
PID 2972 wrote to memory of 2096	2972	MSOXMLED.EXE	28
PID 2096 wrote to memory of 2628	2096	iexplore.exe	29
PID 2096 wrote to memory of 2628	2096	iexplore.exe	29
PID 2096 wrote to memory of 2628	2096	iexplore.exe	29
PID 2096 wrote to memory of 2628	2096	iexplore.exe	29
PID 2628 wrote to memory of 2732	2628	IEXPLORE.EXE	30
PID 2628 wrote to memory of 2732	2628	IEXPLORE.EXE	30
PID 2628 wrote to memory of 2732	2628	IEXPLORE.EXE	30
PID 2628 wrote to memory of 2732	2628	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\theme\theme1.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
503bf5f3ad2d68cfa6f86e0d814bc013

SHA1
1ab2bb31225181ce3cef566179d1cfbc4b74bd8f

SHA256
d33f0e67bc6ecc3bb935573860bcaa3610ed8d17e340eb06f900dd146525ca61

SHA512
c111c94f91184436902e005ff28c0c9d084a451f099d5f35b506f70f3e2a2729e154d8dedb2d26beec3b99969be4740f9fff7733420f827f245d89d8f079e60c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21c91617a79f9f7e6c2b4fe29e2f6cf3

SHA1
ee7fbe31b55db5dd3eb7eb9e386cd90a14846953

SHA256
437c4f504f72e7e2f62f4a2ea776aac4577fb541a06ef0a74cce1fc79c21cd74

SHA512
7320f2f0f9437ab156679c9cc34e38c0239a5ac1c48a74140b240e3d43f4e39964b77fe6ea5ae5905d6309d015c2159d0b78ac4e3324a9106f03304030c9b7af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b30e4ae8721db9fd856f456a8daf4448

SHA1
19e8759d78bd950f17d22deeda51057afa26654d

SHA256
172cd3f755d9c15b46324ad1e8d643c85083517e7b47a8111ba6d1d2799ac2f1

SHA512
2f894e8331f8df703d80edcc8d7f57f957a6d7bbe13afa5d2ef81ac48f4461ff806a3152ba06550eee3b03b59e91d146fc6008386a911add79a1f917571a4180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0369f16df44a34dca83b3de6b08c01b3

SHA1
67e4ba8fe9b9a949064308ee58609580e6f220fb

SHA256
41bb054eabfca9d6b7b9115d8205cf5ef181c99f37a7bc21574ad29e0dddd625

SHA512
d77d4c2d322d5cd5b9f4552794d3ec14a0c7d1822877b9cb4fd7caa8c482b6a1fd91c29042ecc3038e5014939261e2184c272ce206f9b61373943e735f690222

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
770e1b2c2ebab3d5dc67c78aea386ff9

SHA1
028da4b641fdce19410f6be3b9490f428052aaa5

SHA256
b29c8863ae29659b221571e8de5847c13e797509f77a4721e58afa198fb3d57e

SHA512
8496f58c8307f6df976f96b68a99fa74a7246a5fb50e1265442b5e8376285036b465c60568dafb805c3c93ebe0f9cb93fcf717a18b14fbf637ec695dff0bf732

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8623b074ca155aeeb34aa42573a37ed8

SHA1
8b364562b8da1813f38e5c31e09cbdc893ad52c7

SHA256
156eb4520cbf22e1747adb0db50b6405cf3e5d5cef9424d86c595a7f174b18f5

SHA512
ba5c1b64dddee3b02b1c1f60252675bbd1057bf3e1f20560b686b3ace8591ae74feecc8865221fa17248e1c459fb147684aacf3aec8de35c55b5fadc385e232b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab93C9.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar943C.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit