f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
122s
max time network
157s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/vbaData.xml
Size

2KB
MD5

d11c77649d1825dbb1581af91a1c67af
SHA1

f25ce143180a53ea75a50a9163e61eb51e06431b
SHA256

119ac08d8aaf410f9b1477e460d40e6b537233080a08f90e07d3ef89aa797235
SHA512

77211b7bcaad4f617b647ffdd9f9eb5016338ffb4cd712446bee2e11b33c3e1c746eec29047397eb5e94c40b1df10edf42a24d0db8fd51e5b09d506336c06142

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000497e70453e1e9f5d12e1e39f51f309a5ccb36bd4500078c4e39ae887a470ee48000000000e800000000200002000000064f2bc62b0bc4c1246e34739bf0bd1d58e32462744dd670a0964ee8762c455d0900000003f05916efccd2730c2e9a79368ede321c91002729bd805e1f518ba103239e97f40aa9ed5c3d83ef05aedeb5dae664cf52d686eec8866f8172b52f41fb309faf70731301793ebc9aa95cdb942857f78000faddcd061a61914c07ee154c003361c582d4d07ad7a969aeae0e6ff5f140e7948ca53594dbdefb0f862c3d78c316bc5c967907cab0f3a5ec9161b088ad62dc9400000004983d20771fcad22a97e2538b70b647d00e2b560787cb23a4570e7000f6c0f81efe826897ee05d132e163f20af758b04cdbcaecc4cd95ce539c68abf2817dafb	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50218dc088ffd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000b63fad51772d058600071df13669abd1a9cfc2c71666e80eebef53541aac6dcc000000000e8000000002000020000000a3d14eca47532931cca2ffb2bb0e41805204d701f7615c1267ac09436512ede020000000acfc1e06001b77ef728ccb35af16cab1be009bd6373f6eb72c86788be9945b634000000010b23ba80e983e45edc90ae66549490ba8857f05ccfe277ba8928f4e1c51ccc49e228c69a3a386d7d579618854c1c75c38b0362162e2eb662a86813e2788463b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9CBFF51-6B7B-11EE-88E3-76BD0C21823E} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403550912"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2776	2312	MSOXMLED.EXE	28
PID 2312 wrote to memory of 2776	2312	MSOXMLED.EXE	28
PID 2312 wrote to memory of 2776	2312	MSOXMLED.EXE	28
PID 2312 wrote to memory of 2776	2312	MSOXMLED.EXE	28
PID 2776 wrote to memory of 2760	2776	iexplore.exe	29
PID 2776 wrote to memory of 2760	2776	iexplore.exe	29
PID 2776 wrote to memory of 2760	2776	iexplore.exe	29
PID 2776 wrote to memory of 2760	2776	iexplore.exe	29
PID 2760 wrote to memory of 2504	2760	IEXPLORE.EXE	30
PID 2760 wrote to memory of 2504	2760	IEXPLORE.EXE	30
PID 2760 wrote to memory of 2504	2760	IEXPLORE.EXE	30
PID 2760 wrote to memory of 2504	2760	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\vbaData.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b43595d2e139587337a87eeceb111c3d

SHA1
6e65a5eb77740737355830fe6240c638f22e8658

SHA256
4e5f29f4f66e1c4540788d558d96764a32b0d0b4aef178ea66a04b90af898c61

SHA512
096140ba2a016612f86c1e48c4f4cf81e6cc57cb4071ae6071ebedc85791a6384731942c04bf3f9dc36e236fc9f49138f20f9258cee59002c7f6dc59908c9231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1bba8108eced94bbfd8ac8b5979e2d6

SHA1
22faf8198feec48fc480f3df35a4b4fecd41af5d

SHA256
2421dd1f242d189f67bcbaff374f1ade8b1b1093900ae6820fe81214115d298f

SHA512
2886bf190be3d78b33cdd6cf5ba09dac35d9c63c60fb1872266d80ef2d68cf4dadaa6d706fc9c48fdcb7c70647cf89196b897287c6f8af85380e4a490a2e5d6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ff781b4fa768541b648ecb3562dce66

SHA1
7cec0b4430f2d41f264c1e4d51638c2cce5d5d7b

SHA256
4de89074bdc5370cd3071052aea2b75c624f6469eea8e0ad0a9fd7260e9e0cc0

SHA512
1aa1981fc5739f5dd534f07095bac3713eb4c423bcd8505c4e85bfedd8b812d124785ea96beb1b1006279927ea71fbfe9e50b8b13b9b2019d759f6ab05fec97e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0523cab11f6bf74bc2654c1c7255b0e9

SHA1
c11efde3fcec6a8b4de921893a86b26de5ae4a91

SHA256
5843322d915a3fc15e54a6a3665ac9074bcc5498daf4cddb95564b13a0de7f61

SHA512
40b662c5a834d560e1ac81cf0c15e11d737ef5aafe17b3cb194f50118197eef5460b51cc91addb53e631261915ea1d6cb194a9068a4a1736f91c5fc35c0d4944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20b8cd568c055f8e0d6b5e370c0b2634

SHA1
63608745d1504bb4bf121c7bc232ef6fbf368698

SHA256
db038ced3b968d836f7012cc186a19c848f9aa7c8dddad0d8c30b1c9a62c08a2

SHA512
93c82483838b507a314f93c0fb6bd03b6b774d68bcd227b73126274c993b34f3de8e3553b691dc4ef236cc2180707182373288410a7b7532dc17afae888109c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee7c0a3b1a93d405b688f1be15baf0f3

SHA1
bd10a1eee5feb8770c552151a5d2be142bcd2b06

SHA256
66beb48ce7e3cd6b69ef4a1fdaa5687f2322a76745e4a19d54a0873fd61a80a2

SHA512
72fc58ff584bd6f4262c6ab6be7ecbe34ab89948432123113fc9e3f690cd8e0b9ee115926ec7eba44a89a9afb90b9bd5ff438b8f668b53433452d228d94cd54f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61f15982fe6fd3ca73560cab4a8a3360

SHA1
f879e842eb8a1be816f24e7575ca162a3946561a

SHA256
157d3f980672a1973591bab6fd841555bc5c692c2bd94cd67b822d2368751850

SHA512
44e47dc25d7d3a6fb45ccc9ff2b7522f7a82a1a655efef2a1c2f818c226d2571f63d69df2a496e9d6a4090fa5b8c2638bfb5f36ff53864337055057a8533bca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc378bdf1b7eeffc968516f823092a6f

SHA1
94062573daa978fae648f3dd40f724b1ae51a6cf

SHA256
c5161e7ac79242f6fd37c0fe1a02d8866aa2178b310de61bac4d881290ed6d70

SHA512
bb53c7fa3d72102eb3b8e1389f09eb5fb5c49bd0bc0e0d7cf1aa3ddb70f17d931e89b279a6c897d0b6ab812112618ebda102b599ced80ac1baefd3082553af24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
782727e37e258a9244243cdf81f6864a

SHA1
8b1e11a5dcf172b02611d7cb9d4f0c603b09d141

SHA256
caba64eb2c0a4a6cd1897d6f9aab7321693a81b59810ec225fe9ed1dc7d2a5b2

SHA512
acceb2c8cbf93ada9ddfefc2e5f934277912caf4d87f59c63a4c35a750b18d91c9416f96c1976d7a7ca3623592929961a4b9995c6651ebb91bdf6445b8928fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1536d22c5ab10ecedf1942dee624963f

SHA1
2d697af3a671cecc0769a935c5b4e7a3b1fd6be0

SHA256
8afc15cab861787d80b2ac3b7fbe0e4d4e9c34a81c45cb0d216b08eef7233560

SHA512
673768ce92fd5ced598ac25f6cd87a729ea03d46647b95c7fb548b92e812759b4ea95a77ada067a97b2e20bf59ca96fe13e2f38b250a15cd32ee449b6e59400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCAC0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD15.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit