f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
117s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/_rels/vbaProject.bin.xml
Size

277B
MD5

dd79e6440b0515bfcf771c2c5286a2c8
SHA1

40dc1e00e2663cb33f8c296cdb0cd52fa07a87b6
SHA256

c97833e6456aa2bfe9be614f9c3ae41a8ef764b1cc3af92c6a6f273c62309122
SHA512

461bcf63f03a733208cc31a97c649b5dd4e4af9f8b166e69eea8094ca95c4189f5691d7d3ef4e63ac3ccd8202b46fa9afaeec97a03f99a04205db9ab4ba16148

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403550854"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C6FE1DA1-6B7B-11EE-AE34-661AB9D85156} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000e9cf99dc8b0dfa07035b3f89cd7245d5dc1706b276ff3e689cc3f415f1d7b472000000000e8000000002000020000000cbd65d238ff3c02797d3d8f41f8072150c62ba45c3e5762ef34281e8ccc281e1200000000330985fda26b5be8811ddd267ed5d47e27417836a924350200940c368775f9a40000000116dd6fda6a0d2200d980736c8354fcfbe77aac8bb5083945a5bc711f16865fa882636075abbbba4c30a3c40ddaec992cd667b8de898e25fed0cf1cfb8876c76	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50bdce9c88ffd901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000e0f381957869101733101d8dfdbf9c30751a3148c17f459e719b6c044fc7d326000000000e8000000002000020000000bc05eb5245226df3482fb274db2c8c09b590428f6f2af045e47fca99315ab008900000007beaa481bfeaf1fbb398880545f6eeacb333f49be0ea7ddf8d7d0368f23770af745490257a85e2c87aa45b0361f21ac421aea9411057dad22f267adf3938a41927e5a1c7ba66214d33240a99ef4c3ffb34e97de802d8777a250f02b0dc6ede7fb4c7052ccecd57aac0e5ec8edcc082f87cce9b251e4a129ce96e123c5cd2ec6bc83a04622ce3a860661aad303945d82f40000000210ef199034facf95d86a4891e7279c14a72433bbd099676f3118f842bb317a24ad1fd43c3ee71455f3bd5375f1647403ac6964f4b4912670ee38c1f59594c7b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2192	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2172	2448	MSOXMLED.EXE	28
PID 2448 wrote to memory of 2172	2448	MSOXMLED.EXE	28
PID 2448 wrote to memory of 2172	2448	MSOXMLED.EXE	28
PID 2448 wrote to memory of 2172	2448	MSOXMLED.EXE	28
PID 2172 wrote to memory of 2192	2172	iexplore.exe	29
PID 2172 wrote to memory of 2192	2172	iexplore.exe	29
PID 2172 wrote to memory of 2192	2172	iexplore.exe	29
PID 2172 wrote to memory of 2192	2172	iexplore.exe	29
PID 2192 wrote to memory of 2624	2192	IEXPLORE.EXE	30
PID 2192 wrote to memory of 2624	2192	IEXPLORE.EXE	30
PID 2192 wrote to memory of 2624	2192	IEXPLORE.EXE	30
PID 2192 wrote to memory of 2624	2192	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\_rels\vbaProject.bin.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08b8190978acd2c61f3445599d31955c

SHA1
318cf2a425b4064602b4e085c402bd77a2c99748

SHA256
46407cbe3fc7592c500b18a40cf45d905c1e8350d5036c3dc8422180d35b5e79

SHA512
d471ac54c1879cac7e41a7ce4d0f7b898e227c9bcb702b9d63e1ca02dbd60841e1fc630cdfde09c094f892c802d2a73b339d34189eba365138338d450b5123c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7457fe517a69d102bc3d42b929748571

SHA1
2e240a2740afe756e106c6533c5dbb4c6fbf7f90

SHA256
5e8ea56f0860c767173604b8b62269a012067a707296d7340f728b55e8fb6713

SHA512
71c0885d14e91f8fb6ce43a88886cec1b2cbe6333a724047e83e9183a2ba1446a5a277414cb77bb70c6d164992b326370ab8ea152534ba8213c669fa5fb35b21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0096f1c38efd72ce5c84ddf0a8dd65ae

SHA1
615403eb67cd9f8e924e2650788e1eff228e8cfc

SHA256
0e7203342962e8213f10f0755937af94676aa86b8e8dfcbb37438f42f1e28ab6

SHA512
d6cb3877f56f25776d5caf0fb68939af572d23957f989b5a5f1826fe965ba9b077cefa905b695aa2f5a50460f2339a053028fdbb7a624ffb0e0bebdb836eea91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6875b78adaa155fcf5dd1cc68de1a5a1

SHA1
23da72ab8aa9df7a6e622389207ff57e6413d503

SHA256
f61c37e2609723ea534beb0803b74e193c4c2d0aa1de5947e0655edcf787e96d

SHA512
52f3e95b8f54dac884a0089aa988a36a9617be2eeb167e462dfd916a26810277d84742ed9528afb43008542d46c895fddc9bf70d1e6223fcc4e95ec26f273d34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9e283e729dfcc2f00305c3dd9b02b9d

SHA1
54d6d827685fa78814ac87c7d76b99e9922209bc

SHA256
471ff3112f500a5ffcad7887d0b1fee5f239e516c20a41de73660af5c690ccb2

SHA512
8c025ac84159ed6b4ca894a6b97cfec3412dd9dfea7bd7d18ef83659c1d4d48e2d9645a72842f48a2453950187a84ce3d014de3c318dcc201d19ad541cf49164

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab0c70ff666e35b31ae7db65c216f40c

SHA1
17de094fd87ef1e3d395db25636b6b94ea853c6a

SHA256
15aea43dc8f9988eddc3170baf1847234d80407402d99c159e7d2771df67549a

SHA512
ca02a19feb203b81c69464e3d222c4cb951c4243082764acd97b107352d2f6f698850d3e4bb339b986396a514d835352ff2291d004d841fd3fe9838f420fd4a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47c0bdf4812aa4413067a544549d4133

SHA1
23835d41135448f58d3960bc112ff81e4db65ecb

SHA256
662db262dda2f9765e43315cedeae935027e4205f8dd803f7bebe36b1ef7b036

SHA512
87f4983e41a1fe62561e67052d0697fc34187d4b8445558c622fa2926955c94efc9f0015fcc5befc804009f781100c6182b9c058cb7bb1db5dce5f5882e4f1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
519b829b67fe2984e6cf0b1fbf347061

SHA1
0c3a42c2fdefe0e5473907aa33f2772a28a2575d

SHA256
5a6aa07159ab5c6c19902be38d9383dad5d1ccf93048df1c5c07ac80f936468f

SHA512
95f34e437057a3b05a5821352d4862adf732b9840891648905b138252a1b6a5839280f28a9ea98ea735b7809c08bee07028a0bf88963611a434011c75be4702d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA24A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA2CB.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit