f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/fontTable.xml
Size

2KB
MD5

770b86eee170314650f53072ea9a6ea3
SHA1

d335dcb1db50cd842a3e9a3b187568dbc5f8f074
SHA256

12e9a420b6614709f90815e219dc6a91d23f08500c6e0fc604eaec32d53d3c42
SHA512

f9069c05936c88fe3299eecabdaea9a2e0cd9a7bef7837f77f671ae9c26585074498bf4312782c5de10eaff61594560699d9c01bb8b803f3154314c83c88da25

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000b72075e42e7083cf0fc42760ac705b081bfcd92dcbd4d718456ac3339bf7e9cc000000000e80000000020000200000002619551e1ad048cf761d8182922a743e1f49bd8333295b01eeda12f74d84f83120000000bb9e7cb834790b75a5122b49b278cfcce3c8a1f3dc761a2c3de32c8a6fd0ed5b40000000992daacdd387301744f9c09103f074ccfc27cbb837cc80fca25498fbe78af0f6279312f6f2897fff40bc87574a1741f70819a411d1a28055b2056943d7180f32	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403550871"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D188F7E1-6B7B-11EE-B458-56C242017446} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000927bdd8b56cc0149e45149b30db7060e24db12aabdabb72bd370b3bb6cbeb1c7000000000e8000000002000020000000a53c7ab859e339f016154691565924592136fc7884b27e80a40def73dd96e6cd90000000e4051ee6deaaa03f63386d378c0841c93714aa44ad390e4aff6948fe55639963d834ad8c06fbd3525f1839988174d65e87120fc0ba9e256d2bbb96c8da71211d41a5b7db9b45428069f23873c7da2fbf702758e28a2d79204254652ded772070cd92a1277c2cbd4e988fdda0244a2db8b49658c9e091571ab481b53490bbfca6104258a784aaac8d57dd071e57474eed40000000db923f37e2072a3a7db0057f8f63d24d7f107c2f71186d3655d9213e78f0f056b4242ee87f1b8e7e7bf756e14a2c9db15410b1615d9c90e9d3cdcbdc5dd0a3f8	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e071eea688ffd901	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
840	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
840	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
840	IEXPLORE.EXE
840	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2112	2096	MSOXMLED.EXE	28
PID 2096 wrote to memory of 2112	2096	MSOXMLED.EXE	28
PID 2096 wrote to memory of 2112	2096	MSOXMLED.EXE	28
PID 2096 wrote to memory of 2112	2096	MSOXMLED.EXE	28
PID 2112 wrote to memory of 840	2112	iexplore.exe	29
PID 2112 wrote to memory of 840	2112	iexplore.exe	29
PID 2112 wrote to memory of 840	2112	iexplore.exe	29
PID 2112 wrote to memory of 840	2112	iexplore.exe	29
PID 840 wrote to memory of 2660	840	IEXPLORE.EXE	30
PID 840 wrote to memory of 2660	840	IEXPLORE.EXE	30
PID 840 wrote to memory of 2660	840	IEXPLORE.EXE	30
PID 840 wrote to memory of 2660	840	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\fontTable.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c76cc277a7b19f613b29c973917dd56

SHA1
8823594d0b6c4d9bd259d4c92af395c41da8198d

SHA256
47642b19067eb9c3e9db3f833387d6a49ec9ffbcc3c1f3de677a14ed8887b814

SHA512
42be6fbfc9600d331a7ff48ebef049debc721d95f95136ef5ca51cf2b7040dc43619f84cd2c8e0011c42cf0f124ce53af48a99695a2217e344fd8e61a2382461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b797fa0217570cd606182cb1d6a078f

SHA1
796ae1acc712dcb620d4ac33670bad609b8de94a

SHA256
61dd553ae0f7c17238ef84dfdcf6654177bcbd149db07856a762228385b308e5

SHA512
3f56f6b7f0e515d08005ba4b4c9b08e28467460d9afd3d0b0df8011deb3f98a8d9c7e6dc76ee60e5d0f435c62b11a1a36f7883eb0c9d665dc9a4b1a4124f5b11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
185f27c77a6c81de4e960932c124470e

SHA1
daf21f6c4fc967ff0a98e2a48db5143a6b830059

SHA256
c35c2ec77752367aa0fba4e2017a6c3670ac98184032094748d7174f4e7dfcac

SHA512
cdfdc4122e24ec8251243e5a5c10b3d7bce758a093b882fa26a38636a16b8f254e08b690276b67359a0c82a9024653e1c2abe1ae1db5f5e5cb9e83af89579696

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96a8585b80f499f27e56abbc6cb23cfa

SHA1
fd5e079ded66f4633c31694828354200b8a4a43d

SHA256
1f8bb736a78f047907871ec897ed53de63c377b2051187b74f0cb486c3070162

SHA512
82bf71fa818ece1f04812b00aac1ccfeb1ca4c578c23e97ae2213c05bf3ffbe79ae1faec8c2c8f835b6467155e668cdaf8d635063377825c529291a6225db672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbd0ea9de28472c10980f8dbfb633799

SHA1
eb784603beea20b8a4f4af58212fea8df7cf390e

SHA256
1789de3f27d1a0c77f60ec593608ac5c0821a6fbc076bc2559938cec8d6e7802

SHA512
e41c0ef9fe1f4fec2f9ceacfd6d9e6766c2616dd1ee0de0e2e211661877c7bb0e66b2b9fa9d8dd3033dddf8f91435eaae627d3b5105b76349746d25796f21fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d50d7403c6dab73dc024868e45036f4

SHA1
ec41642a3ecfe69f416e8a5d7cd7340cb8dc1734

SHA256
4d84662c460603bff2be2f555362559179d5c16a90bb8718d9ec27f1f9a08a42

SHA512
da2e2b233249b41bee61d7f87612249778b14c7150aebf7290f7524e7fe5b1fed9b1537a10aa41cd905ae88832016c30cb331d5ddb56ac9b419a3c606459ad40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5615007944cba1557f4b97de431e99a6

SHA1
96fc111271be09b4b0c0457be8bb8ba5169c842a

SHA256
61b0fb2def80a48bf5768099caf2ccfd4ab92e0cb9b01211f55a7e3cd11ad490

SHA512
6bc872afd0df30defdbc9c2cf12873c49118450168538446747d24f062e8ba8a3bfd18f6e64c02f5fef3adae4c1c4c7b05eb2a74ee07d655168243824f8d00b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c46ef749959a13d67fb41f77e1fa759c

SHA1
11d79f282d104ae8143d53ddab75b3b1ba45a401

SHA256
64147e06138b8ee6aabcf31e8dd57ee925f039f4f515e7fa61db4ff6befbcabf

SHA512
e43750ae3b6e71da0e083822094e7efdc9f965c80939ca78d0c1d2a23b13809e167f4a00ab3da13453aade2cf3e1aa3d1d89fa4acdfd8b72fda1e60633bd7d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0359ce2564d3d288bffc651f4c291a3

SHA1
1e5d5930a250d74e5a27e8c2ee094dbb584b52f7

SHA256
fc74c7658d4e3c1211696d0c2107ddd2e6f3d8236078b33f4203c71d7f2fc7bc

SHA512
cb7da99dc70b608ac894be08373b1a7ec0079dc1f37018310c6ceb31ad7bb9b902975c5e167e08584e103ee018576e520929fad4e7e41a270cf14a7302ed46e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97a837da9d7fb90a1d5dcbeb8711c4ba

SHA1
b06394a2af3e8e51a627eb554ac6954e3b0e284c

SHA256
e2b6ab1ef3eb86ec5b1bdc43773cb53600d9a9dc924d67036f966926baf001b5

SHA512
89d21094fca97ddcdc4df524dcb506d302497f217e98933a7c291f2cbf04c4d8ada440f7566bf5059b5ea73edbf80d42a6a7f2551073f5bf03b547e49bd96d6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5dee5fa19d1d0cc276cc8987f964a41

SHA1
c78e95c91e027ebcb11006206cf74af58806c547

SHA256
6772bdb1bffb4b30fd078f19cb096ec4505f238a0e3a6ba06b78c50114f11524

SHA512
69dbf837f49b25a4658104045c18e85e213c947382a8f20b595cdb06a3263f1002e3944959f655ceda626c056ef697d91203dd41b39727497b3681df34a623bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E7E.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EDF.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit