f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/_rels/vbaProject.bin.xml
Size

277B
MD5

dd79e6440b0515bfcf771c2c5286a2c8
SHA1

40dc1e00e2663cb33f8c296cdb0cd52fa07a87b6
SHA256

c97833e6456aa2bfe9be614f9c3ae41a8ef764b1cc3af92c6a6f273c62309122
SHA512

461bcf63f03a733208cc31a97c649b5dd4e4af9f8b166e69eea8094ca95c4189f5691d7d3ef4e63ac3ccd8202b46fa9afaeec97a03f99a04205db9ab4ba16148

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403561936"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000336bc794936f0a4d2263f11b594dd4ffce26a1b49f01beba16b6b04a9dffd5c2000000000e8000000002000020000000edbc6d672f4bcf7e43b87cfc30940e192404855236970b0ad3eadc1efa312f4b20000000b621742d013017c173fc25cfbb81894c200ebec634237e836e84dd31e23aee39400000009758e303a24088acedf9106f6267445d9e2b579604571eaf984285d29563ca44aa70b00225b0a67dca9224786dc3670676ca76c4decbcc7651ca83eae98f14a5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 005ed06ca2ffd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000b81939a2ce753ec79c8416add96fd69d2b93624d6a8f8341b7b219d197609f9a000000000e80000000020000200000001e1c0c4b2ab7280464f270188b47fe289c8d9688153f003dff644b8d6e2cc1cb900000007a1f425e6d3636f8036cd576c7d67e57c84578c83860eb2f47ce3949f478051f2ddd847564426d984399cb72d224b33e8e9f8d6b9a313714065570ab038f1caf1aac9070f8ad3059e711d24f383089512a1957efd2c386b11858bd3771e1bc753546687d41e88c5a83ae68070bf3cb6c1f1a1d2af17a24bd576d5a6be8a2630c7c564d68c02af7e3fb77ef3f785f2741400000006ac069bd454c30e983a66be1f74281eeff5e30fb0929995ef8be35f879799bd274ea8404ad6d1c261eecbfdee0f2f424ba98152dc28468477452a06066012ab2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94972A91-6B95-11EE-B018-76BD0C21823E} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2632	2260	MSOXMLED.EXE	28
PID 2260 wrote to memory of 2632	2260	MSOXMLED.EXE	28
PID 2260 wrote to memory of 2632	2260	MSOXMLED.EXE	28
PID 2260 wrote to memory of 2632	2260	MSOXMLED.EXE	28
PID 2632 wrote to memory of 2640	2632	iexplore.exe	29
PID 2632 wrote to memory of 2640	2632	iexplore.exe	29
PID 2632 wrote to memory of 2640	2632	iexplore.exe	29
PID 2632 wrote to memory of 2640	2632	iexplore.exe	29
PID 2640 wrote to memory of 2644	2640	IEXPLORE.EXE	30
PID 2640 wrote to memory of 2644	2640	IEXPLORE.EXE	30
PID 2640 wrote to memory of 2644	2640	IEXPLORE.EXE	30
PID 2640 wrote to memory of 2644	2640	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\_rels\vbaProject.bin.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37620a4de10b7ff2c184a599b35c259c

SHA1
032e5e8221113c13fb48f32cba8d4e158da42819

SHA256
39e852ed385de5c3d30c4bb3a5e4e7f4bdfcb8ec14706247521b1a80b2b98108

SHA512
e7c581a7588e2d71d7c69b43cd28ce236ce249bcc58f5cddf708f81405512f934aacac0faa8f835cb850a596860f1107b3402544abe01d5894eeeabb273de89b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84558f6b4ddb6d45cf099fa3b736f070

SHA1
6bd39c4ea27227ab36f69f3f91c816a40429e358

SHA256
e586dcb864d85bd7d65bc4ca6f1864595f6be191be8060fdeeb5dfaf436dd2ce

SHA512
c126cc639e4e87a2d571c21e8acdf47cd8242041e29cbb15728436e60c50a92ca6a2d2e1ea12860e2f15bb992ac957616fd30f811d7340428aa1cce4e3023434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6885eef962566fb749ceddc8059d0ff5

SHA1
241e2be43eba0488694bd094c29d3565b1c34a68

SHA256
1c71c0901c353d030cf046b75fdc48f1b7a2a2652cf64210f75eecb154b1e654

SHA512
a47bb6c1f088c0f57ec056725d56c289b28a7d9a501899416961ae23d0fb59fd2b4f0372de2ae467f9b548f81fe30f8d69092a9e5ae6e9668833825ef51407d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
992f5a1321dcd3f7b71bc1a41e2d1216

SHA1
0b5efc7ac9b6b1858c953472b1a5d760c6d88b85

SHA256
7bdf4036d6cf0de0860a8ad3634f15e94d6b7e94c9bc09abd05964f557b3c706

SHA512
1fa531758a6e58b5c4950a01994f573d7129d2b7aeddf2484979bb1a2899ca804711e14a79ed25793adcffa53a0ac60bb06cf18a9b48f20698ce16e2d9fa0366

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b633afccd0ed402333a36fef241bc39

SHA1
e456680ac317a7fae6853334c546f5faac44c9fe

SHA256
3870d50426486355af507dab8d5f8f0b04a21f4491f20d4eddefeaef9ff7bd97

SHA512
de38875dbdd986224beb47357be45799466c1bba9d6d6f4c19b37eff54edba452aaa36c9748e185ee9daca5f797bac6731732b0793da7100743f8a0fa8a5fbc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4035292ea688776cf08acb49c17c0af6

SHA1
05fc37ca4fc5c20eb8fb553cf75024a00a47bd04

SHA256
fd111448afdf2abd5bd21fb25f4373f97e47c4ae6339ecd7b634c6dec165afa0

SHA512
13d42d916bad21bbb50ef9180252358c80020271289b2ed4fcd6a33966b0d6bb5ac055ea29cbfec4358b4000f22885f17168c9f931039f080a0f0b85eb4412ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da4808972569e3749f90d78edbfd8925

SHA1
0f3cbf5e4c5616dcb1de740fd1ceec688e28853a

SHA256
63e6957c50ca50f3d36b9fb1e106ae92cf6c63bd14a3a1a895e2e9e43a1f1667

SHA512
d8cd26353856c0f4dc3553a3f97008efe280971fc64437831dc21fd187c4251e26ed8c8ad1e248e4072096e8fae81bdd0ae46cb5e7c860d95b7e5e6e5a8ee712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e898975917ca8c76f2361f353de82c29

SHA1
1329d6b358dd940898cf9ea968391ae53a74d2bb

SHA256
82487b723850f7592d8c5f6f7ba51d2bfe8c76cf3b885d1d1199bc69f99dcabf

SHA512
29bf135841acf8138e48eb9bd7685dbd0d5f3794746424a1e143970a8b463feffa93f7ae38d1fc2deae408829296c1f0732267f67c733e2258b15a9d26316a98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42f24728ca2ed4ae1441b11aac0db6b8

SHA1
c226f2904acf2acd7b73b7f8ce96c161f95e6506

SHA256
cbd4f90f0a6cb884e01ace180c4cb642511224b473c25a6b82d3829fe83efdd9

SHA512
8788591e9f9e2424038e75bde5da98fee72dc0d95f90364c8575c9348c4aa21427f859a63ef2dffb630ef0495f91a00c30488d7d9f7653bfd11e43ce1258802a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98efec8871f76f6ff43b44b27ba09046

SHA1
3692a71fd5814466a1599288e768c008ba4e0d2c

SHA256
248f39381cc9fb83581e0081ba52cc36888d31b3b78988c2376cdab6976bbc35

SHA512
d34bf61ab83e9b4f5a8f96516dba5c591cdb5d3a76f3641fc8def5d5529f54b20a48a377589907c6ac48f2592e1ee2f88eb27727e48de89d89dd9408fe5d0910

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF5F6.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF666.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit