f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
135s
max time network
144s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/fontTable.xml
Size

2KB
MD5

770b86eee170314650f53072ea9a6ea3
SHA1

d335dcb1db50cd842a3e9a3b187568dbc5f8f074
SHA256

12e9a420b6614709f90815e219dc6a91d23f08500c6e0fc604eaec32d53d3c42
SHA512

f9069c05936c88fe3299eecabdaea9a2e0cd9a7bef7837f77f671ae9c26585074498bf4312782c5de10eaff61594560699d9c01bb8b803f3154314c83c88da25

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80db046da2ffd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403561938"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000b4cc7470bc2519d090d881fe8f3736e9dea9ed760ed40b2e041590a375f848be000000000e80000000020000200000002afb0c1d4ce25f06fb42915996eb1adda4a81f2b4e0b17f443219db63248ea6820000000b9d7ed2d633ddf363e7b46ad8238d58380601be836903a64593a089dbdf7177c40000000256d338c0932046a75675a059d1e16cbb52b3f90537a1b4fbebf0661d6ab9bb3898c1c9b2cea9a13ab178835fabf6088a97c5412cb013c0ec5ae34af007b7118	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{95ADC2E1-6B95-11EE-BC2E-661AB9D85156} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000001ae3c203ce8846142494da57a491995ef9c96875e77b16a0ff3e8c4626f83a47000000000e80000000020000200000007d309a1439edd523c921485043fcbffdeeefe7e13bcb7dd10dbf0a1d422e1a87900000006a3a8002c4e3f58e8288c88887ee7489be94e4aea263cb469f192f58a33ac1aac775a701e543c308b4cdfd6c25b1dedbf07d86cf0868f927685633f98efd0adca47eeb7826e8ec0407e2b612c7930ecb0a9a98ae23ad1f9eba1bfd7de53056b4fbccd878bd0cbd5399c4af105494f67c146dfa1af73266a1009e0b66d54626d1861311ea92d2b96515e975ac15c1889340000000a0ba5a839c6ed58cee978c0ad14dc51a8fcab73003ccbc7cf208c8e2ad44c5b873864a264dee1ffdd661f9484d580d6af45145d3bdc2a4068b6b4a0f1f3572cd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2588	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2588	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2972	3040	MSOXMLED.EXE	28
PID 3040 wrote to memory of 2972	3040	MSOXMLED.EXE	28
PID 3040 wrote to memory of 2972	3040	MSOXMLED.EXE	28
PID 3040 wrote to memory of 2972	3040	MSOXMLED.EXE	28
PID 2972 wrote to memory of 2588	2972	iexplore.exe	29
PID 2972 wrote to memory of 2588	2972	iexplore.exe	29
PID 2972 wrote to memory of 2588	2972	iexplore.exe	29
PID 2972 wrote to memory of 2588	2972	iexplore.exe	29
PID 2588 wrote to memory of 2804	2588	IEXPLORE.EXE	30
PID 2588 wrote to memory of 2804	2588	IEXPLORE.EXE	30
PID 2588 wrote to memory of 2804	2588	IEXPLORE.EXE	30
PID 2588 wrote to memory of 2804	2588	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\fontTable.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a1f23b8806219f9441eaa7aec34f58c

SHA1
9d7b9727a930fcbd46b91081b815ac4dd0fdc3e6

SHA256
dd36e8cb936c8e2e89c71891c7682868a36c4a20b91b54d7b635ac414e34515f

SHA512
53d56bdf6fea17504728a5c9564c43a2226c79015812575d5bb630eceaf66251eeaac8dd616c01d2a68f903c4701037fbdb77ba91e504d174fcfd462e780dab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3d3e751df8d7ae2c142611803ba5330

SHA1
f9a2664d2a50e3a02339d8022e45c981ca1f1995

SHA256
ddcc5394c6bd461be84d88a3a9712cb34bd0f4f441703ce9cad68f64317b89d9

SHA512
e8620be25b2e8a7549951f4ae424d9d22afed8a4ee8bf8ec45adf6e0f5e37861b5cdbd3db21bed32fc10366d026ba0946e01bc0d31614cbb9d6f429a70c2d663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5f3a8fb3ce6d9bb8e360c0d6118f993

SHA1
d62f7f273ef3111fb7e3737e5335b3d5d3ab70c5

SHA256
3dc0a53f228f37a6b9b8c38723de06392fb685cfbde5397d4e222acdbcc66322

SHA512
853c176c5b9929160e4d42d9d7085f1f39418bb3154c3218fa2cec193ca696ce246a7b87b96956ae75fb685bbf7570d8131cd170ed12a5bd359a3de20963d4aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7c9d61211f907bc1b4f02157e0775f4

SHA1
9b42bbd9e58d4d961a7b1e192477b3e2078065fb

SHA256
056076d5884be7df4c9080bc27febf7fd9684e77ee5191a19379716aaf1620fb

SHA512
1f9037e9bfb6eb63a118e389d0f5b1fbfb62209547b8c8cfa89095a69934db78aaa87811efff44ca5a20cdfbec95253c98aef5ddf64962d8b289dc7490af0144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7945cb2ac024cc8a770c6ca8345ec12e

SHA1
522d8341b7981bc7ba8e4eb793329f0d010fa0b7

SHA256
62745f3b80208f19576248c6147c04f22e293bff6b55e5003283b2382bd1219b

SHA512
dea4b43c7ce3442cb2987c9f8573daaa8f63c0892f549747270b886e63c6e67faee0d5adacf1aee6eaa3c38b736d74f01abbe5e146b6346b67f9889ea3c21a4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6746227359eb5be752f0b5d7c8db754d

SHA1
465436c01bd555d131ccf7e6df6a6f3549feeb77

SHA256
2605cee3f2c28be71b5b1853859430cbac2b567d5912bb880f1d7252e03d6c46

SHA512
d8fa09b5c79720c6f2a7b659c83b620879422e356a77f97d0e86ec51abbf10107c21217a2e96e5659d186cafac37b7a65e4cfa004e2030ab52118d939f45e058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2544373516e0d2c8dc180c6c610f3053

SHA1
308db74b3085a1bf87d40cd1b99137cc705fbb39

SHA256
a81b6b4be895aef7817213f992d90582065a41ea244a19e350dbd1af9918da54

SHA512
dc40f072a5e3abc3a4cb72fe0adea2cd973a0db4472f5d7bdb6afcec0221c18b4d27e099797357ace3d162a65f3c7c669dbd86ca629941731dc75e482cedba24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9e3fd1af38df4794c8e3b5954d54126

SHA1
caaf8a46d0310dd180eb666440eb1adea157a167

SHA256
4fe5f6d7f5a210983c93be2b00d8449b53d56a1ebb806b58d1aead3ec401c7a6

SHA512
23379eb8daa54604571ac824a98e7313b4c033ca1b23ded8cf84a128f0a5da0f81fba81776c90f98543d33a2c0b099133dbb3c3b53ad2ed37a4a5e452cc98f76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9a2cdb36e364a213e3169ded100ac9e

SHA1
b16b09c778b7e8d2b9feab0bb20d496758b42da9

SHA256
e06a6a3bf22125f22b5ce031ca3d41a21e61a67c8e97a2dc7f7c1a81202bfb21

SHA512
4b11c28916d078912b5d1a44a05b4ab4a42dbc77f2e16dc38937896af14aff9c0c5a6c72c268491d2cdd9d70c133c311413d3b184a0ee955565eb6db2b1aac7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA0D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDA2F.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit