f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
137s
max time network
139s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/styles.xml
Size

43KB
MD5

f85b9a6d77f6b76f312595f43fe2c938
SHA1

4e4d1daa1ef749d3cb3a566176bfe7c2172e55fd
SHA256

af3f6650a56185106ee5430463aa63416075659e74228f8dcafe8e2bab786438
SHA512

4069528674a714fdef121cd51fe9e428d0abab1225a65fa24aa64aafa1bc7bdb10d2733880a7ba3701bc6c19d251152eb6af202b70f0bdb64d2592bcbfc3021f
SSDEEP

192:v1mmmkse6HLKUhVehPiYDuNYD1CYDQYYDJFYD44jUNjp8jPJjb0TpYDp0pYD/tYA:v1mDkslr76yO9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{986B15F1-6B95-11EE-B489-56C242017446} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d5cb6da2ffd901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403561943"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000002a618da02380539a1d5b8b14104682ca226a8687efa3fd4b2b9ae9b57c8afe2e000000000e800000000200002000000041e73a83855db5b7e4ba50cdc0e91f16dd4d082a82f2a9d38d129c5db196eb7920000000bf04f9d9b466fd494a3886ff1073271adb9d7e2e417aa6b61d49c7515018b66140000000771296a8641c30ae39709c97ba757e9a16d6c66548ea168e5d668d8d4fd474f51bfe34f08bb5de4ff4d6758374e932d43e65d49dd265ec6d103f5c6978e66ccc	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf812000000000200000000001066000000010000200000002b23a8131078056d5f7b98f83f0ee90112911a4603457629a40b12fbdb9d9c76000000000e8000000002000020000000c9791c865284cf79e759309a1225753d462c74159fdf3ddbbf48aa5e4c992b4e900000000c997e0bb6adc20bdc500cb5697596a6a81f9b6314518e0c0023a99b77972b0a875a42322a08724fa44da27b4dcb260dcd29476182445b586b5dc9dd0c601a14723b76c5322db0e366f26825c48707c170ac452b0e8309776b0771658efd03db21cd0aaefd708188eb1f9157263e837b822f759847b5d25b618a516df6dbb01de524e096632c84a61ae8e935227c548a4000000017e63bfaf83409af727f6d97bdd4c0c55eee52bc7fb43a31b28ba50dd0b15c5d0bb7a82fc49b495a3c130d10e7fe9a348aa1fa612ee75a8cae9d2404e2ce6b19	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1864	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1864	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
604	IEXPLORE.EXE
604	IEXPLORE.EXE
604	IEXPLORE.EXE
604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 1740	340	MSOXMLED.EXE	28
PID 340 wrote to memory of 1740	340	MSOXMLED.EXE	28
PID 340 wrote to memory of 1740	340	MSOXMLED.EXE	28
PID 340 wrote to memory of 1740	340	MSOXMLED.EXE	28
PID 1740 wrote to memory of 1864	1740	iexplore.exe	29
PID 1740 wrote to memory of 1864	1740	iexplore.exe	29
PID 1740 wrote to memory of 1864	1740	iexplore.exe	29
PID 1740 wrote to memory of 1864	1740	iexplore.exe	29
PID 1864 wrote to memory of 604	1864	IEXPLORE.EXE	30
PID 1864 wrote to memory of 604	1864	IEXPLORE.EXE	30
PID 1864 wrote to memory of 604	1864	IEXPLORE.EXE	30
PID 1864 wrote to memory of 604	1864	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\styles.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:340
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca077ffab7276102b577ed62e975a8da

SHA1
ed8957474ef56d19ba7d6459c3e51fa2905760f4

SHA256
8d7d3684492cc52148f29648b95c969460fd038d3cf7c28b4d1e51dfde891702

SHA512
d8d128cb3ce1733af061b7fcb4e7dad49e38ce468d5cce7d9b030349bf66e5862800fd0ba3ab79b3edd962e2cd2e6a84b747b954069e617b16f8d0eee6904a4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09b08b6339494f136ac12d19d5cfa163

SHA1
18d266b47298137ac29bd0425d1c8a7aa134dc9c

SHA256
034955f69760c738a7a12962c9f212e97bddb4655e9a11c35f08a5561f457f7b

SHA512
5fbddf29082801d4ee77b0444fb8bc3648fd47a5ce97fed2544c8214c6a9faa86969d02fe16f4e4e0590846f3d384769fa7b18ecaeb8d57d77a0147cbfe2541e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3854d8666e5aefda4c4ed4b39d8dfc33

SHA1
d3e49bd1cc0006a1397f69f147a3326271920464

SHA256
6ea8abad5d9b24b6f2476e98da7f3c7be804e1a3e68eac8d5b36388bf54f9ceb

SHA512
d43940614c7e10650907a314c1ae8157b0651acbeda299b794d9958667290be5608ab2c89ba07d974edb226046155310d18e6695baef02e0f9d0bc8ea47bd4f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f06b41a18ac856eee9de5d0b33b2bf5b

SHA1
398cd0e4684c7d4e6ec31057f0d8b54815399ad2

SHA256
b3fce116dfdb95f1018e162f7c1e8e229d797158bedf1e1218710c0909494117

SHA512
8ff06bcc604494aa9c21740d5795b91fa78709c6e2fb67630a204eeb8e55a52971647f5ebfb2fc6d80a05699443429383a09a3cbfa3427635fb85c92aa7f69b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43618abf48947d3953791c9d5dfd57e2

SHA1
cbe747faa69a6390abde3927ea7a9d203690f0e6

SHA256
2a2ec0763fd9712208a45760371b69e5c9ec8dce643cf1d5e8851ccae4177b86

SHA512
8fcd77786e05c5c0b529cbc1099baab1ce0c92d775ccab56cc9c2e4814d84e23ce068b0ec6ca3677ba25a500958917b4f9da506c885ee68c3fcea9d1123ae5de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68b1a0a8c396ee681efdcf67eb3e67d0

SHA1
d1ce1b75547d533de102c8f80f3539b41153d1f6

SHA256
5b503fe27c84ed1b02d41f5e13db229e1bf92fe14c0479cc9e236518f4383d8b

SHA512
9c302e33c7b5dcac04346268a5910e3393afec78262cf52be4489c2d5b8da002b3f08222552b60949fa1494757173648cd7e5a3aa6710164cc5679c6029f306f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a593cf7c97844d21e3bc34be2e2b65ef

SHA1
2a2da7f8e3c39fd7ecc23069b58ff3bb9510f7b1

SHA256
0460d0986bac57071847e88e4bb7cfd8636f6f698620ed4c08ffda57ddaa6c66

SHA512
93381196993d3196fae66f207c1ef34e91fa10c61d12d7fadbecdec9310c72a0e99e4b15e3347920005323bd88a92824438e92f84c8d75ccc940673770e0a05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f2d89229a254957b32969afaa302380

SHA1
d6500a352d64cadd31f74971e340651181e1a9cc

SHA256
6258ccd53bd68d3dd39d05b983675dabd7f9fd6985ee15370b6b453c050ddc5a

SHA512
6d78f5a337f20060aa836a14cd86ec0b43506702b4366c9c697a44219e17da288461a71926058b1c7036de5be7412ff547b324ae4dd2a4bf1f91424fb2bb2977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
559f530cfd90f81bf4bedc3a728ebedf

SHA1
392bb748c56c560ee6faf8da2f26af480d7b97af

SHA256
161d3c3016ebce2b20a0abee36f19711855d6f6751da431cdaa129cbf2ba395c

SHA512
c0740fe954f44edef61eb433d498d9a12c6d9187f18851d7189abb9aaf3f522275ff8ee5bd5bf555239fc881e666c40f0ebaf0c2fd60615fa7ea95489ab8d375

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9bbfb75119587071c8c7fe864d28864

SHA1
bba3f6b86b6d341f4558fa189d13cb5fd1eb6378

SHA256
119fdaee26d5b530cae796b9aacbd8d4e58f89e24c8741fd7d6b2e7a8286b795

SHA512
552407fd72558cf7497e42e83b93644763501e1565307f2d38e343b4014a6f85584dc6588ef11fc62bde38779a82e443b22f54f0e385af75489223ba3a6f676b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEE76.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4A2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit