f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15-10-2023 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/vbaData.xml
Size

2KB
MD5

d11c77649d1825dbb1581af91a1c67af
SHA1

f25ce143180a53ea75a50a9163e61eb51e06431b
SHA256

119ac08d8aaf410f9b1477e460d40e6b537233080a08f90e07d3ef89aa797235
SHA512

77211b7bcaad4f617b647ffdd9f9eb5016338ffb4cd712446bee2e11b33c3e1c746eec29047397eb5e94c40b1df10edf42a24d0db8fd51e5b09d506336c06142

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000004eae5c790dd57774c4afa83e031c56829df99fab8977bf287ac6fbe937d4843c000000000e800000000200002000000079038ff3461eb135b348d84797917d32163572a2e86244e9a3d6be9e17d7dddc200000001de298ef325b0652e3b1133ec646ca43c6db03dd5a290c8e11d1607218aca4b840000000de362c9c6f63a19ec517c81df5cddcd6e3ab0bcd45e8ed5768c7c7a7726aded34a8b653abdf96dba0e239e5b898b8ac9ff1b1f407b8dd778ce437ba6ac894ae6	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000c7cc27a4d401f6a59cf1830ae1c361d1d8d0c5136de163a429a29f8b58582fc0000000000e8000000002000020000000fc592a630f961f943c6c7af6b38eee93f53fa2059f06a5dc926b4c28ebf48acc900000008014908bedf61b03a621cba31f0dc8273284dfad16dc61570543678de897759c3a557288d52b5328cfd29b2cb10e5f3042466ff6d4ec55286e4039cb3961815eccc2b539fbd8248de4060a6db06a00d1e45cf757de93b171160ad8e36024a047337cf7ad068998750e67d41d7c59bb30252e25bfa892cd8e97c03dcd96f991b716f631664f7ec0731bb7fdaea48e4d1d400000003dcec54bddf402ae899ea0216e1bbbcf010a11df10ced0b492f213b6e228a5f6d228175f8e3cd7b3ae09b922f1d276dcdf8a6c5cc85baf22836359f594d1536b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403561950"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 209a3871a2ffd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C3BBD61-6B95-11EE-A96A-6AEC76ABF58F} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2744	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2736	2804	MSOXMLED.EXE	28
PID 2804 wrote to memory of 2736	2804	MSOXMLED.EXE	28
PID 2804 wrote to memory of 2736	2804	MSOXMLED.EXE	28
PID 2804 wrote to memory of 2736	2804	MSOXMLED.EXE	28
PID 2736 wrote to memory of 2744	2736	iexplore.exe	29
PID 2736 wrote to memory of 2744	2736	iexplore.exe	29
PID 2736 wrote to memory of 2744	2736	iexplore.exe	29
PID 2736 wrote to memory of 2744	2736	iexplore.exe	29
PID 2744 wrote to memory of 2812	2744	IEXPLORE.EXE	30
PID 2744 wrote to memory of 2812	2744	IEXPLORE.EXE	30
PID 2744 wrote to memory of 2812	2744	IEXPLORE.EXE	30
PID 2744 wrote to memory of 2812	2744	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\vbaData.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31aa2536380c607ca372e5caf7df84e3

SHA1
4f894bc350fc924d7e2385bb43008ba49654f4f2

SHA256
02971c977518619bf1a118cdc1d6770e0a60d031034181db99102c89438e4f1d

SHA512
7c4baca1fd5ab8ae4bd66e4c2831e84d9d980c57061bbbae8c49289611434c71763dba930d0d9426175907eb518c4a6be29748e963964ff95ff19abeec8b6962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa9c837eb2cd6a9931a944ef853e4a7d

SHA1
1234c4e9a30eaf178ab0d0f822a449636b2b5feb

SHA256
b32117efc7435cb5f700168292f8b120996637931ea79421b925796948275852

SHA512
ff4e30c75c8138c8d2dfc5918dc6a800425a0159cbddd46ba87bb10e19ff9519c46fdf4ee7923baf59303bfa1247a990debe339ea8047f79b67ec5606d6b3baf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa6ef7244b794f93f74c1eef129e25b8

SHA1
4d283daefbf4232d5063c4dede28b74e11b9c63f

SHA256
1a8ae115cccf01dc2ec3d41e21f2ee190b6d5f74a0d6806b13f28ce81a83b57b

SHA512
af7f379776d31ae075b38fae260de9589b9413b33ed3077397e9f5091daa59325c01b8b75fad61100798acbac6a1482c05aa3378ce48c840c637b12c66027291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2237224fa51e5ade30c5d613afdfafa0

SHA1
2bda36e1fa045e8719362d093fc0b0e1aaac0ee5

SHA256
c3f9669b8fe17be0b471799107d455a2dc6acce007d35d0f4ece9b2eedcc494e

SHA512
a1b3ab806a10bb16145fce3e89c0d79c356505193b1ae13cf969cc4f7c42b1b01ca9b1047d373985e8f41aacc4553dbce47cbe0bf985127c56c42ce9700c18b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5c45ecf11c0bbcc474ec469c1c01270

SHA1
7c449dced383f1b25b234436ecbe1f7a1646075a

SHA256
222d56aaac315ac494874078a3d40fef8481cf00654ddb38ccd95922b4f4d50e

SHA512
84c824e3a2c02285addbc640d12583fd79d2ea63be34b33c48e2e7c6b1bd0631881784478bc34392c5dbd973dfd1fd59232f380a206c02bfe0268c8e83e57e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfcd71fa444380c6d9c6cc90a71af3e6

SHA1
07fe7564cf55955cd1e9cd76c83a6afa7427f93c

SHA256
661f8c7c4f6c613afe6b71eb5c23e1afd2083480c231572ab1968afcc87ce81f

SHA512
bad0a2eb36f3c31f93b23f6d227158cc0dbe95345dd4d3bc159d57e2fbc43e81c1d5b6816a6187f75d92963bebc9ac0abf10541067067e9b26bf10845e37ba5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
374b45fd690603d35c5efb80493f6e23

SHA1
84d76cf53631460be25fdd8e1753d34b32e7eac1

SHA256
473b28231c1cca78ccee536ec63b55ca11721b2075d0a15ebb89c4c09306d00a

SHA512
c45bb48669e92d064ce0f84e35803ea416de53d6324ff9a37d1a33be2b7de41426d0699bf06eb1b0e4aab099b7f0bd00f5f3111c1ce6d28877247981cdd20e5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
957b041680314ebb83a9fce0fd41e621

SHA1
b811cffbb3242142d28ec30b28d8d455584bf002

SHA256
a54fafb389eb793f37afab68256cc5931dd61fd611d4a665b9a4372c6db24315

SHA512
6b5a8b90fce3089876b81bba9b4cd830571e3672441004d881dd1de14b390d3f200ee656082b30e3c1a76964abcc63541e7d26c10b1316436ee3f455a1bd945a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5e803fc8eabccfdf8f9b9ac4e8b1dc5

SHA1
4b1039db4a414ef14fb441bb1fcccfee02097532

SHA256
52ba60168fae5635f256a63b1c5e7738106954b626a88e0855403eb040d9ebb4

SHA512
9391eac7c80f35a1f06e85c34b6a105a187dc5c76fb5616d5287d55ec52596c16d1530f157013c6dc4f10a3ccae0fecd9d2e48a9bd832395833721e06e600290

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9635d0cdcd6149d409b2bd396cad984c

SHA1
fdbf33cb0a592c826fc380379e9263e54de3f165

SHA256
0378265c2d184c2c99ae1be25d8bb449fa1b6d10e109eab8034e835545c69d60

SHA512
d3f9bb708319b03b1a68ef26055f3444a8b1b8e037bba912660b5a07bfa1b412af68bb134bb4b348bd2f028ae001411b4a4229e1b98e15bc9392fa8138deb679

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E1D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EBE.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit