f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
139s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/webSettings.xml
Size

14KB
MD5

9753d3dd5908d03780976e9cdc226eea
SHA1

058e8770c5557b8b6cfd28fc54462ec1c0b16e73
SHA256

3a759be3223c8a6be0aecf77b734a84f913f204415dabbe19fb463140caff320
SHA512

9adf3578664bd81756cc2928d14f1a766fc2284b4974c36dff0ed0fdc30be87aedd957db3c3c503bbab2c12d1967adcde8ca81bdb01f4342ffd7b4e2bd2491cd
SSDEEP

48:cU41mNYmS+B1+6+T+y4+B+P+NDUuBTUxDUuBTtDUuBTJyUuBlgAUuBTHDUuBFqDb:e1mmmSwH2O8Q0L4Jh

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000d4a5b5e98bc4aba170c2a82ad07d2b314325f16637ab6dd95182141ac88f1d4f000000000e80000000020000200000006ca9c4185b863a4008a3b37a475c0da861abf07631c1109b31cdbf8b29703fd32000000078851ec8075a173df6d44355146bc5c0a78893a1f957da221f20e882979041114000000045304f59748d8a3b633779bddb923807eb51b3be18677824cb1951faab3be8095fa2b0fb9bfec28509e31c0f8a858933c1a6812d085c6330a487ce508c8945be	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90cecb70a2ffd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BBE6771-6B95-11EE-B812-C6004B6B9118} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403561949"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000b12f12162d0876e246538d212cc743e4b6c596ce55787616c6d44c548d354f4c000000000e8000000002000020000000196d8bf3560cb540997fb6feded74196b89199a9ce5d47b216dcb27af6579b3690000000840bc02dbd91254073f021699b21506c92c3d172eb3f5a0a489cf5eb2fbbe6ee86209eac5d22bd759dcef2e42d9e1874a7845483defe63e5d2d1c882e89df582f30d16bdfcb66f1e13b26706ebca58d101052d4e380c2e6a5de4124d2aa9ea84a40d4d481e531111af7d201bae0fe83ae0172501e7a01b9dcf1cb7e99c8e7c1925db124607cf61447e3960a281f1145140000000f9bf987a0a960208605b9b6b98daef332b5528e2164197c6ff54fde1d34e970d1da73df032fc1fa47c876e1e5089c4871a04fa13702a3964b42d43bf33bbb0b6	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2116	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3024	2984	MSOXMLED.EXE	28
PID 2984 wrote to memory of 3024	2984	MSOXMLED.EXE	28
PID 2984 wrote to memory of 3024	2984	MSOXMLED.EXE	28
PID 2984 wrote to memory of 3024	2984	MSOXMLED.EXE	28
PID 3024 wrote to memory of 2116	3024	iexplore.exe	29
PID 3024 wrote to memory of 2116	3024	iexplore.exe	29
PID 3024 wrote to memory of 2116	3024	iexplore.exe	29
PID 3024 wrote to memory of 2116	3024	iexplore.exe	29
PID 2116 wrote to memory of 2772	2116	IEXPLORE.EXE	30
PID 2116 wrote to memory of 2772	2116	IEXPLORE.EXE	30
PID 2116 wrote to memory of 2772	2116	IEXPLORE.EXE	30
PID 2116 wrote to memory of 2772	2116	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\webSettings.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b5119b88618d5b638ad123b4d4dac8a

SHA1
490c251fe076ac2cc3e4543087852a1264611411

SHA256
16acb769962cb238a458f554c226d0d16226847c552415e49791efbe970e899b

SHA512
10e84170d84212bb617ceefc839e5506bd6419ec2b5610c27b5d29eae34a04a71fb8cf6819485e34a36fa8b0e56e8a8152374a351564c8098512a770375b925e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98ce6cc95f10f851566a6bc0872a1a82

SHA1
f294e01d65e34b0af6903ba5dbc61509e30e3e04

SHA256
aff1422df6ba80e5d39a7f8e20aeb408d507b4ea4ce09e7fc1735a86e19044b4

SHA512
71f40cbadfb9838265e6edf0ff8968021dc75df4dab68bba43d4cd6fd176b6aaf142a36f068ff944bd85dc9b32a01c5014fc941494cda6db8a9e104b13388ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7584b1986eabe087a12b60ce152ef4a1

SHA1
d6dc698c751a39d0f7f45bdcb01888f85fbefb39

SHA256
a030a72fc504fd71cdb4b29bbeff9f13189339ff953b8f977e7529a4bcf43c11

SHA512
69d2cc74951506a5df6e372fc230b6ff6d4d9f7e634895bef291acb1af6c6754a7cab324b1434f9daa7a1f3d049bb6c1c9176e5d773fa3a16bfd5633c3bb8dbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03e5cbd86c9c24f5bc808e4467a6a3c6

SHA1
c6b40714242b48333db32b8caaefb89f8a538aca

SHA256
c7f7153c4df99d29ca849ab7cebdc007241d7b7ce3f1b70ed608185fcab84728

SHA512
f8f7ed0572729cace9b388451d39e24d3c75883fb993dd7c068ddf013f3d5830e5f9ce676f7ad299580cb1d1b496e1e5c06923494341c22685321876113fbd73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15aaa720b04fe2b39cfdd6316dd35bc7

SHA1
f343449e128e68cb35df62f7a695dcd62f7410e7

SHA256
4d63c4cfd54dc74fa311dcf3fc027a3f0bca01ac7295314650ffc1dd2b0559ac

SHA512
259f8e5e6d0147b054d4ceb5d2dcd880f659d4ea9920421631a19195d7d130aec01f3caa71e17df0b9f17cc6715ce0b3252f9c19a58495dd0fec9a189c63071b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db66ad0bcd9d4da56f2c09e8f6c69964

SHA1
faca1971a60c6e94f270b8411c123ac01395ed3c

SHA256
86bc8705065bd25a52316ffdb712334bbd77c05a0b10574daf295b697b2027fd

SHA512
8ae8e7fc8d44fcbd13fbd3694a2bd0ad74453565b45919459f8051a9dc0a149061e423b42a2f1973c08177c7598153cce012e5222e44ccb9478d42d5ecc80474

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97cfb596fabd405a110409bb0e383a52

SHA1
16256a576cd11529beb621b13ba84646bc06540a

SHA256
dd69c84f334686b0efa1771d2c60980d30233d1ce00f134520656271c863c094

SHA512
4e76b527d756fddeecf61dcf890e8b578e608f895af4b31d18ad4e53c3e0d65db7c571dfa9943ab1716fcbb2fb5abeec40c74ca319263644c0705055552fe0d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7eb7f00462a9888d3f7b7d659521a6a

SHA1
da63377a96434b704546da9bcf6bc5d512396d35

SHA256
d46ff2e7c078cbe7bb9e19b916b53e7e450684c73b8646acbf9cb93e07fae63f

SHA512
151ca949369490fbc88bcfd7bcb26ea11212002dec1b14032affc859408033dda7c3917eb9cf646a3629ad57db561a5ccf06eb2cf78c919bd1957dd41e137b07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b8be86a2c61d2d25676494736b989e1

SHA1
60ba909ff047690aba6b18417dce613827609460

SHA256
d8acd9721bbd2936cb536a3ff0c1e7d68ef9fa37249776bf0ea66e08327610e8

SHA512
a0c1d97a393ef57845db77005fd0099306d7cea3f60b2fa98b7009a21abd063d3b5e5ba50b02d92646a15a5ab4beaafe272eb1bc24e145e17d7da1372593e377

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98392e0b7bd48183feaf3f50a79d6c21

SHA1
1c7f3cde1da0c9466fe2e263f5417fbc494ad5e3

SHA256
393fa1901bc2688f4742aaa401100727c827f6beb04e99c2d4e72cfcec6e84e5

SHA512
4aa4928d2b4183e8bfea9ec08daa62e9a4ced276b5c113ab0254b2826f38f1a7d8c27fcdadb1d7b3faf028afb66ac2f3efde7dd48e005c77ca6a462b737e143c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66694b2ae4b3f71f1b396c81d5563f1d

SHA1
1f906f27951b2f000b0bdf4fe798db87bf228037

SHA256
92b577cc1dc2305eda7d85edef5ad91bb42e9dd60481ec20ed234f9d9781dd24

SHA512
cb43e86809a9d85219af4972db8c63f0c6dde9b837aa7a49ecb52e4880398c0f8341ef2d60928d0717c436d1daa58a74f9df91ea80946d42a5770de925803534

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab72F2.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar73B0.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit