fbcfbc9ed5c1777946b0dad7a5813377960a134e9907d3e0669804d273defe90

Resubmissions

25-10-2023 13:58

231025-q979cshd42 1

25-10-2023 13:54

231025-q72c2ahc87 3

25-10-2023 13:53

231025-q6ywhshc46 1

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
25-10-2023 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppxMetadata/AppxBundleManifest.xml
Size

7KB
MD5

7a206184dde4e1c26f85397605d77d51
SHA1

69ba4cccdf2fcda97e44ea05a51c945249fec7ab
SHA256

3bea2195b3e46e859288426fb84a7a0d3a00a15b53b38728b4eca3b51dda0429
SHA512

be4c84f24e8fbac2d4d7a6fd1fb1f0b2c1d5671d24035b70c3ce06e1a63c860d0d0a8ee52ad43b33ea2697488ac7cb67c72211fa8c30b99b8bb3a69e96c17b96
SSDEEP

192:WwF7yLvg21SeJR/ADx9bqxH8FHZeTb6b9rxZb5K4ETQVPvT7nRwfX7XZZ/CuD0dz:hF7yLvg21SeJR/ADx9bqxH8FHZeTb6bD

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009159649b912a9140bf53d83809c5b2ac00000000020000000000106600000001000020000000c51e25af7d52f8bf146ada01f268e47d8e031a0e0f91940fd47b1dc65e005d96000000000e80000000020000200000004185e2568b253b0f294c37cd869bccf27b0ea4a21052956b774ac0af714524e09000000085d12624816375bcaf01908c5a8d38c5075417e7451f86ffd060246d0ce688e4b99854c695e14d0f11d8d8bde496f0dc6b47995205962cb9fd35d5a18b6e9d0af955f0bf8fd071158095e250469192252a25aacb21e6e32016e68c61ebaba3e078c847c82ad7038a585c9eac1b81e8f18cf1e6351e9bd5fe18117d72a61c092a90a8fae5b96380ef47ff38f2d9dbff19400000006237d16c0aedcd4f0e7f534b1550cf12e4fcd446fa3eaf818f6a3e5231a72d20a36a566c4e8a5899a1fa58b2a751064aa7ba692b9960c4dde658a4d627bb1511	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d058f1074b07da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{329A2711-733E-11EE-A91A-7277A2B39E8A} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009159649b912a9140bf53d83809c5b2ac00000000020000000000106600000001000020000000179545dbef1dd357ac313ad977046915c80d4d81796d973a0388af5148d51a45000000000e800000000200002000000070b91d1a473c282c0045afefd5e17429e0c9d7bb6aae9ba576d361f0e9ee21ab2000000052a49b63a7551ca0b9d89e821685648d7424ed599db8ed04db33d6cc4c53f6a440000000389295dc4b588d30e2a0da6a0b416a0dcbc61d39f599bb6f675073330b835f0f3ee748e8e2f08c8732f5e2fa062531dec9fb22daf73f127a7ff9af8393e9f7b7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
1168	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
1168	IEXPLORE.EXE
1168	IEXPLORE.EXE
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 2376 wrote to memory of 1652	2376	MSOXMLED.EXE	28
PID 2376 wrote to memory of 1652	2376	MSOXMLED.EXE	28
PID 2376 wrote to memory of 1652	2376	MSOXMLED.EXE	28
PID 2376 wrote to memory of 1652	2376	MSOXMLED.EXE	28
PID 1652 wrote to memory of 1168	1652	iexplore.exe	29
PID 1652 wrote to memory of 1168	1652	iexplore.exe	29
PID 1652 wrote to memory of 1168	1652	iexplore.exe	29
PID 1652 wrote to memory of 1168	1652	iexplore.exe	29
PID 1168 wrote to memory of 2476	1168	IEXPLORE.EXE	30
PID 1168 wrote to memory of 2476	1168	IEXPLORE.EXE	30
PID 1168 wrote to memory of 2476	1168	IEXPLORE.EXE	30
PID 1168 wrote to memory of 2476	1168	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AppxMetadata\AppxBundleManifest.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a62fee4a203034a41ccca6e85fc2ef4d

SHA1
a6aa597ff90ef331c3eb909f4052cc5e05f0b48e

SHA256
37c2ea07e26589c1fc1050463bd6c596d89c2365e501eed00d3e2e99558c98d3

SHA512
78ed786efc564d06eecaf91f255b3033f623b8da62e492a2a740a7b10312a08bb467444bcd7ee2a22d02e8275138b2292b0424b536832b450b5f1c107b6cea4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4bfd24d823d3bf2b6cc4832ecfe4f1ca

SHA1
f9608eb4c9dafa6ca6d2087009191f40907aa84f

SHA256
794ae65cd3b38745ccfd7f825d880400eb00aa466ba0733e223b87de5a606d1a

SHA512
41875523da331b36329519008609d10607bf1392ec190b4bddff45f630c900ae97267d16390d7c65fe7e7e35046d6501da0da812c29c61462731ec7ae08bd5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3aeea3aa9f464e27a7c12bbacaa05b6

SHA1
ed39d296892053c5558faaabd4b7588f8795e2aa

SHA256
0884582692ad437d07a65a7e1ff1ee3a00fe056806c8790a207e7393ec15c20d

SHA512
1741334ff39fcf1824bdf6a993a104acfffd2f722de51d0d59f210e7f6b20b7829a9c99f93f240f863079d3950b11ddc52bd63efaf8caaf4a308cd9bcd7b3b0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e3453cb065bdcec346a4283ea900dbb

SHA1
6a578d4c66546ee90503487aa959c30707798b00

SHA256
3e9de7d33bd113b39d430133498c0774f723d409f98a147cb2c4051d709d7f08

SHA512
88ad7741484c304fb171f15d0c723606f73fd252fc793fde673d5db3afd7dec01a048ebb4c1b55ea129d04e4593b264d368f9d276397365280f3d273c68628b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b783bbdb61af616e73d672b6e6eb0514

SHA1
585dd5f65a24a144f18cf55487650819912eb200

SHA256
544abe0cbf8e4f6ebe1df68adb88b4212c7b0df609c73d47229103d26df1cfca

SHA512
8a32535f5bb70ecdc3da81fa706bd0dee28d08cc744f8a6191f8fee3fb93eb646818d32b5ef689a817ef2f4fab6f012f46c099804a803dbb08d3803e0ca89e79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46ede499117a1bf036067980f1eb22e3

SHA1
15d4c6f6c9496cad885d207b661ecf1b5d41783e

SHA256
9c0ea1891254691f2570fda4da63b38303287114614b1db5c8c3a85d626d863e

SHA512
6fac5ce79c0d76c1fd8afe64ee63c69abf822639d34d2c610362b59c0e08145fdc9bd2396b6a8ad9d2b9242d8c7a597503ed3e4b5b1af92dca8fb90d45e799e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3e98570ee3d174c7655e3d0ede09854

SHA1
56072889299afa41c19b0ebcb028f54a9d342dbf

SHA256
b96079d99948da308e2d1ad19439c4f5f7681fdfe4f5833d075bd2e210e897c9

SHA512
53e9c4082cd933a59e355b29ab0b61b9b983ad3e538c7c46e49781b1813e3224f9a5e3a179f35e4758d69e8e96ce605075c78b823a306327e50cd5d4900fd6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab69DB.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6AAB.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF6C7B5113B5A183D2.TMP

Filesize
16KB

MD5
b1fac258f2340292bb79c541703d8fef

SHA1
c10c98f0c98038ff0ed0268500b8766b512b043c

SHA256
87e00a427c3efda5d1c8147b17937c0e9e00b4bc073cca7cfca40a5f742fd249

SHA512
eeee3400d5a7ad450dbfc61d47cc177e85e7da84465ce3bad134eae35de809efd5660db593eab5c68d327deb967220a61d1208969e1bb3e949f4fdf6437721f1

Download Submit