f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
29/10/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/_rels/vbaProject.bin.xml
Size

277B
MD5

dd79e6440b0515bfcf771c2c5286a2c8
SHA1

40dc1e00e2663cb33f8c296cdb0cd52fa07a87b6
SHA256

c97833e6456aa2bfe9be614f9c3ae41a8ef764b1cc3af92c6a6f273c62309122
SHA512

461bcf63f03a733208cc31a97c649b5dd4e4af9f8b166e69eea8094ca95c4189f5691d7d3ef4e63ac3ccd8202b46fa9afaeec97a03f99a04205db9ab4ba16148

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26D28091-76B2-11EE-947D-4EB5D1862232} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e90000000002000000000010660000000100002000000019bd28c0813d1b5eb7d91be87aaf732b158561d79d3aee65557554e9e230234c000000000e800000000200002000000057f547fd6f347af6d58b29681ea3e55ab3afa769078ec9ef68598da90b2013e190000000b24abdf866723cd290a69429a15568dd346e294bb5a0c65bc282c0fb2ea2dcae2f7dd7ed274d561c85dc94e6d97f9e9aaaa436f01ef72b5fee83be86f4b19eb38906d130a7d0825a96bb5f324c662e23776763349ad974883cc7808512e9774654a20e91ef8ec7a494b4a19c25fb7758f86793bbe7e648fb278eb8e5e49c49294cf0ca80b85a40b28b0acfc7603d613640000000664c75368a90e7f035276dcd0b233bf217f8e9efe118052a09e919ccf69f2095fa2fef5eca6411eb8ca747e715e54a7e20337fff9375dd38459cebea2ac82599	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 803496fbbe0ada01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404783671"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000c2c2c3c8ebe808b8dc5c62db6d35200ac5677daa2350e0c30331b1e259ff381c000000000e800000000200002000000058d3c8b3ac94568a2ef8f27aff4dd29664932b6f9e3d241210fce0956ebb6b04200000006be639a9c1c77e608a738faf8c6e3e1516dce7430c8c0b339c960f1e6fd5d09b40000000791fecf40844feccaa7df22a00743c3e67a94f379cdbb434487a89fe6edcd10219a804dfa8d3f265b55deb6a411ecbcf9e406067000a16d75df0efe7d8059cc5	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
792	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
792	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
792	IEXPLORE.EXE
792	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2216	2440	MSOXMLED.EXE	28
PID 2440 wrote to memory of 2216	2440	MSOXMLED.EXE	28
PID 2440 wrote to memory of 2216	2440	MSOXMLED.EXE	28
PID 2440 wrote to memory of 2216	2440	MSOXMLED.EXE	28
PID 2216 wrote to memory of 792	2216	iexplore.exe	29
PID 2216 wrote to memory of 792	2216	iexplore.exe	29
PID 2216 wrote to memory of 792	2216	iexplore.exe	29
PID 2216 wrote to memory of 792	2216	iexplore.exe	29
PID 792 wrote to memory of 2632	792	IEXPLORE.EXE	30
PID 792 wrote to memory of 2632	792	IEXPLORE.EXE	30
PID 792 wrote to memory of 2632	792	IEXPLORE.EXE	30
PID 792 wrote to memory of 2632	792	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\_rels\vbaProject.bin.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:792 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee6a9c6105378bf365aaf6e4309a84d5

SHA1
aa7019bfddcd0f84f58b61bd94c348b2dd0d4129

SHA256
44df881850dd40f1766659357c46647880211b6d56a439b46d0f3bfd56d045a8

SHA512
45443b4cd20bd4ce8dd4a06e1db272d653ea7f40674c7ef8bbb49601e6f4fbd78a16150998a1f4626f6c277f36af54b5bccfec9e51c401bbd2ab8cc31dfe22a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
473adee5dfd72b58b29b580d930be32c

SHA1
8264135fb6cfe04f8401f8962bb8eb164cb2f052

SHA256
b02d1cf2b511fff238220d7c5815f84c2a59adfdec5ee7d9a645023a3525e3b6

SHA512
9ad4c060bee933e58f62bcaeb118c4cce71778b6d61180d8b85a322c54631c52e002779a2b43a85c69a696294ff289604538f1169a0b8eb63f6d31733ffe4068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3f42701cbd3bddc72415f22e9a63f4b

SHA1
5f341c3fc959d0dacd1df34dad9388910fc7ebda

SHA256
3c4a7e7dda3f1ee40fa096da661e6d3aaf01acac0e9b027b033aee9dcd6cee72

SHA512
96522f5b26700d2b8e5af1bf956a2244b549876e6ed332494a1965db9bfd543727fb0aa6fa7fb838a5bb93598584e96c971d93e8e638b764578e59aeaf238b74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a6d69bbd01e264507ad558b3c964affa

SHA1
5b3f2f825e5ac5ffe9b162602347477ea7bb774d

SHA256
7414cc7a77237d342579522af5ad4175f6c90aa3dfa0f9183d6d46d495ae129a

SHA512
ef4d8faf590c4753df309849feb27667a3a89ae05b9f0356c541403040dbc6c3a8e7580e3fe5438dd48255d6496db53127b29b166be7a92acb6e8c48f61a0574

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e5d7e7a3b1662421fe1c502e686190b

SHA1
4d6f174d5315e9c2cf99ad7fded04b64d9ba07a0

SHA256
588fb87fb5e117c3925c5c6c2a39bbf2da63022cd9c3165231ae90a7c56aef3c

SHA512
0a747f829d206cb8aaa1e2899ac1c7ca917b3659ee5512d360193f0a62771f29a6abaef2de5b55b4e82731b4ddef611b7abead62865749c0a295207923b3a0e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9101fd25ec584b88e71092e3ffd4bb6

SHA1
9916c5880f0612fdd8bafa9326b2fb636abb85d0

SHA256
b780017bf548f0e90c4e4805a528a3d581958032447865a66d5c3078158f0e51

SHA512
506bf222863e8a3a4e25ed3e94ade762535c708425b93dcbe140b18c8dcd2b7a3a158b5e534814a3f23ac2e02133e96b8a15487aa4d79b3ef88ae3aa38b70c71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26721d2a9861c679011e102c3abbc78f

SHA1
5336815e843e7e3de772c9bbdbb9c9b74d7213e4

SHA256
957af66a6f7b5a4c20e44362de4c4912f435c8ea88aed5e9243e501ede8615d3

SHA512
c96612615e2d57d9f5faf99a00e0797ce1597454445d208936be9e99d70324fdcdee02ba17231b47615d6b96e1579af42dab17f09a57c861789ab83c33e41c3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
beefaf67b7b11319a9753e03ced84aa9

SHA1
521d3eabc4bbcfa4ae64215b4f1bf5b3c9a5c9aa

SHA256
806224984ba73c5e4d6fe06298bda9625950d8219c51c7c1b03a0c3c0a7804b3

SHA512
7a47d956aaa090a8e521dfba2960adbcf61b6c82c992ac449e06b752f143db0fbae8f27f79bc125cbb23ee9011572b8be84c34401f63d2640c96f66081d10677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
669532b1825e7b0d18c27948de120bc6

SHA1
50808f62a5721ed020e4b08620bb8b180fe2589a

SHA256
5885df8cdf3cd5781a153f45a705cdad0c5f4d9fb3a20afa239bef48f4378447

SHA512
c97c778f0f4f19a4e211e9eb93fd48fa5e361a68af7075abb88a9cad333a743b24a57b53d7abc9ece16defa628c6394ff679f4129c620cd6e741a90bd6ce1aba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62395480fe727d31c6b59c9b3a3aa5a2

SHA1
df6752877bc95c7819f2f4e7a0ea0f04e53594d3

SHA256
a5389cfca909a3e5b2d67f6ca2a71e20e0ef2328ef3a9e757130e3e2523dd5ed

SHA512
a8d68382b901b80b05f6cd59a405fe515a87d21b90487f2038564b32362f129470367480e06f6aa41b1b4133ba1c23abbb1cfecd3bd13435dcf9d0a8a2b85213

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f73afb28f14ee2460ff4fc532055a69e

SHA1
7b3726f45cc17655605eaee4125a86d7ce820556

SHA256
2fe29075280d52264c0434dc2c352411beb3651a8444954f34fcf96af9ca34bf

SHA512
26f010ae0f67d7c695004668e56eb4dcf4ca3754a2efe805f42759b5e24f6dd394f846eda0152e2caa59275dc82599e1c5dfde54666adff8781a82c7eec25457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df97b24e1c2fc66933f1b5cbf22feaa4

SHA1
d1fb025de8eb9a76c2dac03ff035872efbe8ffb2

SHA256
557c0c5342590d1f5350d26aa9ec52b7ccbc26649dad0e122ed6c6302781a5af

SHA512
7fc577ab79de55ab544f93945048b076409e7e436ea1612c6947fdc3cb23f91daf0720a310046d6ce1484ada16fcd917dc7322ad25b224aa8f480688a2efc931

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5505db4b7d1ea3958d979b3773e595b

SHA1
1c135e40bf1645ccbc85e8bb37243e38027a0834

SHA256
6b0c328d51062cdf5556dae76f09f0b0e067d9cb79c8d16c5d650dc2214ffdde

SHA512
725db0b121b97e13934f17a0237ab8760b0e254d021f23fe594846b43640efbd5e408e56e71fa2e6bb6beae1ccae06816187fa8162f1a2f5b2c10dd863710d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5E78.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5EB9.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit