f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
132s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
29/10/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/fontTable.xml
Size

2KB
MD5

770b86eee170314650f53072ea9a6ea3
SHA1

d335dcb1db50cd842a3e9a3b187568dbc5f8f074
SHA256

12e9a420b6614709f90815e219dc6a91d23f08500c6e0fc604eaec32d53d3c42
SHA512

f9069c05936c88fe3299eecabdaea9a2e0cd9a7bef7837f77f671ae9c26585074498bf4312782c5de10eaff61594560699d9c01bb8b803f3154314c83c88da25

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404783671"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26C55961-76B2-11EE-B844-5E980B41BC44} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000efd84b60c288f59fd41559229170cacb2967bfa5838dc76e6aa5ac2e5537eecc000000000e800000000200002000000064d2b6050bb67c72b29ffe8b3275d2e3efa58517f2c8cf3934db14ba37d8ae112000000002c3f7b17778c2d9ba7b33ff205459f797d9d1aa110267d88a17da8bdb292fad400000004e591407454459916fef758f479f8731f094bbc444053d0642566ec5182329c7d25c02fe1d79f57e76bf1ffbee08b0ec98c220373e29d94dd7c913114008888a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0df5cfcbe0ada01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f540000000002000000000010660000000100002000000076ee2a39e94fde5a870c0df6c5e7b8f0e4f79b9b7888c3f92c58131b8b8c6bb0000000000e80000000020000200000000963e62495136d2c5b639c02e2b16fef4770486a34ddbff2b67ea8d1ab8dcf6d900000008910b47f6d1cb6b518720993ba1a8ec76730e3ac1abd84ae9f7d4d47cce6199a7d886eb0b02ef169d8e88341f5636c07e5e04fe3f3c36015d5246981c9773cc3b8bd28e806e50b59f9cd3201e9adf5a391ae4925b8ee939a98f444ed2768426a7f08b03f3cf6199224826f3171169635bce40059b4d3d5e61a736b870a76948e9640fbbf61db7cba528a8db36adf63f540000000b746b0eb61a6c1ebf5bf2498bdd8c1000a8ecfffcf7b0b29830bb61c821e1661e519e97addff99e8e081463150aadd9e62664d51804dd54042d67f9e76c8d059	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
832	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
832	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
832	IEXPLORE.EXE
832	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2676	2080	MSOXMLED.EXE	28
PID 2080 wrote to memory of 2676	2080	MSOXMLED.EXE	28
PID 2080 wrote to memory of 2676	2080	MSOXMLED.EXE	28
PID 2080 wrote to memory of 2676	2080	MSOXMLED.EXE	28
PID 2676 wrote to memory of 832	2676	iexplore.exe	29
PID 2676 wrote to memory of 832	2676	iexplore.exe	29
PID 2676 wrote to memory of 832	2676	iexplore.exe	29
PID 2676 wrote to memory of 832	2676	iexplore.exe	29
PID 832 wrote to memory of 2416	832	IEXPLORE.EXE	30
PID 832 wrote to memory of 2416	832	IEXPLORE.EXE	30
PID 832 wrote to memory of 2416	832	IEXPLORE.EXE	30
PID 832 wrote to memory of 2416	832	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\fontTable.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f9c0e1998435eca6c294e48e0b2ad2a

SHA1
0d5231c0481b6852a4439eae763963809f99a09d

SHA256
4d5628ef5fc5556d72276486ea4714021050ac1098249af23693bcd2b8a2518b

SHA512
e0979c9802c684e855ebe3a55bb3c4247c1c7e619131848dbb547c5bf6f5d97b93b973123e71f6ecbd88f5972b96509688e8fe097d49e185132d3e000d8f8a93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e77023874c2359003162bb02fbdabdce

SHA1
51ed48d39c5bf7a5631ef809dde98396b9e5041c

SHA256
1d3997b607004b781d5ebdeecec69fddf4fd8da4a18e26080052bb3ac402d41c

SHA512
7114ec31ccd1e5fc97edc320d12c9171fea59d70678dd7ec6e918dda628b56b2b9cad58c0c3e050afb5d39604f8f554ed764e969abc1ac9f10a2c1d1fa9bd00e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f8b6da883dc7ca2a052755900923bfc

SHA1
c883dc89997477137a1f621e612d60520fd82f03

SHA256
3bc377995000ad07808d5ca0c4f6d00f891d25c8778f20a7be9bc740de3fb931

SHA512
cc5c262497b2ec3f0192e9448b42f1b83e4c263d41295cc287392d80ae3f186844082dd8c7b6ecb38ae17c14e469fe9574280d64708ef0218009e6656f1c6117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2188c56e4f5c8e7359703cdf8de5fb3

SHA1
322dab6964ac564754f6d0ad22583f3bab5d4a34

SHA256
b79edec940a8de518630ee8976192ce3774c5cc598db2c3e74a73562983ddc28

SHA512
5cad08e07053ec105dc4061b037adfaa80c09797bc81c2e357755b1281e6728844636c35d327d93c096ea5459ba35df90fa9b0827c385a77fb962d8ab36e3210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f5d225ca73bc178cafa4b1ca40aca00

SHA1
c079576351a4908e37b9d6b880a6e35b3521a91c

SHA256
7c1e35d3977ed4e0a5657ca02ec253a36b546cd8f77113eafe1af646d3ac3923

SHA512
81c0aea3cc2e30e689a15dd7b327ed3f90afd7faba49d5a1b1ce228def08c0b1f638cfce0f34af31f4ae5a2d33f04be261ae86a1424a103210d7fa027432ec1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98915587e599c79bfdf551c2a64f2b55

SHA1
6f6d96c9392d8ecfb0ec494a1588509bb3209d72

SHA256
974f675c305ea98a5c4af7afb4d841f5ea53adaff15a4ec236749066f55b71bd

SHA512
7ec59f7d23784efadf544d3895b1c3a9edaecda15314547201bf8c094d8d1efd227bdd40e144655d2b16936696fa23550a774dd31ee429ccceb42188807806b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c8849a03a6a6474727a472236e5c4e1

SHA1
b8bfe2bfd5daa209331d2c93c7a8c71f5776defb

SHA256
62810b5aadbe29e5c0c43fd3f979e2b3a0b10e4d78bf8f9df1d357d485c25ca6

SHA512
5bc23f02eda7e25dad4bb6393581839f2db8eb00c77c606f87512368203231febb82f4db53794903a6a948243a00964b7a6db308036d154f760737ab9317df24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e70885fee30f40a9c810433c68a68e4f

SHA1
c0c4faba6d3c1952ed0ec0009e137f701b2ba314

SHA256
ac8acfac5d9c4f9216503e8f86fb1a06ae73346e7e97aacfcb1a991f4d878dc8

SHA512
2f9e027701e0481b154e25e8ac00e38677b067e76c404c1677be38b678deee3d24d7b8565dbbf2435105520b435b8788ec15963d96e7d5612cac541335450441

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f593835f88e2c792d3ce365ece1da17

SHA1
42846057154e5aa9e280a23d1d4ce0823872594d

SHA256
d65fa843e857a4ea325ef52575bf3194cb462c0c3a34d460392370efb8c86724

SHA512
a68b2cfb8bff6347c36cf1e02a922d30062e28795452b79334f4560994b19b896b179f7ef8aa4c292b4b410342caadbf36ecdc481c3d41a4d6718009d073ce1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7478fa5568eeb5addf91fe8ab6f78a2

SHA1
0c23ffcfce27573d4118ef159f70a1e4e4ba0380

SHA256
2c5f38b67cbc7e84ac130a89b88da1b3a8c9367641890faebd3a54c937884ec8

SHA512
322369bc66a2adbfe2040434237917942f1b2a5a6720f3dd6a4ed42bb73d7905f8aa15d68c84480c7bae6b07a98f15051e36c3fc68f4e893911e3ad3106e794d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
745ab44c4156c383412e4d0aca21973a

SHA1
ea83335afaab0bdae083914dd04f3309d641ac22

SHA256
03eac55b828bddcf0a59140f8d354ce0860c0882105baa4e2717bc41a4d83e71

SHA512
c48cfb16a09eed74ea0a45a4a125c2522bfb938fc61ce3e01fe070c61acc10d27777bf7377249b70617216406c34b043c5e6ee4bf84ecf8a92cd26fd047cbcbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a0ea543eef996b5cfdf0b04bb5a1e17

SHA1
f6cd36d57d18a794dace2abdd0cb2384981751e1

SHA256
2eedd4d75d2c82c055249945712d3cbdfd6c309e4b2c536e45e4464e460859b9

SHA512
b0c2f107063ca3620ecb5ee8b39f772aaafa614e2782a83c68734d383e2360432bc2aac4e0549a3c4b8bac1b7d3bffcaa188b7e8e5df741849407b9cf700b342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2508cc212f30f0f1b944162ee5344a91

SHA1
c64963b166bf698d30a3081f851a01fb9c2c3b1d

SHA256
6d52935bd35ad7f23263e26cc8ddc3cee3409c4e6505c2f3f7cee4c2ed643458

SHA512
816b584ebc1a8d1ae1ce7af703cc38c0cf65aeca178c63ae8ea76017f1d669aa0bebf597c44f56f1953b3cb0278b3c260a7e90d15dcbd39d3e706a00bb8775c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6645.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar66A5.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit