f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
29/10/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/settings.xml
Size

3KB
MD5

94fcc0477c2d0b80fbfd3c1f152f6237
SHA1

070d89661789646b728a8700d829fe4f696fbc57
SHA256

6bde982bb78db837f5f43164421f3022c0fbb0d9f51ee698b596d982ef17cef5
SHA512

c48f131d719c324505f8440c8ca7bced37d297d7ac5d3f82e74815e57fd4e26a3dbe4ce33840943c6ea169b97275f6511e77ed0fe05bd36a4562fe5642547556

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e9000000000200000000001066000000010000200000006dccb5debca431b8dd28730a078871f6a81af40046f96084d2563387d21a9c55000000000e8000000002000020000000598a9dec662f5f02c4dea848d683bdb0832ba080700b47d0c9c64b5e4a68209190000000805668467a1d0461876f8d969a90b87de84491597f2cb3ee135e324bff45641cb05f40f3d27dbc097c27428859babbaf6bff43ba66faa11ede52ade9c50ccacbc0d9d293ce241dc7b7e29c77ec959622faf48e1229c5470b507bc6f572dfeca704ee685ea623191e0381cdbad0ecfb86fc8889e592ed7f390f9338627b46aa8afebdec2da2149c9edb15900558be155040000000a631ebcff651c5a1f0db0a3b5889ff46b2205a95e249770fe8a40f1ce0180e228504eb7d8f23c56933097f8c2c87da9cceca823fde91a61eaa217b6d902bf1de	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80708cfbbe0ada01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404783691"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26C672A1-76B2-11EE-AB10-C6963811F402} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e90000000002000000000010660000000100002000000013527349385d9555f7b234bb66d3dc3f63c7e7e09cc7a6af9c43af6e45b326ea000000000e8000000002000020000000fa250be0d9cc06bd5970b0011516603cca351f5d38c984c0e6ec1b68c024cac720000000fdb484e9ad79203cf7dcc1d3c88af5338d842f99f2cdc6f11b02b08115f149e740000000168d63a2493ba1df04a2c2008d51d0508a637080d14cc89e9f7aae27526ae0032f4736250a959be3b222c69bb1554aa84da6e57d6d6ff704c56a3dea71fa4388	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2300	2200	MSOXMLED.EXE	28
PID 2200 wrote to memory of 2300	2200	MSOXMLED.EXE	28
PID 2200 wrote to memory of 2300	2200	MSOXMLED.EXE	28
PID 2200 wrote to memory of 2300	2200	MSOXMLED.EXE	28
PID 2300 wrote to memory of 2156	2300	iexplore.exe	29
PID 2300 wrote to memory of 2156	2300	iexplore.exe	29
PID 2300 wrote to memory of 2156	2300	iexplore.exe	29
PID 2300 wrote to memory of 2156	2300	iexplore.exe	29
PID 2156 wrote to memory of 2648	2156	IEXPLORE.EXE	30
PID 2156 wrote to memory of 2648	2156	IEXPLORE.EXE	30
PID 2156 wrote to memory of 2648	2156	IEXPLORE.EXE	30
PID 2156 wrote to memory of 2648	2156	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\settings.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
786c3f6d0df0becf7ac135517b0ceadc

SHA1
febf013c13b2f9b9aac0078bd2117b186b64d8a5

SHA256
05e21601e5fdee88e6dd4f9e71fd53b0d6c77be09dec7999f931d886abf707d9

SHA512
e73faa413d7a3b950f207755c58eb3b497e138d1aba3965f423f0ff70cddc8289ff3955fdd684564fcceeba4336508d98919a02787563dd215a6cf2556e45110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d4fefc26c91bba433a3fdc9184c36c3

SHA1
34f4704517549b11b7dd215c03a6287867e4ab6b

SHA256
1388151a4129c86a5b4a6d43a51baa95be87565dba812f56fab5fb632282f50a

SHA512
ef13c84d43119d9b9de72afdb9bf8206aea80f70e09a3e55024878577ea5934b40638468c750689c94dd1321a6d301c8f995615b90042bdfbda6e3808cdf6f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8cc244df4101873472af23ca353b9b43

SHA1
e80b990dfec06d2f5a11f449612f4a25cc6bf77d

SHA256
482359864cc775c1007224fba9397b0caa5499550a6238ba0073a127a640a3f0

SHA512
aeb0b2a3fa24257e1a01e0599b283b0cff9cd6c17de1104881660bbaa1122d79cfde9b51ca21351bfe066d64fbb3ca606215a9288d2ec36befd4162dcf2d8a59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bad0c0d2da7ab9ecde198b60ad8f8f9b

SHA1
aef67cae933147cbcc4863c7b4a8f11b8035132d

SHA256
7a3465fa9feccc97bc28ada212bb5b2c9a2fa7047db4184a4be1cad7615e4bd8

SHA512
d14dfe3164a539edc3c187ce77317ada2638ec8043299784c64b6c48f6d57e8f33d6616ce6e5143e175e579e898850b1a6ba6a4f23c879f59a1a4aba8aba9d61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f641bf4c645075560ad9b10eba81098

SHA1
ee12f68876d45fe5ef415ce65bdad804421e06fb

SHA256
2867efe6387c53e49dec0f8b77988c1b47a51de216d74c2a71c9bec46c4b5ad7

SHA512
8672ef114f5be9b1761bcd3ebca8433af515642963227db9dd31c4b54ad2a7812cca3aa0acf8d2a4a4e510ed94f93fd89e03aeb865f488a513cd12f31da833d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14de61af8af11c4957ca2e60982745d7

SHA1
8dcbad5f15842dd2a7748f7bac424214d12e92f4

SHA256
d2707be09abcb03d738c46cf54e4aa0dacca413b060f3b89102e4a48e39e99bf

SHA512
8f1ca5169212e3a6fa661b5bb981a999e2c577f7b83ee617f3cf5080fcc350675c2c376e6da355437ad356384aae25ff76be68e525660098d0aae49e4e43301c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0912ccf6be79052b5a675fcace57d56

SHA1
42c58082b8a1e46fdd4e57af73d23c25d5d4c7e2

SHA256
65742befa58d9536abcb2a95cb59e7e59373e499adaf06b7d30620102a788af9

SHA512
9e055759258b1674dfe13712329d0eb65aa86dc20b71691f487396e8d532ae236a242c54d756836bf75f8a2e284b25ee406c372a5626e4f41b10f96ba9591acd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4ebedff2d63558ac59abd707b36d06f

SHA1
5afbbe63a737e9aaf5859fcf8ed4acdbdce3b830

SHA256
a744e83c4d1344a5faf8d9fd94e388d6a6f85ba0a3878c9916377b5fbd2042e8

SHA512
efb04aa87dfaec4cf612e1374f83d505155ebac863517378dc0164418f63f078ada5111f221bc4cf0455c6b14e2245c207fefe1af9c801d322e29265203f5678

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea3281663e64e0db1d0e1a8f21b0f3ce

SHA1
93876b20776dbfe874ced85dd99417ad624dffd3

SHA256
4a34301e41fd65da45071e5225a114200cbcdfd5cc2d955c53caf1b0220c3d1f

SHA512
53a34d621a4a469f4d3c1fe3894f1214a1dd2cb8f6cde0404d08ec94bacecf5f55e814692de436672844465178f8ad922ef2bafc093d3a12616c465d6ac01bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6838.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar68A8.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit