f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
137s
max time network
136s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
29/10/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/theme/theme1.xml
Size

8KB
MD5

2bc1ce59fd7b0a0b8c0c481440aff611
SHA1

3af65e014f0aacc7a5070dd36206b33c324ba156
SHA256

2760e6e84d4bf365af6570192dbe9cb57bb32653388d0ea041d116b25b1ca0a2
SHA512

cad8e8f90aa4ee2fa6b4e5a9c20ef0f876ccc3d6d2f8978f176308a1e3a8c86e57fc0a505ab8d22a89b60b467ae5a6e844613603e192d965564e0583dd6e5574
SSDEEP

96:xLM1d+8FNk/VmWHS95EUUwctUNoJuLIMFNk/VmWHS95EyUwctUNoJuLla5H7O8jE:xLM9AcCnGuMBR

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd669200000000020000000000106600000001000020000000fb4839cda76af1d57a8735d7a56d1c350fa87c63c9a2fc138ebe2236dd75be75000000000e8000000002000020000000358dff8af14800bd9cb6e7f8b34ee7bf3a463e1e02e2d933acfd3b1e93617a7b200000008d6cb7ed1693a7bd5147e62967ebbc4cfc37dc69e06346263cc54c0bf0e85ff0400000008645d23bf51881873b5294131ce544fa63a7fe76a11610d62fc229d058f8061b6ffee5c60338a2d688ec53cdb6047ec249d28b9aa40dee0f8c0276e14bd2cd34	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404783674"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd6692000000000200000000001066000000010000200000006cdb4f8e420d3f41d29eac519d7b64e995a31af6e835257448e934de27cf8cae000000000e80000000020000200000004370a0e68065ab7aa3a5e72f6c5c283c2f3fc6c48b9321051474460384b988ac9000000068d256b7d160c42b153192bef99f5847a4597070a69dc3340f482bac2f78b94e1fab44468592d9712b4acd36d4dd18af6d6680b6670e0025ae392e7211b05eb6849d0b84360b05622c8f35549ccce338edb32ef110d45bea7652f7d475f1ae243f176f3052898e00feece5adf5bbd84a3cf541328087e3eb57b1bbaa5c60f81e1f0c390f83cb8822c3eef1972fe1b0e740000000696e30353eb57ebd48b4730674b600dd87e971cea3f1de6a65c7a207e01793dcbaa1b12fd7a1d7e0c0fb863e5603d2663aa5f60c21dcfadf5780138fd7c0afc2	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b92efebe0ada01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28F1AF41-76B2-11EE-9958-C652905ACAA7} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2684	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2628	2740	MSOXMLED.EXE	28
PID 2740 wrote to memory of 2628	2740	MSOXMLED.EXE	28
PID 2740 wrote to memory of 2628	2740	MSOXMLED.EXE	28
PID 2740 wrote to memory of 2628	2740	MSOXMLED.EXE	28
PID 2628 wrote to memory of 2684	2628	iexplore.exe	29
PID 2628 wrote to memory of 2684	2628	iexplore.exe	29
PID 2628 wrote to memory of 2684	2628	iexplore.exe	29
PID 2628 wrote to memory of 2684	2628	iexplore.exe	29
PID 2684 wrote to memory of 2588	2684	IEXPLORE.EXE	30
PID 2684 wrote to memory of 2588	2684	IEXPLORE.EXE	30
PID 2684 wrote to memory of 2588	2684	IEXPLORE.EXE	30
PID 2684 wrote to memory of 2588	2684	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\theme\theme1.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecf8e69f158eb35c3afd6b9374acfc80

SHA1
15a586a9015f2c2ab428370eba37243face11be7

SHA256
04c8c624147df752aa957fe263b05e1d458b379ee083b551014d53d7f3c4ce62

SHA512
915554711b7a797d302669db5b3ff2beb713eaa3b4d18000c82a45dae038eeabc3f1ad5f588c45ea23efa2c04d13ba328ca7cf3dd50133a3e9ed04e12b0a29b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
328d9a0dd5b2920c558d350428fc26e1

SHA1
b6517bf1d840d50b9cf356364fb95c766d0ff4da

SHA256
16f94159a7cd6e799b8c92ff2549bd300ee62374a13fb69cd6c514380bd1dbee

SHA512
a3975a7e9da1655cb6dd7e2aeb6b4e50b2b8f648f8787b9844e3931c8e3312b2264cfe373f4bf6857053cda9a61d08baad616ccb7f1b8eacc546ccbaef6f0de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a036021621af5e4e21aa55a3552a7ef

SHA1
034d9dae5a99c62d28525202c981ead4a3274a98

SHA256
136fef2d46420055922502ed5a6ef8b7ce6760e90eb681bbaaa13751984ca7f8

SHA512
195a25053197eeb2e2cfe1bb51536d5048c96963a6ac7a9241b07a92aa7bc6950816af9a288c5d4daec63ab8ef0785b52f0c743fb12524671f90d0f734662f41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
317c36af9233002fa2faf0eda056cc45

SHA1
f788223be09f1151db23d04351a7dfe1d6bcbc90

SHA256
aec2d524497ccd0b868901241a8f7d3bc06704b9f4f53708407a95db83de7b67

SHA512
e6e8eafa202ffa922fad3ca51eb4be1b4907d21e79516cc56b00fc150b33c271ea771c8d15cd66e89a29d8725284843d8a5222d94a06ee46a19a8c964ce8c953

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
631b42115c2214ac0c2884c6740bf73e

SHA1
8c16980aecdb651c3aef0e7f96774c4d73af8202

SHA256
3f01c394a90be1b198c0eacc8de0384af91b1af87c2d03efc08b3c06ecc01e82

SHA512
1ec90ec4f067a5f837bd5678d07182e4ae8b3b6c2fce30bd11e69a84690e81d4929d3cc55a458a2aa657f8ea48ef3853aaf33c888193ded0358d3db5e446cb1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
559b5a937dcdab8d2a46d3100d6c140c

SHA1
91d0b3f3358620c76734c488d2acf4c26fa29c5c

SHA256
b44918f4f9bfacd1ddbeaaafe79840208026dcaf94d9555bb959c46f65f99354

SHA512
3bc66861c4a59cb76c1b85dafbd893181dfd25fe33a4934ac0fa4c78add91bfbf506d1dacfeb62f9212d447f4e26542faf8179f16e708e9e3c3a744879bad3a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4043b90d0efe309d75bb0d3d805ef64

SHA1
060002b3a7f2f6e169bc3e700eeef721bad0e977

SHA256
844531a155f34661991c5d75056611ca6971d0e525b35e986d792e14a94548a7

SHA512
4f61f92493cf285814f8cdbcd174f7caf364e05db44d4064ce1b8807426f88ff096da0f27e97e47e0ce84eea8263cb5297fe5a90f5c33ee694b3b5fb7b095462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b554a9b639fd8d8e0d80684f0f35fcce

SHA1
c6a835b0760c157e4590284d60f2ba4cff962130

SHA256
91116b63160267208e0b3d3df2adebfe32b679efe4a30cecdffbfd4807fc049a

SHA512
91e9d7d616ddc4799a7f504fb4175b9839149b65bc63092eac06161f8f01cc2d20549c9207cf7dbb33b5772e28afc93c39a02bcea0805f529a8fd8309c91eabb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dcc76856c1edf34358d6b39a91259ac2

SHA1
4e473db241d0ff605d01c9e655ff56e8815505f9

SHA256
b44e8a78497f1eb69dbfe2735a81719b7432cac48d35043feaf87f24b8851b7b

SHA512
3ed33ffd6c8d73a41015aecf1cda7a030c3fdbf8a3ce726b17a71aabaaf4034aacbfb11704a6c9ed6e233ba95f7e99dd006f2d25410c377a4830dd0263250135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54f0101f8cf167ce842d5a4703b6ed7b

SHA1
91027fd636523170fa9abd4ab9adebfc5f7763d7

SHA256
c51a47dee0d628a222cca01f59f956852dc351ab0d784d58928e6d10551cb16a

SHA512
e3f19a4322572cf07ffa08caffeacd3d25296c063833657b8a94ac7f6982396523673394692f5c593dc52c48083dc283a0d12e4b699a7f78949edfc032c2b750

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab874C.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC20D.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit