f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
132s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
29/10/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

word/vbaData.xml
Size

2KB
MD5

d11c77649d1825dbb1581af91a1c67af
SHA1

f25ce143180a53ea75a50a9163e61eb51e06431b
SHA256

119ac08d8aaf410f9b1477e460d40e6b537233080a08f90e07d3ef89aa797235
SHA512

77211b7bcaad4f617b647ffdd9f9eb5016338ffb4cd712446bee2e11b33c3e1c746eec29047397eb5e94c40b1df10edf42a24d0db8fd51e5b09d506336c06142

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000c2afb4bb13b92e4d3420fd59defc1318ad6e6217be5a6a82d95cc45c64a1b553000000000e800000000200002000000030100e9592fd41d4c6201b153a1002f435298a59f44e03e278d964d0f82b17c690000000831443403862f8242f68cb1c548184080ac45eaa07ffef3350169af70787b17a1b049e3b679555752ecee576889028c6e82786e1ba29f780b78a6994c72e75453505024700b73019bdbd5ebc96ffc3da91f9a4d168a98149f7fbf63cc27fa6b3f35bc5ab4ee054618f6ed806703f061b42bb19cb3b3153403d556beb65be9da93227c6ed1e94006001aa9f2867a9e56a40000000da1fe6d9992621451e6f9605aac94baf50128bda2486285cf2e12e7e82048bfb457c0c7b4f7f61d23adc47be95ea376ae05f83f97d10bdd2ecd09d5ff88cff33	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000a250cbd31e603acc1962cab4501e4961ac5dc6f91627ed0ad9a8ab4612ea2583000000000e8000000002000020000000b9e7297780f1e33e3b03ac6cc5f628694637c5f426e8c0fae4100988e57ab93e200000003a4c9b39f5a451e0cfd551695b257f27e3d3b97653e828855bd5e36244f7e26640000000526cdd521db9663b0a8b21807e3d28f98e201aba8e21c1b27282a7c747283501a4c80ea59bc23f6db9959b99c4d3343380853597ef84c59d12c94f360e5437bb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{25FE5811-76B2-11EE-AA50-CEE1673409DD} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404783669"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b00db6fabe0ada01	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2772	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2676	2704	MSOXMLED.EXE	28
PID 2704 wrote to memory of 2676	2704	MSOXMLED.EXE	28
PID 2704 wrote to memory of 2676	2704	MSOXMLED.EXE	28
PID 2704 wrote to memory of 2676	2704	MSOXMLED.EXE	28
PID 2676 wrote to memory of 2772	2676	iexplore.exe	29
PID 2676 wrote to memory of 2772	2676	iexplore.exe	29
PID 2676 wrote to memory of 2772	2676	iexplore.exe	29
PID 2676 wrote to memory of 2772	2676	iexplore.exe	29
PID 2772 wrote to memory of 2768	2772	IEXPLORE.EXE	30
PID 2772 wrote to memory of 2768	2772	IEXPLORE.EXE	30
PID 2772 wrote to memory of 2768	2772	IEXPLORE.EXE	30
PID 2772 wrote to memory of 2768	2772	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\word\vbaData.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7887b3311fc2ef18de2592417732913

SHA1
8c6d7b8b8599e8da434f50f5e4788eb8e9115c20

SHA256
c124792852a98d6ffa5bc90a8be43e8dbbb1d0a0a408cc7ecf8b370f60f1cfb9

SHA512
db34730ee2d662a4d7441beee09ee7324c83acd98807d32b36ed330e512b2c642d33a4660c504d9a500bbf40dbb2ff66ea0f15ac0ca0565252f3b4d86470c7a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a41827404fb44fedf62b76075c0c59d

SHA1
e925208307079835e4de54781bd0ef4c8a551b93

SHA256
e28c1e2a0ce5185d730c5a49b3542f4124c25ffca10f8a89662331c9fb3b5e67

SHA512
e81c0902042bd41492cb06c80fb19093f048c0f4595ec7d46c3afc2f219536a499b35d8f7577a47cde21c8e54435b15c56c98567d36038a1ba3653fd18ac6211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ad44b8ac653dcf03d7b2a2e253baf1f

SHA1
7911c97209d9bd5c82ddbd895e7ef2ed18f0af90

SHA256
a836710a58146e6bd7275b6e5d8d448d02a16b3f1094760764fb3e7b98ca000b

SHA512
d369fa4460bde76ea0774ea356b714f233303bfc1b35672e5508420ba219608b11ee7f06d2f936eec31817e104c5af37aa4a4428bf9fe6d7c82bbf1f4dda4b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6459a957c25bd97d538e37b992ae7b9a

SHA1
cdc72bbc13f33572b0dff50ef4a84470c79a839c

SHA256
09678e7397c5bb75df683c289f3de9a07a0a2a5a60270dc2995f10b660ef5ba6

SHA512
af30e365e31504b10da6697eaa54511b7358d61852a894b93361ba3fe8cd30b9e7deaf4475defd6db8a9b64eeb6401627e28f9d53657ce0e96f97d7eb30be065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
409f30e7e11701967821684b31b5a146

SHA1
29108006f39e12a57cebdb899e99c4c360d04e03

SHA256
922ccbaffd50a7fc7e39c2bddc2c6cecdc67913c3df6b4e9fe048e37f9a5060c

SHA512
de9a9748061fc7e4542e23eaff6f5b304ae9954fa2bd0481af24d63a4e46f6e9ce1736639428a417ccd077a00917f87187812c3577a143d9e9b93e131c09d2d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b84a011ec85f2264908cb58a6a13662

SHA1
cf8996985b45208ecd08eebdaaff8f85ca61b570

SHA256
b31de5e8a60afaa3c834d9e6667a0f7a6f423874393e5f0957f800564f5ae380

SHA512
cc5f25feaf40a4cd6fa4102f01d3357c8ff70f316576713c5d83db75caa92bb75d2d55e6208ba04f97c49efbfeff0a187745d89fdfb9b98c1da627110a572921

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfb876711e8918d6c34f550689df6cf2

SHA1
80448f9d055f282c15d6721f7745ed8949883a21

SHA256
9c61bfb12c928604ddd47c0456d3b27e6ac3e2b07665c96a4a8bc7578a555bab

SHA512
d78838b8a200e96023eeedf77b59b9d8176b73a63d137fab6d287ec45e6791b7d97a253c93a9937818ceb4f7b54d2c9c28676d64c1a01c8b679dde187e51c9fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4eb80d832812e1f24558b571e2e082b7

SHA1
ad314ea5dbb7dfa4e03b9e3517986be90c39a27b

SHA256
fe309aa3864b11bf11c5f3258c17c6d61de21778739758dea13e7626c2893645

SHA512
e84acb99201f27e5c9fd1db90e14f456ae5119db17124ea5801d118aac726b51ffff7f3ae92aaefa716d11a42b797594648722d5bf79d3ceb61b3963d239fbab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30f7b1282a8e01ec689618ffb8e6bb5e

SHA1
33b7a523450d561304d50004c9a95a7a394a0235

SHA256
aaa338f9b89902b12091228496f15ba361067f75cc1bd25c8588d77bf8da193a

SHA512
624548d6ae830dafeac0493d948e9e6f4b45b3cff448da1e2b79a518a6ec8d517c1b009018b8547508d21a1948817aaa2d29619f242c4912e3dd44d9dcdf7506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fc09d3fbef5770eaa0e2b473898e754

SHA1
9dd22b48e180fd6ded2841d612a2ad9025d704b3

SHA256
4b0df8c5c4769d222020831bb6f40dfe3e4aa350f599aba3ed6bfd6d848f12f5

SHA512
44b257d2d7e9f5540b3f079f52d1a4b7fa036e2850f46a588a6c622cb624a548d177d6a8befc16bd01e1692c730abaf2a392a0f0b084fc95984608f4800617c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47EA.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar487B.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit