f03e0df31b16d4dd954918c496a24107c69a6468be1f2703fe56ef1f91118e47

Analysis

max time kernel
134s
max time network
131s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
29/10/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

docProps/core.xml
Size

751B
MD5

6c0a63fc585f9bcefe6fdd7a2b91c5fa
SHA1

810f0659ac86d4308bd2e7bc9b05f210e2025055
SHA256

da36ca149dfd0e9dfc0252e53a2e144fa2c0e7561f22e84f078ef2e56f54f235
SHA512

86eaa0edb7d9b1351f87e0b08b72a710d59a55688e48b74736f3150da321a3987f13f3e3c09cde77089cccf41b453f06a51513fe0b9263fab6c2a5430c3db7e7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e717184000000000200000000001066000000010000200000001f97b7e42c5703b86326bd4bebf0fabff46bd9b4a94998747d9390302bb50b79000000000e8000000002000020000000a4c749f27bc10bb4f134bb2c843959667c804a24a89dbb2791cfd47e20c83ee2900000000bfc3b872bca4023d35440766b5eb03c61bdde5dce2775266e173fd7ca99a4a6565bfdf053c60892015d2cedc668c42a3be1c9eb290c31fe96d48c3f637e7b1d246c264951c3d8e02d32a4edc7ab0f675551bbf3c6ac669f06e629300fdbe873af0bc27b2d41e43675d2960931d4484cbbd659f58c4a242d7c45ca12f83edfb69fca4ed58e5de59f28dfe2483342880f400000007aa0010aa33f6336205ec4b4e91ed3ea87c3d4b288ecc1b2503f57dc429874bf0a6f4e8597cf521ac3211de11eafadb8366fe43fcd6631fcd7a463194ba4913a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e717184000000000200000000001066000000010000200000006abab8685c7f2dfa4831295534c93dbf82aa197d767ac968382c15d951da720b000000000e8000000002000020000000aa33ca474f95f918bafaaedb636380755eeebf502f2c00ddad37922ec6415dee200000006b260eb72e16a1203b8cb6c24836e83b80793db510f5736f26cdc9754b33dde440000000d00b7a6d9626ed16624ac91ba93642e2500f83b2d7b1572a5bcd4cf6be8035abf64c845934b3f44ca3e10ca053383f911cf1b6504d8a77542fe042dbc9b9e46b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{25E83801-76B2-11EE-AAF4-6A9A6F1CE8E9} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e7befabe0ada01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404783669"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2360	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2360	IEXPLORE.EXE
2360	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2560	1740	MSOXMLED.EXE	28
PID 1740 wrote to memory of 2560	1740	MSOXMLED.EXE	28
PID 1740 wrote to memory of 2560	1740	MSOXMLED.EXE	28
PID 1740 wrote to memory of 2560	1740	MSOXMLED.EXE	28
PID 2560 wrote to memory of 2360	2560	iexplore.exe	29
PID 2560 wrote to memory of 2360	2560	iexplore.exe	29
PID 2560 wrote to memory of 2360	2560	iexplore.exe	29
PID 2560 wrote to memory of 2360	2560	iexplore.exe	29
PID 2360 wrote to memory of 2676	2360	IEXPLORE.EXE	30
PID 2360 wrote to memory of 2676	2360	IEXPLORE.EXE	30
PID 2360 wrote to memory of 2676	2360	IEXPLORE.EXE	30
PID 2360 wrote to memory of 2676	2360	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\docProps\core.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2360 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1426ff7b8f88ff493f95c5b3f1908705

SHA1
1cd50acbe1ff89faac2af1d3cc82d9e8bee74b29

SHA256
8a14892facb0033e5259dfb18584b61099452f8935a8b62c64667a19bd635ef7

SHA512
448c437fb1b37b19763de0a14df46c0233489fac9262e1a2fdf8c30a49664be68edc1fdfbb4d123285e24d233a8c08150c52dc32cdaf059d95e052d7dc44fa89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd96225b3aba7679610294cd9d5cb0c6

SHA1
49e20e028a50435aaba15d9eab04837f6cce5135

SHA256
37080a0d802ce65c9fad95edb303720baf843fe670b60ea6a3df1f70af2dfc6a

SHA512
497cb5e9b310347ab088c518b99d2124a90c12b24f8cc27d2db563643d125f216f6c7927beda8d58292da17714e2a8d6c272ce666bd527ef8e7b10041e1819f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
868a14df42cea94dda713da958a621a0

SHA1
26b53bbf4a5f8c0a2e96fcae3cdca6a6eadd3fde

SHA256
bb763bb4cdb2629294f74097892cfa2d7d36276c6dcc69012366438582f04e0d

SHA512
cde0412e0ea6f423f15709af77dbec26023c8119d48b8febd2143f7e0def9f35745f75c90c32636f83a1b672a35346bb6f6cc053598612224d74c30f01cc5d5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c8ff865d05e2c7af0f101785ba81603

SHA1
865a4e9e73f9d4a53ee8d8c6c8e275db063fb60d

SHA256
42dfe0ef2b877b2b63a0712430b4cde57299385b2d741576cb2d5763dbe6c4c4

SHA512
9bf2d54e915f617d9aba877e91fd7e2fa1d56e972735b9492e48aab376f7345d3c4ab0ea87cfb70fb65d7bc62eafa5e31255a0c6af175ed869fa4ada1706244a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a17a59e4906de186605cb86f5a52a4b

SHA1
95f419ceaca6d45ede85da9c01f60fb0f50fb91f

SHA256
38d0f5319d10ed18b22c406759ce8be145b3763cd82495f4e10560c496f7845c

SHA512
398542da6d71f2ee3b929b50da00f44a6bd483dfaf8131e900a90cc53c61a1fed83161e383f5402571525d1d58e57455083f58e30f94260bd601b9fbf2d7213b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5923ce6bac2aa6b83a94ece316227ed0

SHA1
6c1c45a2090f4ce15645f6ec12dc526feec8cd81

SHA256
5d16d4352218b7c274cf5ab2d1e52472267308c56d69f0e4760fe72a54fdb4c8

SHA512
d33de8cfa1f5ea504a1120b1218901f477b75e2629dccf4a6858f45eef5c7e39acb004fa35108f82c920d48aee93c30091a99f3c45497f8b3a7fb941d7690c91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ab9f09f1cb5f22e0d1790db6508dcb3

SHA1
7be33ed78f687fda26d8b5043cc44a2481eb269e

SHA256
4c87090e62b82e54b8ce95b3573d8f5f7f0e40114131d0a8fe02f9e47fad078d

SHA512
6835e6f336dd3b1e5515b2cd812bda1ac4cce4c5ccd5b2db1fb65a2f3e1136efbca04b3458789858f50ecc64ebed0cb59a8577d6f10d845eb4411b31d3dd96d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0070ca52d6af68105d0b246cdce53a1

SHA1
dad1a938562bf735923cf555a34f52439441be0f

SHA256
b4a2b910c4fe1508a056e3c57747f066ed214d6b1de8e2795c4aa3edc1123fc0

SHA512
42f558d8136ebf6406262bb5e5c327467409cf44225153930de27691e62273ec92023176625162019fdf8900c2466185cbc3914f590a00212a32f38ed0a08811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
154267a97cfaf825389b5276a8dea404

SHA1
1eaa3bb944d9e20685fc82e9fdd3a7df3ce76296

SHA256
4d891ed409c916a4af7e917fc35da58115fa0cf6d3d3eab7a1c6f77139a60386

SHA512
e81946a32d09aa334af64047fa39e4984fca26333dd69aab4395f906bff3f57c5cb5b70506783d6fea9f4dc9686872ee26d393bafab99fe36023412bf847185d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af74376dc736d25980bce8c8982ca2d6

SHA1
48ecada86bfa67c3ce66defde33c53b7052ae0ad

SHA256
c0ec1746f84a926b6a1e31249d1a779ca1ed72286eed62c488258b4737c1c1b1

SHA512
637554e0789672224cc388ded7448a01020ba1e64f6dad3738a0a1ef1cb09b5b990213579f032eb77f43b03130a082092bc411a8e42946ce9a0a447962444a13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d3e82ee9559f11f32d853402fe6a3d7

SHA1
59297315153de4891e4032c877e706d7896de3cf

SHA256
c5f1a2167a25722db2d48ab405c2d4cda4de71bb73df96cb4e6c5262190bbb55

SHA512
0d28d906b680814230b091dc559cb38d426aa4acc740eb84121a6ea5a12fcb2a78dd8835f2419c96c6abad6755d01f4450da65324bea6bbfed8964275ba8d911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
860cd36a70692197c8e45d17eeda1ec4

SHA1
0f25313ee6f80b3e4aa07890a8333146bf8fa34f

SHA256
da6b4cb1ffcaa3680030ad41e6ee8137c648e933f42e2107e0dbbe4683eb9d38

SHA512
8a19ab8be7ee0cc3e35299eb1a9f0a13644d0c0c79f77993f0fbd1a57b281578b131fa9ccd8aad29304f4b12eee04771064efb18d833bcdadf0ca1fbc8e65e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6710.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar67AF.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit