feb3ab1217f993d9214bb0e1a9561709bd9a1172ceee719fa9051d9fa6aa9622

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
30-10-2023 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xaw-VPN/index.html
Size

28KB
MD5

3b503e0e1b5f722d0567b6c3d3ebd6dc
SHA1

03421e1e96bfbf55b5cbb1e24b03c0a64b945bb2
SHA256

73e18c8e6a2351254cafbd51ece95ac2d1d473c828db3ea4e6f3d1327c3301d7
SHA512

32a172b1a198e748b11db61cbfc5be5b5cd6699bd91bd928868aabef7eec0611b39d22f13ebd66fbdb85589e40e8de0a97d36293446a1109c42b3748898e31d7
SSDEEP

192:0V8ClF7U9JGvukne4ACNNzcioveDnJguHJ3HJJJFVGOJnHJ8jrMVwxFrfOmPGXHM:ePluknx+DegU57FVGCp8jpFrO/h8CIJ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404811946"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB54FEB1-76F3-11EE-8260-66C04E06BBC8} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000a495c9db20b6f9eb2cf40ca0f9685b691e455c39be94c802e5c8ee605640b9b7000000000e80000000020000200000001ac1208c34941e688bc9270024c5274600539e16146699616fbc4d209f140ede2000000047943326234c2651e49bf74ec416d612f3d81d3a2a44a83d2b2956bce2275d31400000005f1afff080d9e9cb54bbd7a47d1e100d842b6fb63c701a119c1902b3a2a82649de0892af75b0b9f189ce409f96c993dcfc149502be43efdacdd86b7c56cbc01b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80110bd1000bda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000b127c3fbb2c00942f37b434d2301b73c56fca3e9f708b574068a1b60c8a4bcda000000000e8000000002000020000000bee0d25dbb3f8c0f2545001b4d3329233b5df46ce33aa3b085681f3a8526cf97900000009bce58711bd3d8cebe1f4d213cd36df66f62330ae3ac2b7a6da33ca5d46ce30dd8368bba02496fdaeec6b9172c88251b9421d2d683c38fb9a2a2cf39b7d4e2e87024ffd587b083371c2eeb05c18c5a0bb846736c5900c1403d3c4dd67e1de11c88eb99dc00e0fd0d2f2dc0b40a883867d58ee423278bc1c13c8579dec5da207d77bb98c801ad128d6159fea02fd176cf400000006b256d299f7166eb3ef929a453f0095bf97b91129c798a552cd96d8875f9974a4729e8509f5f8c010ed2e9ba059301fcd91a998787121eca3e519bab55c32f75	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1384 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1384 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1384 iexplore.exe
1384 iexplore.exe
2172 IEXPLORE.EXE
2172 IEXPLORE.EXE
2172 IEXPLORE.EXE
2172 IEXPLORE.EXE

pid	process
1384	iexplore.exe

pid	process
1384	iexplore.exe

pid	process
1384	iexplore.exe
1384	iexplore.exe
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1384 wrote to memory of 2172	1384	iexplore.exe	IEXPLORE.EXE
PID 1384 wrote to memory of 2172	1384	iexplore.exe	IEXPLORE.EXE
PID 1384 wrote to memory of 2172	1384	iexplore.exe	IEXPLORE.EXE
PID 1384 wrote to memory of 2172	1384	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Xaw-VPN\index.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1384 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3effff89a1d08c01f7e27b70f10c747e

SHA1
bf172b859004311a33c1edd5ac0efd53bd46f7fd

SHA256
259744dbb338abc9f67a33c88746a08582b04fb9a3b56514517a236ce68a0d74

SHA512
aea0335825cb599f87ce1722cac6d4aad7989b89b7dfcd823db151b0a4bdb439a53a8c9d10124abe432733ec76052b5394f7c5b7f0acb896988d38776fc9d8ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d436badd56ea263fe3b3d1b3cb22305

SHA1
8acc8c9a75de11aa7d2e345e67a88d0fabb51756

SHA256
966411512295baa5c7aba7043026a831dc6e20a637cf7c67861083fb4ea61bb2

SHA512
2862b807d33e807076ff6b78acb02d6ca34df181b50d9ab7fcff4535aa670cbf04742e8310c9760babc7f45b823f232efd55d7ec074eb495d613c14a74e30746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7a6b6fa3ed093ee2910cb7cb8b17dc5c

SHA1
552015b7e13117aa3578ce5259b772a4d59042f9

SHA256
7c02bd1cd006c9995d6a2b576afcdb26752b8bd9f9b957f2d500061b6ed81fdf

SHA512
d35260a3423b9fe098158300cb4bc89cc9f5370d2716ee210831282d9e7895fb033661f2160e84cb2c10a1751328354a9a6f85d0bbc61944a6554ab7c44e7480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bedf463e57b7543c7d1e2c4f2251ea09

SHA1
443f9447a214c2d5b84752389652b3b0f190af5c

SHA256
34d3d1b52ec5152dec5daa4bf7bab276bb45d2b190cfaf0ea61a5b7d0f3bef6e

SHA512
4f2aa18bcb4cd3d2d1f13099dec60c571800d3553981b9bf01a280f9485b5e02ed9008508f7e0297713963ad020c904fc345893cce4c5bd675c8412cf8d07b19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6511f9b41cce48be9122ec8d1066c72a

SHA1
e1f1bc4a296d2266691e3db6368168526ba4f9a5

SHA256
b7e178fd527455d9e803ea6767f7957ee9235bf5af527ec69af39fa9b38e9503

SHA512
d327f6685a73770e83603b9ea34d0bb7f40d0ac761c185c4148fef996d4c1a6d072199a64f9753ac1abdbc5d87ec9ed8cfe70385ac1407a4839ee6a22067b8fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7ddb45d2c449108b2bcdd7ead19a41d6

SHA1
11a4d7d4aeda314bf5dc0d125a6d890ee84043bd

SHA256
9a010ecda68a227f3e9c5dcde850576b07e432d7abbb5f391a498b6a94c183b2

SHA512
bf093d2cf1481bd97dd135fc2eeda143e181e4f1381d01f0c8f62bf63dd4fee6c1501d4b658e714bd65dad25f7c7c7d63faf61fe4279ef889ae270fd84e466a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aaff6b9ce39fe77802fb7788fc072a65

SHA1
2605ee2ce979fa2aa55d775cfc2031fcfe95711f

SHA256
15367b7d67ece78f49a8d0eb7765639b12e9049b7060c7babce8d6dc5ad35e68

SHA512
353aef38c91ca4430b29c84a68febb8793dbb97e7b3d4329df51919a4c8b9b496bad7ef3d132c3b508617f3ac5f108cb3d935d0a5a00b36bdd89b4f7573786b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
540fed3037805e554449dcc26c430602

SHA1
eff102b7d61ba8dfcc05e43cef33ca741bfc3793

SHA256
31964e4e637051dd59bdb24a976e1b7a882b20356dabe43c91e4f2a020ac2f91

SHA512
df3a78d50da207c83d9f568af8f5d71ab79322fa33ccdc27c46292ee08580e08cd3e0bc5967b0fcdad145f1517843844c9274880f71b9497d3709acf03ea3030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
eaf058e53ceebeea061ac9547358a7a9

SHA1
0b7cc64504291c2e3272c6b18649518f02f00373

SHA256
97f151b4bd35566f9571907d8ededc042eec75783bd7649c848111c06827b2bf

SHA512
89f5062ef4d5d1a6c99aa667eb0c11778e916a88294b8103682257f6f7a7a2ec3d3aae6c06f7d466f29da21c0f76fdcc5a6330486b6c3d284b3bee8f0fe87d52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0c055158c194b555fc2161c82c211bb7

SHA1
9f3ed4e39b2282a74cf0b9890cc707e6735b4198

SHA256
ca4f3d51a40226c8c0c4f2e06cd66862a1148f7462db8905239c051fc009c6a0

SHA512
8684042146511a1c46da3720aef6d462c4b7f2b32c18abae12c6e5b8fcbd89e85e683d037b26c7d16711e6d5665138b5574345441a712caa63caa5193d10d5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab61F1.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C17.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit