61630adf63a47f6e53d2eba340dab6b060bf2d2787604dfe3058858a3609f0a6

Analysis

max time kernel
120s
max time network
172s
platform
windows7_x64
resource
win7-20231020-es
resource tags

arch:x64arch:x86image:win7-20231020-eslocale:es-esos:windows7-x64systemwindows
submitted
07/11/2023, 13:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BOYFRIEND_DEAD.xml
Size

15KB
MD5

67829ebffcff8cca9503056f58a146e2
SHA1

28c537b5599d9ed54592b3ae37c496ec3790802c
SHA256

6ba9038ddc78875bf5f9cb07f18607ff842be5bcf7d7ce8df6d76ddca1979336
SHA512

e873c0a380b940744038eb0d4377a69aa3818613163962bef5b1dca023d895857d1964c01524e24658f6787b1fb3d0dae5552cb83428f7d32e108a228b35d850
SSDEEP

48:2MREeC0EpZo13CRkr2FOYcoRS3kuDm9HdSH3M/2jOspdVFfDVGV0VRV9VGVOV8VB:knRFzrjDblNn

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd500000000020000000000106600000001000020000000532b370dcce9e31b992510f5e32ad3d890037900404ece5a9598e2f0b809fc25000000000e8000000002000020000000d26eed23b6445bfe0a1a7c5a45e07f8500d52ec8cf15f570f8374be3d372380120000000827d18feea2f2b6378cef6240d5aaffea8293a13dd47d9b6d52bb709d3b0c45d4000000037d5728a5f55c9b6dd9dbb52862c694c9ec78a8c8efbf4488faa0464b5a3a4c5de9e53bef583f771faf069d9d2eeea283e4929a5f3aaf88f8dca57fbe148df02	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405526586"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701d3db88011da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E25BD421-7D73-11EE-856A-4204A4193539} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd5000000000200000000001066000000010000200000004c0817b93b8e83dd8958ed9241d47b4c6e684122c2c0841ae33916a01cf85ed0000000000e8000000002000020000000580efde185c7d574ee73972d44609d889053031e9d83ab08d909fe26d3e60e8c90000000a3c3ee253d3e22289a788a8a2c5afc9e9f56548af0dc785be9f07fdd9dd425f4bd5cac2b370d92232b0d08392b7b3aff7a5e8471c7d24e74a0b533bc20d87b64847da20257fe477ee47e7a60e0be0af29f48d227532873eb43438497052f29a8e9b642cd4e31118a092a6561eda3d56c080385a5cab273b8811cb2df2225980bd7f08b04eaaa2ca005cbfee13fa39d3f40000000e7c5385643f0007d6620716854df4b8ef5c6aa4e0205f8bb1684c474dbffd1ebe9e68e4f367fd52b1a035b122233ad2e4ffb1d801eafe2f3019228aed1fd0b92	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1992	1816	MSOXMLED.EXE	28
PID 1816 wrote to memory of 1992	1816	MSOXMLED.EXE	28
PID 1816 wrote to memory of 1992	1816	MSOXMLED.EXE	28
PID 1816 wrote to memory of 1992	1816	MSOXMLED.EXE	28
PID 1992 wrote to memory of 2888	1992	iexplore.exe	29
PID 1992 wrote to memory of 2888	1992	iexplore.exe	29
PID 1992 wrote to memory of 2888	1992	iexplore.exe	29
PID 1992 wrote to memory of 2888	1992	iexplore.exe	29
PID 2888 wrote to memory of 2704	2888	IEXPLORE.EXE	30
PID 2888 wrote to memory of 2704	2888	IEXPLORE.EXE	30
PID 2888 wrote to memory of 2704	2888	IEXPLORE.EXE	30
PID 2888 wrote to memory of 2704	2888	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BOYFRIEND_DEAD.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35abb693e7ff3bce20f7fa1e0052af3e

SHA1
8820152c2a293a3a83ec04f5f1bfd06649205318

SHA256
a9a061e58166cd8f596df9e0bb0a3efd39ab03d0e2e30a7f209b0960498419b6

SHA512
181f9afb65de4748d77cfd671ec52e3407ff95bc424cec320168d71ccdfaeb123b46075c10516e1f635a64c0f0252dc32cecf8bb00b3919afac47e1639b9b7e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f46d104b2b222062e18e5b963f99c8e

SHA1
1e70be66d4c18555aa40f9373432886ee3e24465

SHA256
8243ee99861e6f129b31609ef4e014c241a949ac4453492f600c029784063978

SHA512
f4f91d08fbef5e3d1363401b0cd17d607d7e851ea154ea967cf034a1bd9c7f0bb3b18765f6d8bf2c7693191f19a666d8ec26bf60b3ff1fa4f537694e4d7b452e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
427bcb1822854ef2971b7e97509ae49b

SHA1
634bd7578891437641e46e214345a2cce7f52059

SHA256
66dac4fd58fefee95124e70e77bb1a2a1051f9d13fd56125a9071d8674610791

SHA512
0102fe989852a9e402388aca93b9c617f76d41cbfd4069e0764cf11aa029bf5583258750138532c5de20cfcf2f029cc9f0dda7c599786cde4f023245f1d6ee45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f3a2c25b1bca201384e48ff4a510aff

SHA1
89f52adc2420e7b8748634a2e9a1a4192f342fa5

SHA256
46bbd49441eb744c210348a75cbcc72efd23851399b479a777676187769a2903

SHA512
7733f1371dd30778f6c67811a5feda1233eab3775696111d9b89d97d752991c6c544e7d5ded397fbddefbf076d373247a617899301830856d4cbf112b769a67d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7c94287073729e6d64889c38bfc4529

SHA1
72cd25b42f8b0ab80f9816b6ebbb744d0aef9b54

SHA256
4dcbed578ad57d418a448978b1b4c14e59efeed65c60d1ebffbfbf923b834c59

SHA512
79b2eb46ee416bc39ed0f11858f4e48cf29c39e86f777b11ba924c287fb667dcd76725ccc327dbf902f7da26cb1bbb08ab9c96ecd026643cbe9349a01ef53005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62cda62715d7ad34a119ab67537503ba

SHA1
27bf22546624fe9624c06995730e636d7be804b6

SHA256
3efd9cd13d496e847cfd24f3280c58872ab9f4aa2f7a70d4b37e0de0adb4cda1

SHA512
3c1c678e4ff0e99f297bf6f8d0c15e53fff3b32034487b5bc7e159321649ac3e1cbd4a5ab6dfb3703ae1e4f2fd433e80cbbe3313ff0aa8330fb40aa398501193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8378a4219300225eda55b32f99ef7d80

SHA1
a1aaa6ca246a316ec7a46f5baaa45de365a13435

SHA256
eb38acfb64f5943d0b65945036b6bc1aac68b60a05947a4d7140180377d5a484

SHA512
64dcedf0420134ba87b142c866893d811c51364b8e62fe3eb6c1c1ad125c69b09ba2060965e00a5c1938a53b0a67652e84e0a4e86ec075cd13fe35f45bc21e0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c780598c8a752ca7a0a7d0e819a6e741

SHA1
963b90cc9e219520fd7c469b97b9caef431527f7

SHA256
1b33a3afe8b02d7d9ecef86ad04f3c22f86ca7be479327fd70efc885ee131ce0

SHA512
c5a3946700c9d0c16305bedbd7f4d25ac7de97688105d1adf5372241914f92e2cafbc279705cde88c710e0538093884463489843774aee114af744894c6cde03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec5402978d7d6f9ca24c8889051626cf

SHA1
26cfa8ebb55175d4a241746d840147ec76106193

SHA256
df092bf9f2d4caf031be475df7098405ac782bf883afd28fe931e7111fa39035

SHA512
f9cbd6180dea4c0ca0b67ab401a65a3830bb96e33d03b679adf4fc0d9bae9b04429895505328d646e306539c7b8cf3b3484fc903d5b85bdb68ad880300383302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a3a23c51ee3196b946fd94ee51db2eb

SHA1
35bff0f7ae9973cd7b62e51f478c0348527b5282

SHA256
3ba87204329e1c86f86284cc8b782cd04327b5c93afcdae7bdd7ef2faf638140

SHA512
73a7fa7e06bec20b6424082c6b7ea531b6e1bc0de4a89667e6f35af1883ba873aea920ccfb468bb6676fe10e63f885f26cd564f2316d2ca81f35a98ecac6fde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC61E.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC6C0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC680.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit