61630adf63a47f6e53d2eba340dab6b060bf2d2787604dfe3058858a3609f0a6

Analysis

max time kernel
134s
max time network
160s
platform
windows7_x64
resource
win7-20231020-es
resource tags

arch:x64arch:x86image:win7-20231020-eslocale:es-esos:windows7-x64systemwindows
submitted
07/11/2023, 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DADDY_DEAREST.xml
Size

17KB
MD5

51f56c6240ae7be408408ce57ef35f6d
SHA1

34a110662110a215c6a5f3a0b14241b61d330941
SHA256

bdf5fdbd232dc3ffe0089e1fcefd16f845381fc40f0037a86ab352928e8900d3
SHA512

a978a3f20a7333680d942af4d1a9a47394cde830349b591c9a933372a53d6f9d22650959e611b135f4f98cadf157773d1fa2590d3ee28b81e8b92900009fd4e4
SSDEEP

96:uAIEFHL9tpRobybXgeFrEiZ0b1OQHxacbDcddFWoPBCkrG1TMyx/Y+tuV7U6RDbv:LHj4qr

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd500000000020000000000106600000001000020000000ea2524ef58361f8f04a0b8408c9dfb56016cc147be95dbcbcb4a39697793a33f000000000e80000000020000200000003d9831a5e6d83a1dc3b3690cfc9aa1757cef9f648aaff2021afb29cac08880b39000000041f7df70db8a2e07114100f0247fc969e8652e60d114de825c1bb54a5e3cb30c8051d0a5bacdb0560aa92a33f56a853173b7d986870abb80357fa9f6b79b97b0efba8dbb6d9664c8002cf41da538f40436f0c86533252781d1eb4a97622f2fa37032dd40a1c6b4293fa1491c895c8a2d7c2e21ec0bd707c0ded69c8d9e6578cb9910a49125f7d6b72f735b22ab067b17400000002662e8a982649031ef4ed85c16d1a48973faea0d89dccf1cf2b258c481301e44772e23e1cb823b73bb37cd4e77e39738c73c1e9707bb162231f0b74ae32190c0	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DD2B0071-7D73-11EE-B5E1-C6303085B124} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405526577"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd5000000000200000000001066000000010000200000001a18624d8598df7d3c0b8bdb9efd9d173004e35c7162d05ff26f27558b61cf65000000000e80000000020000200000007071bd982c86c6172c144e1c3c4dab564fcf1fd393be1f965254cb2dc399d62e200000002f21d5a517b3ecf9e30c9e230cf181c802a385fca04333748e32eb54da24694d40000000c3baf6732cde0859ecb3497b6ba409a1337394f0212267ec51b43d5c70e604ee00dd95ba86b5b671c598cded5f4130b11ba81aea13581ef08cc983213cb6d846	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02d13b58011da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2324	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2324	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2332	1252	MSOXMLED.EXE	28
PID 1252 wrote to memory of 2332	1252	MSOXMLED.EXE	28
PID 1252 wrote to memory of 2332	1252	MSOXMLED.EXE	28
PID 1252 wrote to memory of 2332	1252	MSOXMLED.EXE	28
PID 2332 wrote to memory of 2324	2332	iexplore.exe	29
PID 2332 wrote to memory of 2324	2332	iexplore.exe	29
PID 2332 wrote to memory of 2324	2332	iexplore.exe	29
PID 2332 wrote to memory of 2324	2332	iexplore.exe	29
PID 2324 wrote to memory of 2768	2324	IEXPLORE.EXE	30
PID 2324 wrote to memory of 2768	2324	IEXPLORE.EXE	30
PID 2324 wrote to memory of 2768	2324	IEXPLORE.EXE	30
PID 2324 wrote to memory of 2768	2324	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\DADDY_DEAREST.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2a8a51deadd926d14aec9f2708814a2

SHA1
b6f2287d813f380ce371f907b7a9e93fca51e1c7

SHA256
4b82015437c159bc6b27b61f760ee535e2ca91a55ebc9d3449fb91703fa5610c

SHA512
f92fabdb14a7fabfa19f82248c75f1345b6f9041c8e69b60b2824fe2bf5dfc8edd8766a41711ec90f178970bdf14f10dbde1c816101a5396b180308060a21990

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50e06504d899a57f078d8ddd2d253134

SHA1
31f806cb8a343d702a6e5a6305f6f3680a78a4cf

SHA256
5d3d3d5edb5f1be8a595ae48988a75e79dd8e22c598aec38e5d7d2e9316ca4be

SHA512
1d4edb0df23adb5b581d30905e230096e2b550089cfcce71badb30bf5d93d272e149f1a33d2502b47189f75e9dc79a16bd5b3db97643ff41a42e30e3ad989de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02c139d32931da2fbd55413598b0c5e0

SHA1
429e6cc733821a25bf54671902b20c0c53f37c05

SHA256
687ca8a8f59c9ddb15ea33be2f121ca5547ab0a3b34351db91fdd84a980ac2e8

SHA512
88434deb30f400e630a8f4ce314b64ced30ad92c657e5283a1c3eb07f47b07b5823179dd76fa6c90a6295c3df0920e4fd2962c95dfe2f0ce4f7dd77e23c106fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ccb0d2d1c8ceb7140351d5401532cf1b

SHA1
8c429ebdf6ea209e62794b1f618f25d61cb2f0e1

SHA256
1b53634c9763276dfb9ec7715f8d63ba828a0977a04c3b115899470368a77609

SHA512
b62574321b2cbdd66ad0381baca47bc7150e4b0808e2ec0379d2cc03decfd8f938dec21f452287e2e1a63351eb2418581a71b8ce786508bb6dc5d4f7cec0dde9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb8fc637ea3de8860450d52b7557703b

SHA1
c98ac0a0065de8e72b809d0f7f1098f773937744

SHA256
f33d562a0f14839072c6a9c1cd56979fc182c859b5105ae841db96614f721dd9

SHA512
08d3cb88bfcd89545190d377d9d81b6ec578d7f7b85749169de3ce8656ff56eafabbb6e039bc54c595d12c370bc52c20f015645793125be5c7b4b0c0266a846c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85c0ab59b70e780f32f5f21ad741c9d2

SHA1
30d6efa5e9768d08e5e60450e0cb7ddd2a06f1e0

SHA256
07a34aeb2db313a71d372e54b69afaac8f34f16a3d6c76a8c850a1e06ab5e9ea

SHA512
bb71921fee6dace64d8c2ff660867fe359018d24511418f6e29a82ed74d62aa0581da22f7aec41e27e975adc2be733b57ca98f78639045f1072efdc406cb0bcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4f270bb62117f574180f39d2b05fdf8

SHA1
a03e82a686d1fcf4324f67d7db7876c6e1aa8580

SHA256
3c0644507d5ad56848c802a8aa1aa1ac4437f0bacf8539467437c9fdf5bb0b01

SHA512
b1db9a79b1901e140c0f9a1b66f46d85a223b3a9d73bbc548bc859f989a0c68c5e92e72bca044475377f37c43b71136989c1079c0296bc304517e7e0c39eb48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB443.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB551.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit