5a25cec5efa849f8bab0d75de0e860bd576599cf3f3ed89cc6e847e2f19603d3

Analysis

max time kernel
137s
max time network
134s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-11-2023 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows-11-v22H2-Security-Baseline/GPOs/{03A608E1-608B-4ECE-A44E-ACE3AF1ECD8B}/Backup.xml
Size

7KB
MD5

6a0dbbbed20565436252d62a05e53e7b
SHA1

752111058eadc978518d217cef0f6af2ac5970c2
SHA256

a0ab6d8fa6b2dbacb0927018c01f751825a69a02d97d6a07395fdd6cc820039c
SHA512

460ed4666374e4f6fad2fbf6a41a862c4f3c9b6e2074ebba418f7788e180cda76ba22de835b19f5c69e925a3dac73d765e0aee0c0334009af54524c055833fa7
SSDEEP

96:YDdrVGW7Xk5X9X8fkNCV4Yj2V4oA/XhWt03zJR/Nl2NUDw1juKycrSc4kFUJLuIh:9SvSQWtKzv1sJng

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0774292361dda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd5000000000200000000001066000000010000200000004dfeaba60d2797f042bf99229a33dd8f4ead7d6185e7daec81508c4191d90da5000000000e8000000002000020000000f1b303eaa53de165f52ea33b142cce37d0c295d67760b1f107e684cfa80b626020000000cdcaa52ec8f298453cf00ad49b5beb82173840a43cc2978008c1ac4294c7375040000000e5b94c510244fcdc13c611ea5a1591272f0b5bae559c009b4270420630ef722f222e250d6339b2d63a883d6a0da0c18940e6e2fbde4279fdb2588f7894b83485	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd500000000020000000000106600000001000020000000f0b42bcf90e679e6dbe1ce124a5590fa25b8460a93ab3392fde2e6a41b5a9843000000000e8000000002000020000000422c1760cbfcecbf13554bf288819f3f86c2c742e55c5889d1dba1d4ac05cd9390000000e1cdd3b6bb0bf01a760520cb787bdc321b4c232079f412a2716efbea23d2078f2c95183dfbbb794482c8634402cd93a6b3dae62d565b1b6c41904d18ff74435f7d0053d4142a403bafb1bbdd8bf2dd7a8c867bf5b065db3a7a85126257518e84c37201b8897ac8f538d66bc0d5dcadf7ee90753e109faf5c71703f9c392f002b91bac60727d150be3b63c38757e49a63400000005b53bb9759e03f27cd8425bd81914b69eebb15cad08ed28129af1fa6c237f73ee697bd1e127e58f2180c2f6f471fc108ab72c8ad3f105534d572275196889960	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BCD82B61-8929-11EE-91F3-EA36CF52C02B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406814154"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2256 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2256 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2256 IEXPLORE.EXE
2256 IEXPLORE.EXE
2784 IEXPLORE.EXE
2784 IEXPLORE.EXE
2784 IEXPLORE.EXE
2784 IEXPLORE.EXE

pid	process
2256	IEXPLORE.EXE

pid	process
2256	IEXPLORE.EXE

pid	process
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1568 wrote to memory of 1588	1568	MSOXMLED.EXE	iexplore.exe
PID 1568 wrote to memory of 1588	1568	MSOXMLED.EXE	iexplore.exe
PID 1568 wrote to memory of 1588	1568	MSOXMLED.EXE	iexplore.exe
PID 1568 wrote to memory of 1588	1568	MSOXMLED.EXE	iexplore.exe
PID 1588 wrote to memory of 2256	1588	iexplore.exe	IEXPLORE.EXE
PID 1588 wrote to memory of 2256	1588	iexplore.exe	IEXPLORE.EXE
PID 1588 wrote to memory of 2256	1588	iexplore.exe	IEXPLORE.EXE
PID 1588 wrote to memory of 2256	1588	iexplore.exe	IEXPLORE.EXE
PID 2256 wrote to memory of 2784	2256	IEXPLORE.EXE	IEXPLORE.EXE
PID 2256 wrote to memory of 2784	2256	IEXPLORE.EXE	IEXPLORE.EXE
PID 2256 wrote to memory of 2784	2256	IEXPLORE.EXE	IEXPLORE.EXE
PID 2256 wrote to memory of 2784	2256	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Windows-11-v22H2-Security-Baseline\GPOs\{03A608E1-608B-4ECE-A44E-ACE3AF1ECD8B}\Backup.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
362bd367d1107653aba7c2c482e7430c

SHA1
c1974ff57db07cba17e30f4e6fa6396ebe848932

SHA256
f8e754c9bf5e2ffee10eb2ae5562ecd2634af5a6aff05f3f34879b41f9ea02e1

SHA512
d7c8460a6dd7a0f4acd22f857a0fc31533c2c548d466e236d6846a95e741495ec640c04461f2e793165d95a3af1685458c5afc209a993827d2b46aa4c53ba82d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dfac2fb9ccd1e4067126e00280bf3abf

SHA1
56a21c477e0816eaceca6ff5db87f56583c9620b

SHA256
0622290efb2e3500cfb5077e15d69a41d5090a1850129efc5f833dde82bb036b

SHA512
a6236b7268252a49b5eb8ce903e7d2eb8f04fc215f6aa611fa4f63a4144e7ed794230138e04c12e7bc7cc13ed715bdfe2518247903f01b8473c2293171c1bfcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f4e98936074f5a357bbc15366bfa9d9

SHA1
f44acad23e856088d8da04a814cbf16418dfd5c7

SHA256
ad2502c6fec18dbbe3fdf5d14bd782175cff52a59c7d75a3806499e905a95c2f

SHA512
a367178983395fc8be5a4dd8ea4ead0f6984f78a93dcbace9e0393256747410c2e8f69045992efdf28e05ca09ea220bc2dfad168c0856426e16a7325ba001e66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc5444ca6d658c9d6035d951aad143a1

SHA1
0c4c6c4d6c165a1a60ae942b0c831ef34b1b519f

SHA256
7159b3b3dddd94b0fc9014032096720d882ce742edbb57da5cd3c63cd3d1b08c

SHA512
405fc785917c4e02f0ebd7c57e9af4e6f4846ccf06ef00c3ec78d11c70c38ea25ca0cf5f564fdb69f2991c6add1c6ee1783053b697377372359a4c470ff0c16f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8f7cd8a0503f68e17a789efc1df05bf

SHA1
4e27f23489e1d4348b35e4c4d51bb8762d2a0827

SHA256
4ac2f6332ec4370dc3f2f76a8399b009f053f9dc5888788978aba2f4c255291a

SHA512
224c2a894b3bb4633cb3b3de010d3f1e4986e5d6fe6804a6d453c668d51dcd48e61da11efeee11f9dff971c0d6d6f011729910f34dfb90a7caa13e75cfcce6a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cecd83a5aab1eeaf52061b7a03bf6ef1

SHA1
565e8e81a631f5dca4b82e8c17ddf9f9989647b7

SHA256
11ab2aca3155961b9f5166dcb767f7b965f9fec50cb67c2bcec80861ef9079e7

SHA512
cf3f985df7c87ae54b6be93e09b49eb0471384eded35d73305b0b947c4a8171865705988d1b2022cc357bca03734e7b65bdf40eaa4bf8efd848983e8e83068e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bedfc4e89e2ced0250f111ad178a11c0

SHA1
c96248993cf6ac81b9d03ce8f5fae9c0581ca166

SHA256
3d06a91f8455d5319e63cbd9306d68c18df1f977755ef389fd2a8db737ec1e3e

SHA512
3d258e5fb2b8211c05ffdb6ae0338c47bfee6f180346d9b58babaccb36e69b232ba43c3fadea34cce592312fac8938e20cd15fe2319daf753937aaf589b8a641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
802ee64d4f881f0717f5aa54e83e58d9

SHA1
3946fffbdd0fb028a933f94b11aa3ec9b9fbf9ec

SHA256
fcab7849e740d2a1395de9f679099a0b1912ebafb65b1a49d0d82f3e291f8ddc

SHA512
88bb4818007cea16769b23b422cfb4496cd91ab902b05677bb57fae4e9c97c7ca48e08e2ea72b2ae256f95d50b53be915cc4d007cc89226fa26e9ea9172512a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1937aeb954fba0f01ca933f87481ff32

SHA1
c0eeebbead8fd0a09c6acc8c583985dce2da4f85

SHA256
ef6f62825c0ccbdfc3bdde4ecb8f72f467b4cdb5f591f5de67b0c2979bea95dd

SHA512
1b664d97c3fffb20a1630129be2dc1484f4daeb19660806aa3f2312fd37a9832d7bb3dcb90715a73fbf32341b723acb4206dc172b21783088644836fd610b287

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7FEC.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar807C.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit