5a25cec5efa849f8bab0d75de0e860bd576599cf3f3ed89cc6e847e2f19603d3

Analysis

max time kernel
137s
max time network
134s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
22-11-2023 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows-11-v22H2-Security-Baseline/GPOs/{03A608E1-608B-4ECE-A44E-ACE3AF1ECD8B}/gpreport.xml
Size

283KB
MD5

aa6e3c50d6b75428f17b4a5a62a269c7
SHA1

ccf49a4ed74f26c9cdee60d69902383c178d89cd
SHA256

5d4466908917345bcd761001ce6a343a26e73ab2c03f5face7fe89790c0e44ff
SHA512

c6b6dc29682cec87a48340ae712e899b013a3500bd1f231f8cf6b7f3c64ec925e02e5cc1c536e083f9b65366b3948c572a21b201784b736af1d429800d1d0d7b
SSDEEP

1536:LF/vprvloZBZ/ZxZ4ZPZwZaZ8ZnZmZmZVZnZ3Z8ZqZ+ZwZ2ZWZ6ZEUBUsweUaCO9:BvprvrKlW24unbDYgfiXYyzX0wQk

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd66920000000002000000000010660000000100002000000032eb8da41bde01978b108f692fad12c8e7929b211fe6fc09a333be53a8489b65000000000e80000000020000200000000b969b3341019a872bddc919273e96a3d99d8f72a8143c5dbaaf008a2446d072200000003056e001e7ae9fa250248410b32ac34e576868fa8fa93675abc6e554fb5cf43d400000002fd2346e91ee0e566d8d9f608a867fb4ac5c9aabdea1f0a47d67df576634d1ef8bbcb77ed8ccb746a24b3236719a3b3e04f54a728330f681c92d5852e5d6d763	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD64D331-8929-11EE-9650-56AB2964BB14} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406814155"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd66920000000002000000000010660000000100002000000080bf05f969644ba3580a6c6b499cd5b045ae61eef5b06d37d79511392444b621000000000e80000000020000200000006c6de00c30cf689add18101241120f4387a3397ac22c2f0084140bd73cff1ea49000000094ee15f20dc05bbd432b8cb553adadb3022665c8571bd44250a4d187cec2c309c591450eb8e23bf6850af5ec16d877ae14fa7437334395c8e2bf0ce07a501070fda10a19eba4304dbd9cd5b007635848c4cf28283a2891cf9259548728304503895417686ad1f7284edf80a1cff95af89d6d3eb2c5ca228d7eae527fb7d761f565524ad2b2d4bcbc811f3aad1bedea7e40000000eb0b736b454fd677de0e4b46a8afa3d4b70d000a4050d97b5709411fb028f270bc0b445210a1a14e68edddd77bfa201de732fac7aa13b942247c352e38601206	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02db092361dda01	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2636 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2636 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2636 IEXPLORE.EXE
2636 IEXPLORE.EXE
2828 IEXPLORE.EXE
2828 IEXPLORE.EXE
2828 IEXPLORE.EXE
2828 IEXPLORE.EXE

pid	process
2636	IEXPLORE.EXE

pid	process
2636	IEXPLORE.EXE

pid	process
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2924 wrote to memory of 2088	2924	MSOXMLED.EXE	iexplore.exe
PID 2924 wrote to memory of 2088	2924	MSOXMLED.EXE	iexplore.exe
PID 2924 wrote to memory of 2088	2924	MSOXMLED.EXE	iexplore.exe
PID 2924 wrote to memory of 2088	2924	MSOXMLED.EXE	iexplore.exe
PID 2088 wrote to memory of 2636	2088	iexplore.exe	IEXPLORE.EXE
PID 2088 wrote to memory of 2636	2088	iexplore.exe	IEXPLORE.EXE
PID 2088 wrote to memory of 2636	2088	iexplore.exe	IEXPLORE.EXE
PID 2088 wrote to memory of 2636	2088	iexplore.exe	IEXPLORE.EXE
PID 2636 wrote to memory of 2828	2636	IEXPLORE.EXE	IEXPLORE.EXE
PID 2636 wrote to memory of 2828	2636	IEXPLORE.EXE	IEXPLORE.EXE
PID 2636 wrote to memory of 2828	2636	IEXPLORE.EXE	IEXPLORE.EXE
PID 2636 wrote to memory of 2828	2636	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Windows-11-v22H2-Security-Baseline\GPOs\{03A608E1-608B-4ECE-A44E-ACE3AF1ECD8B}\gpreport.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f9ba6e2eb111bf0fa2920fbc415fd36

SHA1
027eac93958e20555ff0a15b45b68acf150d769d

SHA256
d9d9fc3b7c0c2a3ea9473efea1d1b1d989c4e50f6f27ece619da2e433b7b84dd

SHA512
294c2988ea7365bab3d10c208c9c9a675e7256562f47e1e1abd56a2f6db6803069d128fda7c2d9a1ca45ef653278046655785cb02f0a5c97c211e165e6b918db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eba80e1a7bd99c064000d7ce2e9cf443

SHA1
03b58cb31d258f999c29c9caa246da2fba625618

SHA256
60a7f0121332da53d4caf3049422b2acc421083138130bf20f09a204417b7404

SHA512
c78e828a471968007ae0715c60481b4c9ee4c24fa05e73a17ce416b876582468b659a27149da37ab90f716f80aa2af53cfb560d0f5a85b58f276510dcc426e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1b7f7e46b5be157baf9be8ac1608980

SHA1
0fbe89fb37998bcf683fe426993c5baebe7e0ee2

SHA256
7af6cb5fcbc178c1d9d6575db2f7702e7ff4d647b3a1a9ce20d8df2c5b6cf240

SHA512
91f6140e360b7d6549a6894ac6933e988609e29079e0b2514f719b254a80e7eda4bdcf603e1506b135618b4151f97ad2798302312040102132dabf5ac349d110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61c8d64521086506e726d4af544805f0

SHA1
ab69856f530b0d10e682699834c8af65f1b95f14

SHA256
92fc499b0f6086964fc819e4c10114cb569f02d47a676f59c2ddb3e0035497f0

SHA512
780c6e7c85bf5fcfc4de0139ec60805984d20b475dd3736c01fb95486e085e5785b71b04a718b3d78d3d7b96e680a25a3f8997fb7508048c3dba97c028934e53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
affed9f82a44a58054a87e69a3074489

SHA1
5ac7b7c429c25fed6eb145479825ade1f0235c03

SHA256
597202e7e9bee018328b60691c76f96f704a9f3f4963879dc398cdccf9b17a42

SHA512
0f06c8174aaaf1ea92108ac108169b780c64dad9e6cbc6f47f2d55980ca39bd32dd5e0b5555a08cd9fb1af19b08fef568ea1c569b3560061b7eb63cff1ec9425

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcaa8e646aae39284c9856c87c80122e

SHA1
23c4a5fa18aa862de08d70db609a05f0433f1179

SHA256
d2f11454b06f53b8619879e91f0726504ac4a177a4a13172cedc0891e86c45a6

SHA512
4e424ba78d7251cb3b713d650f3000a669f4b5d64faa092b69fb0fc6436bb5ab7c2c16ea49a3d7853cfd439a5159b6916bc55cde4e2dc2f2bab3f75e21c8115d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49051afd6385cbdbbc8314569594849a

SHA1
53b4846dd88fce693b3437cb5fbc7d69e1abdbd0

SHA256
5dff5b47e947ee3e99d30886964f6de69c013364726b91b1016877dc7979efb5

SHA512
73be8d8d5704310ca908e7a9ef5999f25374010f0e2747d77da4a87e8f3d97ead85339868af90c354b5a931b110d7266be4c05924b15a6867f2367b3d6a6e86b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0e2702ed15490294ab26db987290720

SHA1
f5b988e5fe1d44dc49f947d07cced162637e9fe8

SHA256
2e2006cc5c4cb3b6d8fa495f9f3e041b93abbce53adf56a0fc19e4bf3c8dd872

SHA512
9adf6477eaccdace6624be6ede12584a4cebc9277f3cfdc1cd869abad20d75214170473c34a362233cc34b1918fbd0ca4240c5d98ff58d67183b8c281c035cf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9c0adf0bba3000240f01f440a94e5f2

SHA1
4b51d77835f2efa19f247f15619fab02e4a9f0f0

SHA256
1d0477c23347baa3cf000420554375c98e5ff5c9ff10b85b93fd54d3f0b1f63f

SHA512
bed7422da441168289409d71b23fe380efb8da4c9c528e4f5a935fb5d7d8d339ff51430e7efa99a8488ea5a882a9d3cbfa7fb28c34da5b713ebeaa815bb21818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d16d3d05700f6e2582fc5ca92a20ca01

SHA1
872401731dd4e24aa65497238a0764bfb296d85b

SHA256
cdd59071a08d9700382b023f5f77198cd87c097dc9ce3205e73f56ee8ae3a99a

SHA512
93dd2e144f8f012a5d6b72975b7681a2399c092bc60489e3372f48ba2195bdcd3431dbdd05cb360f49bffe18aa09ec8828b6c259702df9a870dfc71fb5b7c0f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da9bcb56b0d160b52d584ae285842000

SHA1
51f859ebc59a480734619784b2ca985da9adcedf

SHA256
21206ef061031af7dba168bef6900eef4f1145904cdd9baf556b74ed4ea3aace

SHA512
6d1deb6e1f189c480c9182d8407e04a5fac3afc212b64e113c57954017d96cf79d1e57a05a37da5d2b0213930c6458bc0c4cf97efd22933f25e0ae9854ad1731

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7707.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar77B5.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit