24d2f00a1a35b70aaa6ddd836e6bb52c8d68953e81ab478e58f1a85375ceaf97

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

idle_master_extended_v1.10.0/IdleMasterExtended.exe.xml
Size

4KB
MD5

5668e5f9a1818248ca6526ab65b2f4eb
SHA1

beb101e401e9b94f974bef6720cd68d44957b38b
SHA256

9af66a4e62d65c6b86fe56b11fea614ed4b2e8593d29efdb95eca8d3a162f5e2
SHA512

25c8aac4604606c47cce5669f9b9cac43248f3e846f8790b3f2a8369bbb310d1a3801b07eabec646aed5e3dc83e2f2ded951442e3dade3ef369cb0f7b9b2501e
SSDEEP

96:ur71O7KGmTUD9AvmvLAvjAvUAvzgQZtsvOAvPognbAveuBvrivOvfMAvxAvZQnL+:ur787nmA5r0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407178931"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e1a2e28720da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0DD33E71-8C7B-11EE-BDF7-CA9958541264} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f54000000000200000000001066000000010000200000008109a572bc0fae447055ced9ed14fd41513185c680b1f1f01157c3c3b64fbe5f000000000e8000000002000020000000b819558c7041e94779d41776b7e905909ea7c2065190a39c9f1eba6c0585bde890000000acbaeeee1e8d80b4dd30a160279c01d99ec92a7fb7e07d545e09fbe7219179d2d4fbca1630a0894f524d5aa85e1932ef60b34b69d119f70a43785abf025669c10779c20cea87e1503571f991536ea9f7f57def6971c8327d268fc72fb168f06c3a1dc647ee8aaef18a68c1e80970a8d35de9095660c0123e056f465866376aafda5d6888f7a381cc43056d249ea81c7440000000bdc749cb1fc59be50982021b173351f966fe07157a664a3916a1a6afb4a8519bbc66136b04245200dad1b345c8a00327d987dfb1296fbc5df65cc4f2e24b4cc2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000e5f47e5fc470b7c7916ce97be425caedbb4abfffd6df2cb75ecfca8d72019aae000000000e80000000020000200000009c87171fb637ce682c5eeac539cc6f85a083ac0511727d8fa3c5738dab7c56972000000036b9fbd9c9c6acc833be75b34a55c0f460f655894c28d8bb00301a13744f38af40000000563b8b7f0426dc317b2139e956cd132de1c78c4a6fc53f8381b65ed3a261caedfa8be448e2158e9dd65942615ad470166e02a13a1f31d6973e2041cb29529d31	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2796	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2780	2136	MSOXMLED.EXE	28
PID 2136 wrote to memory of 2780	2136	MSOXMLED.EXE	28
PID 2136 wrote to memory of 2780	2136	MSOXMLED.EXE	28
PID 2136 wrote to memory of 2780	2136	MSOXMLED.EXE	28
PID 2780 wrote to memory of 2796	2780	iexplore.exe	29
PID 2780 wrote to memory of 2796	2780	iexplore.exe	29
PID 2780 wrote to memory of 2796	2780	iexplore.exe	29
PID 2780 wrote to memory of 2796	2780	iexplore.exe	29
PID 2796 wrote to memory of 2740	2796	IEXPLORE.EXE	30
PID 2796 wrote to memory of 2740	2796	IEXPLORE.EXE	30
PID 2796 wrote to memory of 2740	2796	IEXPLORE.EXE	30
PID 2796 wrote to memory of 2740	2796	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\idle_master_extended_v1.10.0\IdleMasterExtended.exe.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2796 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed140e8a929c38ad03283662a577c4e1

SHA1
dc092f907003f604e363cded78f92f491fe97644

SHA256
ad3b89b0b7ed2a9253a0feb919ba832c34a41dbff027b2a9daefd514f761e864

SHA512
7ff23fc051336dbfdd9298ec328c9130a47af2136e7fbd3fb6b6d66c1e04d5d0b46c7a7aa27eab332bcb16a9ad31e83b3ff9ee5866010db4a7454d336a5631ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b5c355b11f1d4fec24461ec1df09c7c

SHA1
77b3e473620957d26f7cfa00436584fe58e4f10b

SHA256
609ea7db7494d4a786400f0041dce77afed614d257f891d7b1fa1a4b124649c8

SHA512
bcfaa9549eb8d4f3a245d5255c5fb9456a6be6c101b8c611b010d597c27018316f2f6422aca63e868ad6dcc86c007b2b174c17a46adc3bbb4eb447f9d11991ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
294571f8e479c8e5d9bc198b74f992b0

SHA1
d9df3f3ebb12d30c6926dd63b8c1f20f0277b858

SHA256
ed5087c09e9435f4d6b5da70271c0b0da681137c3f956fedc032285a2d6d671f

SHA512
5bb000efa5bede1e4818dfc6d94edf8b881c82e7bcced8f808afe40e8cef19c1f44110e25f2b5ee195dbb4d4a85bb41f4dc1d5072a873fb4c6daa20ea686500d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74cb6f13faa62470bd220606622bacd4

SHA1
482815d47fa03def2708e49e265fafba31c3886e

SHA256
fb9bafc925df3bef371bf548984cbfb2154d27ec3e26e9b2ecdacefdcc015f26

SHA512
985fadcc0f77e9a88e79d28f834d9fa695feee96716f906b7a31509448c864d18529d1d1148d14c561cc692534dddb419d4a261f8269bb711c44ae03dc8080e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25c356a00cd473e406e47c4a671b85ab

SHA1
b2b87389db726bf4df75d17c4b53c7b6e58ede2b

SHA256
923d962e27c70a8a14961c515ce0f3d732443984bc016938eabd49dca27b56b9

SHA512
067f61c36f62a36a328ac86ef4403b2181780802c3e99d2a720a6633cd6274517d018d53e76128b215cc953d7e9e98ca72851fc81f754a65257f9bcbbe016914

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d253658e42d775533339f2e7e2c47476

SHA1
75f951c700594cc926108935cdefe8b2b6b2d5e6

SHA256
46ee7563c328d9a20784fa2e78cbbd2fd765ae493469ad5e89d9b64ed1988b14

SHA512
4d01592ffec41ecd0bf3246de5375d1cd28ed7a60a150f68372c212475b71009efd8512d85619920793cf7f1c8c22552f39685e9acf6a9a32109315790a246df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
efde56009bd3b2215f1f70d69b1a3219

SHA1
a1a2a51cb17e404dcbb8fc6a0e78e482f2391666

SHA256
b390f3e40ed58a501016e383f1b9830502910101582b68f6feec61f4f9545f2f

SHA512
a559d4b71978e75d78d09a02fe5cad48e3b9cf8534b6be2d47bcb42038394e5fa1a91fa7c47153050ac3d244ccdc96c2f2c1794bae999341e15616652cabf58c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e0caeafa52478baeb950e888c9f07a7

SHA1
78621ebc29800ac083ecfc04a3a98b9b5a5bb55b

SHA256
39b1422978f6f73c20b1a85794d112541f2a0c0c929072b6232e0fc6c8a4af02

SHA512
080270d3ca9a09c530798083ff156a9b900ca45c2642f7c8f226bf6d2f357cd2d662d9a0a7a4c48bf78ee7c954ebc9f37f18a7116c41853d2a732cf8d6bdd7bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ebff5f5d81970204c208b6e9fce8e43e

SHA1
54462315ac1f1a29123a75402df3af4bf2e13b4d

SHA256
06ddaed9b4b87bc14a607b8c23b9b7202f656f4cf29aa12ce36d98ef4e11c9a2

SHA512
a4492f1129d0bc60979d29774a664627ff6433e2e925491da224827b53677f82d76f47e0f37938636635f70f8581865798cc9c8ed251ae25a6cad73395d35e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3751d64f7372bd3f4b50246b2b070245

SHA1
fd63f4d9fc4f6bf52408da231e26319855706205

SHA256
abdffcff8598c38be6c15717b2e7461b6be82e3505fa9593f929d866aa28e197

SHA512
7a20b1b6172b1d28e0ad8d7e60d22320c28fa0ea6cb01c1d54d32640fc165044147c5bff6479207cd80b7de4750cd76c0066b5b3fdbf3bf236bd8dc3e6226c90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cafc0364d4ed0707a44b6bbfcc51a9d5

SHA1
05dfd426c1db6a437f19dba1de414f2089da3eb1

SHA256
91fedb6da903008fd8f18158a11dba334b2976dd86b3f3750a6b9fc976ff6df0

SHA512
9c347e9c00fe2264c213b6f7bb813e84a06e31f360b6534110f19b8770e68a9b551bb81d128ce5907d4867524f53d4646810009f430f4f265139c8f757aa1f37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de3ac173939f1f4b865bc75e2a98d9c9

SHA1
53b3a681fc4d964bc6890db67eaf8b9a4b5dbc92

SHA256
3ddbc7c52f42281b4a7dc468c8b9352e17da95cb85d5f888b71e7ccef3864f48

SHA512
715e68164ad96ce832f560b35fc71be7177143b872d9d85e6f5c6b163f9d84a1352e9d5b74609325290bb26fbe8b33b81385999c8435b6257f5e09667a8548ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7774bb33ebfe4714554c217e69400a73

SHA1
1732246fba581fcb45305aae2f37fef8101fc1c5

SHA256
3200c5bb5f84200ccaa5ffa0de6d5c8b1e0d3f0391569063b9592ec5fee41cf1

SHA512
b64371985bf0d7e0db6b6be2079b330880ec7e1f5446b51e140c67bce8af1cd2cfb51b8e909eb3883b0d78f95d56b996dead73333be1e1906256f4cd25c31d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6634.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA106.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit