d8c60081cf31e7c9ac6f903e2bc1ee9b64ea95f4a8c7d7767a7303e2a6d75d95

Analysis

max time kernel
42s
max time network
19s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27/11/2023, 15:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GRW.xml
Size

137KB
MD5

f8a04e48bdafedf7d2bc7fb25fea3faa
SHA1

ee9b58b465fe85340bb2caefbcea4ddc9e0bf5ae
SHA256

d8c60081cf31e7c9ac6f903e2bc1ee9b64ea95f4a8c7d7767a7303e2a6d75d95
SHA512

0b2815b45bb49348ba2edf37244aa7ac285f5fe2dc2081d1dfdcdfe022f948bcb87868b27a694915db39358ba4329e703cf289d75d630a15356bf9629c9ea004
SSDEEP

1536:sfB7MPKaNUKRGzlUGRuWyAtY1zy4pepyHw9sUa+bgwLgxRwv7h/rKdGdsOWH2Egw:9K0/doKTt07g2WNZIU+FihLS0BBF3z

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd669200000000020000000000106600000001000020000000133ebe8e7e0c314b5dfb1154397622df57543d5d5d9da3248de79bbdc9089aaa000000000e8000000002000020000000630f102fe58767f713addb0362a14c8453880504a23863c2d3bf22f87117784a200000008b328f0b7183beec335b644615788e1add663f513c25e3d6ec5203c19856d8d640000000fadb3ea176db6d9902aae4de9b23e8e8b02ffe22e547ba09b7ee447379617b3bbc598037138e72d8cee9b6ef2dd9ab8399281637626a36bb38e84ada5be1dc23	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10450bb84421da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008d5ea254cbc3cc499365b391a5fd669200000000020000000000106600000001000020000000d22254a26d3aecd78784de2e75f32aad9386ad613f8258db237b1aa0a3a39ae8000000000e8000000002000020000000c17ca2a11aa730127fa02a4a3ce22769dc0a5f4a98fa04f35d5cd7aa87a5ce839000000083be9944c95e0aecdcbdaf87d8f8d3c826544c0fe98ce0c5447ddc9495caa1e6d055426e854997c3aab24370f83bb48a29370e6b93b1f4d16ee6c32df4b05a70b939ca9931d8419cc5a32ca75fb8f82c3f19c40ec91f6810db1ded094fd7595517b085131aca140f3c8dc14711d8df0d6359d4d9546b36655ca9c6a352f9a5a0e2da34d54ee7905ed3426199b119365d400000008bd243c878b4c231556b4b4bdd38a1da4ab28b7e5b1875bc68a399d82128e6da8753d5c0fa92a10db38705442d504575b14ffa8bed36a1078d2fa60ca820f229	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E2E61031-8D37-11EE-8CE8-6AB3CEA7FED9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3008	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 3000	1124	MSOXMLED.EXE	28
PID 1124 wrote to memory of 3000	1124	MSOXMLED.EXE	28
PID 1124 wrote to memory of 3000	1124	MSOXMLED.EXE	28
PID 1124 wrote to memory of 3000	1124	MSOXMLED.EXE	28
PID 3000 wrote to memory of 3008	3000	iexplore.exe	29
PID 3000 wrote to memory of 3008	3000	iexplore.exe	29
PID 3000 wrote to memory of 3008	3000	iexplore.exe	29
PID 3000 wrote to memory of 3008	3000	iexplore.exe	29
PID 3008 wrote to memory of 2148	3008	IEXPLORE.EXE	30
PID 3008 wrote to memory of 2148	3008	IEXPLORE.EXE	30
PID 3008 wrote to memory of 2148	3008	IEXPLORE.EXE	30
PID 3008 wrote to memory of 2148	3008	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\GRW.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9be9f235479a40ce55c1d13db654c079

SHA1
9b2958d5ba84a60a0a02f788d8899b1c7fe4f99a

SHA256
7872ca041626130fa14296f85fb1fa9da3e282d2931d7e2d86692f9b43a7f7af

SHA512
266dd93d7aab37ce1d388ff0cd0f5511833e77d7319a2b8add28cedbb8024c9565e1918a3b6ceeb9fec2cf114b2299819227477802c0b4080d29ecdd5943a22b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
085a6630976f87614b062c1fe5e325b6

SHA1
ed94982164fe7c4136d9aaf267ea3b88c328c60f

SHA256
67ed8cc1a0763dc8f8b9c03aa5bea5ac1d4f12c94d38e94dbd03574dc92cadb6

SHA512
1bc61e4ba6a47436f0a28472c05c1d4b69012915adbd469ff12c41570c49d7d310fdad285885afbdd49f7ea86befcf3bfc08a4259bcec7f793f93e66aeb9e396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92218baaec56cfd576e8168f72d395b4

SHA1
d99de66db2817724a7b7d6b47c023861f52bbc81

SHA256
e57d318ef288172df4f0c4fadb031fcd0a66b1aa0cc44ddcfcd835f5f6c642d3

SHA512
878915bd3a974ecfbe3a36e4b8a714338b4f0694872797b8f131661eccc395d2028d88eb3b5b82b949b382500c2952df230b7b7866c10ff943e6f5d6f9085abc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09c5a7ce85879e48e4f05e2f40460d27

SHA1
fb5a0bd94a858633e13f08c7b16b253dcb6ebee1

SHA256
d94e2054d278bfb6f2959e8c9546a4b78eaae5444c60d54663f1b0d6a307695b

SHA512
557eaccc642e9b620ee0b883ca809de709af1d2525120fe202bc53028cd0918bf5a07c9c686c28ac8820852744bed4d963dba68d0b81a468be683068457e4ae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d357d2fac2110d7508f93481bf0f46f6

SHA1
3f42b262b2fc5ddcf30c1c341d358003b8db6a3b

SHA256
2d93b1ec49900f29c41b7492c238c03f3001887b98ea2eeddfc980ea0a126588

SHA512
9da316660eb6ecdb255a9d2366092c530ee54d9d8938ecf05f0673805869b9b99a9ca76b19a16cb2a584edbbaa69c58cad82aee1b8860e6767989c91ea77357f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e9a0927b974079d5dfa1b247af89826

SHA1
d323a6e69532d3669db81f389631b52d5bd8cb4b

SHA256
0996085a9ddf687d47c2685931c920433a038d0724185f3b15a54227fc469a9e

SHA512
e959ba37ef51f71bcc3477756bb4d31d2d23b0d64cc567f1bf450611afda973262693658fab885aac4304816b065dbf508e1cdf5878f6401bdb5b5c7b28f525c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7547440bef72100781e9364844d1c20f

SHA1
c8f90cc58f18774c43cf3aae6d7e4b06fe147987

SHA256
5d4fff6437d5667c1d0cc330e15ed9b82cb9af3ac780d4bacd34024e7c5f53d0

SHA512
d80f4968fce68ec2fc1eb35c9f4f119717373e03709700f29cf6620292ad2258268b81eb55d1688af2b18465a31284b6dbbb6d7e1e8772f27be864f68b2eb3a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f8def69ee39fc855c0eb07a249699c2

SHA1
a50dd0781114c1f94879810de8127779e9056b77

SHA256
74aa43b2605b6af51bd31542ca0a0a1557f38e16917bf3d9dc71011681fd981c

SHA512
30d3358c337639ce3038eb0751f9f459fbb553fc15badfe057533c3911002d0efe8fe89d40282245339fb4dca9f049bf5e74b6df9b04dfc60304adb7dd7ae3ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5612caee02ad600190b93a33fd5d19e4

SHA1
daa2c3fb832697450ee9209ef66f8c9dc0deeda7

SHA256
8246af803f925a634896002721bfd7a2a75ef2c5269ca76862bf3ace75da3bc2

SHA512
a490542296eb3781d73627b554a610abe49eef55b6ad56db05db61506c4e4fed4db17659d4ce7b102a6b1109d89dde0100fd0bee0dbabae57d2921d46c72f419

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab55C1.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5660.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit