fda45010d8297cf7afd9ebb35510cf2628daf5fb247f7dad2c765e91674e2b52

Analysis

max time kernel
143s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S3tupp__Pswrd--1231/files/libs/WsmPty.xml
Size

1KB
MD5

d6cbfa113b69c491de370e85ebac80e9
SHA1

33efa0a3a620361732f1ea4c47b725cb3ecb885d
SHA256

f45582748bf4c111556865185b668b2810d59a67146224d4fb25a7087401d65c
SHA512

a4bc97e506d594abcfd1188ecdceed419266c4f2555d126b75355ebcc9aae54604b0b7c6bdf8dfc1e69823c2a66fcd618664ab31fa67ad207b1ed8639589a8fb

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80fb157aba3ada01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000e01b86cef2f3710384eaee9031af3a2d135d8a8b916c073983917615df172a91000000000e8000000002000020000000256ae8ca92d04843d108fbaf6bf50264bfda17048f47d9528217dae22fa4c3a620000000ec825e4944e842bf297ba011490117231a0e1138f0fda88cb9c2fa15b461d842400000009155005be7bf8c7376d3a4de9223e6f8b82d24e5e415ab39ec07feab5be7d222ca6e19a0e8ba329b0924727aab7a36e26a0ee3ecc66a77dbdfdb166549199248	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d60000000002000000000010660000000100002000000068ebd7d0365f45f099850e8b074e1f21798230c93a1767a675891d5873eb32cf000000000e800000000200002000000046a53b3dd0cb0754ea444d82cbe794e59f512725063553ec50a109a9379d46c09000000085db4e5ff2c98a4a8e95471996ad242b81b053ba894be6c53d559a9eae43f25ddc5ad3705118cc8dd0f607f726c4254ded216994d594e5b2b7179eb9b5e2fdc4c86b4e2d9cc716c50b992fd88e35ff312c6beff759cf23322a94895fe5806a7065233e82fda0afa217544419e64d59cd0427c8a23d3286a09bd54db764eea3bb6441384c4497987333e861aed6bab17040000000a0867052a957c8dd9cc6017121a56718e117abb63222878d43f1937f887ddf615ed1b7d8994ee28cc76e102e79b4c115ffa8e068107465f3ce20d5ee8608d022	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5928CB1-A6AD-11EE-A80E-FA7D6BB1EAA3} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410059399"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2304	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2880	624	MSOXMLED.EXE	28
PID 624 wrote to memory of 2880	624	MSOXMLED.EXE	28
PID 624 wrote to memory of 2880	624	MSOXMLED.EXE	28
PID 624 wrote to memory of 2880	624	MSOXMLED.EXE	28
PID 2880 wrote to memory of 2304	2880	iexplore.exe	29
PID 2880 wrote to memory of 2304	2880	iexplore.exe	29
PID 2880 wrote to memory of 2304	2880	iexplore.exe	29
PID 2880 wrote to memory of 2304	2880	iexplore.exe	29
PID 2304 wrote to memory of 2732	2304	IEXPLORE.EXE	30
PID 2304 wrote to memory of 2732	2304	IEXPLORE.EXE	30
PID 2304 wrote to memory of 2732	2304	IEXPLORE.EXE	30
PID 2304 wrote to memory of 2732	2304	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\S3tupp__Pswrd--1231\files\libs\WsmPty.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0b980b633e16462e96cafaf1cecc0ac

SHA1
d0d2916446ae90fc14c52088a1c38804de24ce70

SHA256
e11fc0a17632bb59f3bb3d7f794af62bbf6866f3ceb4ae18ba1e680fe5fb1047

SHA512
ceefc420c46ce75275973d4efc367437dd4c66917e95a689cf17611dbf92145a6dbce30d79bbf6d2d2e4dd3169782cce796d4d95c44b594fc261b53b5514cb61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
681d180d77786ecffc2a7080ff7a8ac5

SHA1
c4ea002179f8d006d011ac62ed08a6ebce23a347

SHA256
ce8d8bb0389ab0a7ed8a9b63a9f398a8ddac6229e35a0871c925fbea899bb5a1

SHA512
484286d05acc8cb7b18a99a27e8d7f37ae8e8faabb302521a0957c67b404b333fcc52fc963c7951c7356d31bb989a04bf423159d041d213c37b1ed9300122f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
153054bc6fead70634a63847a6f1a91c

SHA1
3b5ba3080f25d3b3f0ec59823f08088ebd5d813b

SHA256
94e5c8abde45913dc1f39ce38b5a1ade6ca467c97a7e6f82b8a2e7bcb3a9d430

SHA512
058b1cfc80cab25757a22370096c4355011e154f1af7f7a69536db779b7ddff831a7b6a5963a2c0424c8de11820bb694d0d1facdcee6072ea2cc852ad9445b1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10dc6b7d65004e5b98b90b613839e79b

SHA1
ba14d33ae65c1d64e1f8cfd9cef913f1981f816b

SHA256
2ddf39ab8e488c36013b9d4fb4f999bda80e74aadb564e74e9e3e36a5fbbe29d

SHA512
b52a1debe1651cfdae6e907ce2a75abea29e44beb3d2c23c5f7c74dafaddbde0e9b9c3ce8b84fbdca5f4edf5206a2b3bcbebb017336c8625c306710bf1a45a21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fa7d4bbde7db302e91bd278e260438d

SHA1
e482bf8306ac40db23a66248ada6a7f705f226b5

SHA256
b4f848e3fc1a2d24e96cc0a7ff42d44d3c92cdd847dea067cb04824e347fe61d

SHA512
666e8ca8c8d5dce1621c59f05e21bcd14ddb898c41ad77f77bd03aea09c732da6cfd3ce6c0232c811b0f448bdd8501636692c936b1c56e35177519043cf9d891

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cfd20e6860d75d6ab8519cfdb4cc9d3

SHA1
592cddb0bc2c55a14ff5f035455d0b22a9b5d300

SHA256
b5791b04e9e581105937fb5216ce4f8200d18d7fd3c4c049136cfa1fca2a819d

SHA512
f091146259c6d8ea068d7d22a94ad1ea29c620c7b6120fe1439368995cb8acdfedb3c9ece7de7fe83f432664ce2275644f764c2d9f702fea1a16af75db92152d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17e726de59267587cff8e3ea5578df4b

SHA1
b376bc14e0df4d1fc997d1466fa366786ed3e358

SHA256
3ad9e9d27c26b93db645f4410ea18bff4fb5852516c6c5ddd76d3802fd33f490

SHA512
0b1133de1592aaa10f2f87d924bd103b270821f9323abe17a171c7425f01b2debb792711e899d25f0082d90e8d146478cad331ae6b3bd685053cfc44ace52dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74e45c077aa7d9242c02eb7f9f0ab847

SHA1
b0fd696a60c21f4722afe4b6e1535dc03af609bd

SHA256
0b5d6464cfdb011b5b340b767de69e5ef717ea18de2421964c21bf0e96a2f6f8

SHA512
370081ba7ab1c9eb457f0902dae4a119c5c3e0d49ca8251caac597474c2f516faf14b5ef298305d81cb06363bbba2ad272aa4181ada61ed2a6ca67b130705804

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e99193c45efbc888757d5213a308d50c

SHA1
10082761e71d3ca3a4208eeee826a6431aa45e8f

SHA256
c33e3d4511acd3750db987cab0dd5eb032e0ca258e841a668ad8fb77505fdc04

SHA512
7142286fe958aa64fe1e07db6576b4469751afecd779d60db33eed7741ddd0c519d52b78d021bc694e3de3b7a2d8af39d84681d83f537fd422a70df3faf8cc3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ccdf38983b1a633a293a567a6491d163

SHA1
947d164a1c9ba9f2296b3fafb0dde5bfa91fbb9e

SHA256
1c515f5a385e7cb75e96e08b25a85a465c9fd55f606d583295ec8d8ae34dfca6

SHA512
beb84247e7453d34b316e2585e0a1ad90c54de3e1cec778d68de9beb380b50cd134ccaba6ff02c636a31f56476bf70400db2d46fe7875b5e73cb757512c55c0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b23dfdd259e7aa5e3ee64080f435927

SHA1
18088a6babc621a8576f8a6ba4f23d10cc54015f

SHA256
e716e841a69a32b04befe9ba47784884f7f20822cb7f9a568b799644f26f5ad0

SHA512
4a80fa4d97d1057fc3335794ee8ccc914ff0dc746c8d9a93eac29f10d8d388468db9c353d71c9a351d272c5e9b2a61ccc212112dd80a70bb77c72d562b0f6e30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53cccdc0bcd07e734eb538c1088ff2ef

SHA1
b0bacf5cf10789503df767c99abfc64f59a66887

SHA256
5656651714054c11effaeb8f4dad678d4e84d5e19c24a9e3074384e064f14f89

SHA512
2c4eacb933f7dc1c93f65022d697f29e4bd00b1f0b2cf77da901fb115528f8cd94fa1eefd30e1057dd5af30fd789d811d1e04e94d9b3544232df07c19d1a571c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05baf02e23c823b1e096f04d4011f94b

SHA1
756321e6ca37f40e5d835de2bf03d3fd332a5455

SHA256
cf21e96ff3fcd0c8c8feab1a0d10b731824f527f1bb43ac337c1240fde64ce2f

SHA512
7dfa23012d8a2d7972e09ae6dd4685de6f696de1b4eada122266cb23d0a73bb48f5a57b65a3ef779bc573d0bbe1253766cc2bc6852110443ac0e642e97801b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab46D2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4B59.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit