a3fbe1bdecfef6680c6f91f7a21eeabc11220b7e3130e710241699ca0f828424

Analysis

max time kernel
197s
max time network
229s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Excel/xl/link/Excel/PO/page.html
Size

19KB
MD5

a99eba08a837777ca726dbe6949b68db
SHA1

3347e3043496786a8b912e3c321b2f6c33e5b4ea
SHA256

be8578d26da2c5da354ac7f9701a235ad6a44f4bab1fb1722c394d0902a2027a
SHA512

d45051d566720906a73aa0c4bde5f5e3f6c858b36a67757b5e1ff780de44c1ecaf6941cb996f60a0c82ba0ad8617184fc745fba3c52b6b6e24e4f8f21c85aab9
SSDEEP

384:EurcxRYDNeBpypb8turcxRYDNeBairurcxRYDNeB57iOiw:lDQpypb8QDQaiiDQ5efw

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c19300000000002000000000010660000000100002000000009a018e89324bbf024c66d17789bd436870945e52b82ab442d08b07d310a3cba000000000e8000000002000020000000b25721c06b865a0c25b3e920c9b5b8c354d929c25985612d42bed46b7195f76320000000bfa9404e8ac90654ef4855ae3762a03d2990c9ccd9f6cdc526c918ce16beb4fe400000003cf57a0cea65ffc11b0e627d6658828ee7c3dbba487736be206f04112aa32e8fca0056dace1656c9efbc7b9a29d9796a459ab0f4001665319ed2fbb95b92cd83	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410212981"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c193000000000020000000000106600000001000020000000fe1f05c7a2528787fee85fb40a2bce0b9dc33deb3bf679df54b86402ab582f1e000000000e8000000002000020000000eba52468764b8ca5e49fa6354c19bde3cf906b81ce7bfe44f53f42efafceceda90000000a6db7ef55a2611ac940ce3021182f2d7e970928c6496e6b952e7e514cf6d2391009e60fb799b27e0e3e6d9ce1905f7e7446c3e52e25ba2d7ec49f769d2e7e436ea96ba1f6dd69a4cda5ac9be4c67341d5e322572f810143c566a7fa2784b673168d43d3f4b1e2411169941eb0a5deca8d090c9c3d58feedecd8b14d8a1544822b990a82869078491e182c87ece4203c140000000db1a45ca922ccc6b5cdc6ca20775e7b8dc32ef78b9bafae8740371ef8882bcc896df41c5274e5c858c4ed1ed0c6a91d533cd5d7a936a869bf3d6213899aab452	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206d9d2e203cda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38C35B21-A813-11EE-A581-D2016227024C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2752 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2752 iexplore.exe
2752 iexplore.exe
2204 IEXPLORE.EXE
2204 IEXPLORE.EXE
2204 IEXPLORE.EXE
2204 IEXPLORE.EXE

pid	process
2752	iexplore.exe

pid	process
2752	iexplore.exe
2752	iexplore.exe
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2752 wrote to memory of 2204	2752	iexplore.exe	IEXPLORE.EXE
PID 2752 wrote to memory of 2204	2752	iexplore.exe	IEXPLORE.EXE
PID 2752 wrote to memory of 2204	2752	iexplore.exe	IEXPLORE.EXE
PID 2752 wrote to memory of 2204	2752	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Excel\xl\link\Excel\PO\page.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2284cce55fe5d4a181b5893ce9bc346a

SHA1
b91b9cb403407c137d73b009018aa6da9e28a50d

SHA256
a831f257b66c8bd820d291c4ba18f2d74894e17f31d2eb0df8a56616553b0374

SHA512
7e8074ca6cf571086deecee0f6b1278741c7df202d3ac93dd6ab3f046aefc4915d2550038dc168247f537c6bc9338812bb8b244f38e2f76de3fad30514ffa903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5f7bc5b7b8d211078428f616c37f914

SHA1
b7c7791494e8d74c1a50ccacf9cb8a42ea5547b7

SHA256
324f7f34f87ec47348c64f3229c5e1931a33c11c43ecbbf6c0991acead80a950

SHA512
b8a70f6d326b5d93aea54cc40401782f8176a0b02b459497762b0317034bb9f0d6bcd69f90adcf363b1bd86d383a569f15e11598ba08f5b9d6751f5dfbf074e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcbc72487ce4929e6dd81399bdbbb20f

SHA1
a9a0e39b7fa56c4e3438bd72712fb222d3c6df2a

SHA256
3235be556e2a2a194b971d8272e5186ad516f8abbf40540bec36e60c926e89dd

SHA512
0cdf0b3f00671fe404553382069dfa587b189d637e0244fe7e06af8aeba319ba4970c2cf5f531f18f125c1eabdc550a4f5993bae7f30ba0b03855420939a6c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3db8227934b65ad0a422375f9a352631

SHA1
d1be95a585d72d4450d8600d5921e7d8888fa38f

SHA256
7484f13d4ab8b1e800224609bc95229f4ba9ccaf5e3452edb5603e97e7ef9560

SHA512
00275b676de3e091a56c5797d2444b2316b0b380d0fcef644121d6e3e3584aa945c16d83402a54464847b7a0a6c503c971b41c980632aedbc6586279fe32a63f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cac0e6b186433cd5c1e66c7226ca118

SHA1
b12f19edd45718f3c131fe2594513e6c98ccd942

SHA256
a52808f1dfe33f712a7787b0b220a85acd73d521ef9c778356b7a534ea2a36e8

SHA512
4a18745cc382ccd4ee5b5e7020015f716c778092d14a4a6306cba431b712c0eeb9686a789a20b8f54be99b8a37c1e214be47774a55db132cdaf29b48d31b22f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8c6e039a045fda9326d79bde2d07e40

SHA1
b60fdadaa4ec6ce91604227972a99a92e5ed8308

SHA256
7c57270f12eb3b46d670e745bccec9abf96588fd44f7c6cdf0425e3c5a03ee58

SHA512
214505b6cfc715549c42320b2faadc466d0cf90b15e740dcbb7d6d852ac3e67613060402646e480822e9a6a1764452f6ef190f7930d82b003e68bfe41067a8bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffa6e91fef8d7fc4d5c02b7a063ef06c

SHA1
468343040df31bb77a9ea5a849d5304601d025df

SHA256
36733108f2d093c938d82d8d55facc32e85b428e45bfbd89eb4044c2e4c6b6ef

SHA512
ac70d6ab6cfca6b5847b697935a8d93569e5e1d7487737756ba180620c2307fae4f390e1685e1d2316e6740098fb520bab98d14598b558499408e9b5351d4630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e97a80e8da13e7720113f9c4dc2f8818

SHA1
294d6e59c3530febdef1e486e79ff11a2e5d2369

SHA256
9d7fc4c51db34fd6336343fb0804410781fa4912fd103ea2ea2f4a6f76875dab

SHA512
38b574017fe836d9f62c918291d256c605abe785603c9b7b78b597757fb75f6d6b2f0165cd5bf2e19d96b5c1f30f2b75d9a5f6b2617cbdddb9c4884c8831981e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87d972ca5985c41e13d81b8a544d285d

SHA1
3d59ab47a3c5b8761a659757acc11fccb86d2c40

SHA256
deef860846bf1ccab4f95faddcddb637fd36d356cb2c2e1e3e95ff61863fe072

SHA512
74d1abf10af92c38af7a323a3818654e75f7e2a41afe9fee5e76367f38122833074875d79d9a8d9799d58c50f5d0d8ae2abfc53393d448b4a76beaae892141fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b56b722bb6e7ce3c1c4b605985a1917

SHA1
0a8bf0e57fee6ef097c7e223d5174351e45fe507

SHA256
6dd14d44e474592d901326233b2e364da12f9b7ea82895531c20f908972488a6

SHA512
0e0f7b4f713309830005402ec0d520f758c2ce98902b6bfb19241596657370b1bba3bb4d391adf0130a2101a07eaa7b0c83a1000d3d9e407291d4f372a62987f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8e89d6b91c8e860d90b1bd6fae9a6e2

SHA1
49e8e74566af7ce1aeeed95a83de4be6e72e74bf

SHA256
fd9f7db61a6c13fcf7019ca2959c689d4dd248ff358d6e07c33e9ab7c251df89

SHA512
825a4894fe3005685e09d055272e405ee74e8bbb0bc5fec2344fc0e620799d72964c2cbd52875650d39a5d053c4cce26d3f2d5b33d86601097962e362ce39827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac0e3fb68f3bfe261416a8a155eb61dd

SHA1
f25feee9aba7cefbc9a95b4a85b0cb4b78050951

SHA256
2d17579a9ebf882e16a335a1798c91dce285ad8ac008ce5728ac2323a93c61b3

SHA512
3ef25bce29657f82fef02d9bcafc4bcd943f75fb711dbea83bee47748f6702ef65ac5d3b586b50efef8f9f15124d6850af004b807789a47babc1e2a8f1d4b153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
238cc17728083dc9178b10fbab4136a7

SHA1
f0a9a8f53bfc3d9990759bc834e3c5b87fa7a778

SHA256
5e06f5d438fea22cb2e84edce1f06f223cf8585d8d2ec944bbba47f749b5cbd1

SHA512
378c5a9ce673a65c42072810cb70fb83c985e1d39382fc679be1da177d589bc82397d918dd86cdf4fb1bc03d5da7bde0ea48f6b41dbcdeaa0422b6472c1d81e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78f687ccab3a831238cde7d2cd05d9bd

SHA1
75e52bb9faf44ff07165c9f2d3ffadfd7e8f144e

SHA256
305b0a6cd448c0801fb9f36abaa4768408c84bbd0c140bf7e1e817ed7b0e9c42

SHA512
79957092a9bc357ca9bd3dd3980d9d0e13804017f30e4a65562dcc8eaa485b4520d795ab7dceae042c48bfe99c1568aba4a0c2cdb909653bc3c5bc14cd14b82d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79c8b527d3f2ab713d4f87d2a289f604

SHA1
f0a8d0fb22d2d20930584a7fc789832f39f533e7

SHA256
36a62b46ec323dc79cf54bd511e07ec566b74ef2af1d85eefd67626600003db5

SHA512
2e972ab0edca719ec36d4a55494d3a0af8ba35b3c2ac80e2726170565d19384725a08a8d2321b695f44b6a965b5f9160b08733b8261551cacec2246b19246a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7698.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7E5A.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit