0432dca5d3f8623103c1e112f052a4ed7990d550b029c445858ffc94a9abe65b

Resubmissions

15/04/2024, 17:37

240415-v66nksed8w 7

15/04/2024, 17:34

240415-v5ll1sed3z 7

15/04/2024, 17:30

240415-v3fmzsca66 3

15/04/2024, 17:27

240415-v1vdcseb8w 7

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsPowerShell/v1.0/Modules/Microsoft.Windows.Bcd.Cmdlets/Microsoft.Windows.Bcd.Cmdlets.Format.xml
Size

5KB
MD5

7ea886d135ac103fd63063dca7e150a3
SHA1

a10f3d3ea34be2266be6611625136cad5ea8fa44
SHA256

a31837f742c1cc25397d8b06bf182b71f926035554cf575bbba34029f3da3403
SHA512

45b1ac8f92b8957c502726475d39a2a3f262be6aa8e4616d16549c4c45bc95f6729a0a47e8dafd75a396d931695f8e2329a6e918835bdc72a24dfdc2aa3a900d
SSDEEP

96:qAmLl6umMlRLTpBTUvmvQA6umMsSOEKzZBfEDgcRPx:qLlXHLTLUUQAHsoKz0DgcRPx

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{979F9941-FB4E-11EE-8B56-EE69C2CE6029} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3052	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2212	2252	MSOXMLED.EXE	28
PID 2252 wrote to memory of 2212	2252	MSOXMLED.EXE	28
PID 2252 wrote to memory of 2212	2252	MSOXMLED.EXE	28
PID 2252 wrote to memory of 2212	2252	MSOXMLED.EXE	28
PID 2212 wrote to memory of 3052	2212	iexplore.exe	29
PID 2212 wrote to memory of 3052	2212	iexplore.exe	29
PID 2212 wrote to memory of 3052	2212	iexplore.exe	29
PID 2212 wrote to memory of 3052	2212	iexplore.exe	29
PID 3052 wrote to memory of 2608	3052	IEXPLORE.EXE	30
PID 3052 wrote to memory of 2608	3052	IEXPLORE.EXE	30
PID 3052 wrote to memory of 2608	3052	IEXPLORE.EXE	30
PID 3052 wrote to memory of 2608	3052	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\WindowsPowerShell\v1.0\Modules\Microsoft.Windows.Bcd.Cmdlets\Microsoft.Windows.Bcd.Cmdlets.Format.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
edf8c863339ff86b4444265bc2d2d3fb

SHA1
2255d1cfa6c3eb766d9d338e7b656b190e7ccec5

SHA256
a817d9ad692786e13bb3ac4215d9ebf51fd8fa296439a910acb97061f27878b0

SHA512
f172a9fd02e9a5d9954329f94a71ca66e556f9ecd8fccd1001467b4c2b38403cca673d64ef808464f0a674ea8e9ed1e5edb0acf689faa918293b7e07334dc056

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89dcd7a58455243e68b88dc21958b606

SHA1
10405084bcd2f53fe677f8ff07f3129cd3938a68

SHA256
65d914c7650afc1f99b91af4c8b469e41c9fe32e2dbf4e4f7465302509d4c7da

SHA512
fbe3b790b74007329543a1cf9d650c2f598b6cd0047c628e9ebd995876cf09994772fa45594b29afbc7dca5cdefaa62c7f83177420c01ca5e09b5d055532960e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74030aef3bc9bea9b6bcffcfdf174aa2

SHA1
181b347a3e8baa09723f9c17569df9575fc7a391

SHA256
1cc36fc9dbf34beeecc61904dc583436a9a162d83145850d3ba9d148842b424b

SHA512
da0c29b804294045dd428f73d89d7c07ba56dac3074db9b766011c57ce893f7e501a6d7a1c5b825b3cd757720916628599ad8d488d27564804da5917f5fd6a15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ed60dd7cc07f354fca3e5a1591f17c7

SHA1
dad69afec1d7801210a73661b4fe72f7f911f7af

SHA256
2395c53cd70f38174f6577d9ccdb724bfd1e8c805b9206161c7dfe8887ae7a7a

SHA512
773ea46e2a79b3d68ad8876fb8fe2bbd2b7e812e687651c860c73f61f1ffa6870290703744761e4d1985692279df1e9f84beac54a681ab5cffee660fa50d4c96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7630e83c9478eb69bb7ca9fa987a4203

SHA1
365f4af5543be8eb44a018e3031d04d4ddf4a1c9

SHA256
7edbab44f53bb5db3a503fb6775db2fa4f692525f9435317a444bf253ae6d126

SHA512
12572c91acea287ab3aa898bf5aa797768450abaf41e76ec1e1f4d7d1462a78c8beb293de2ce75f1350b3b7abc686df8751f3e80f4de251daa9c678513644395

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad758a6b774164c0e556d937bde6cc48

SHA1
c1c44ed9db3fb7ff250ab2cd533ebd151bf53dfd

SHA256
d6432e5859e370ba3a6849f737b94dc1ead38f6504494abcf6160373fe9fbec6

SHA512
5ac4f262d3e32c74fee2e0002965d2057d2079bd4e7151a6d2b38e6cf5ce517d581e0665d94722b7ac2df1a8dcc80bcf33622744caaeee99677abdfbd02f5bae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdad826ac52acca04e87b4b62cc137f1

SHA1
2ad993dcb5122a21fd99fdd66e69d2174b7549d3

SHA256
13dfd3db544590b8773b485001b29f2cfc23a8c6a42dfaf7e65c052bf87311ad

SHA512
d66e5f652822d8df205e83f26a399ffa2ae78ffb100b494a7c96b5de17ca1e239d82a5cc91a1c4685f99ef52af43e2eed2dce426a12c788c4f5a482f98819230

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b20d4de2d158e25e5a6e8925e0771940

SHA1
2b092643ab2f136d71e50a80637c22059cb2e5c7

SHA256
ee3f710104a6eb03958630cdb9b524eb851b7d9d462aad27e7e38b4b4406bd4a

SHA512
7fe9cc5bc3c234ee6a5f9e95fab3b27d42cbfe6e0a9994e91104a2e353bc842b07c8b207dbd23308b8b7725bee4cd79327a65c6f27a73b9c051cbdf8db4576c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97654ec7999e85eea8072531a25ba542

SHA1
f9cbdbba28555b5729e4d988f3ca153c45371f71

SHA256
1e2a779a53c7e31e6aaf9012398c724ac3a3eb693753ea0ee46d8c434ef5bab7

SHA512
30b726c4256dc53a62882197c9df8179988c8d57ff81af7da796e4bf27f5ff2eb5c15c61aeaec77f1a5e141b0c69502cb02f3ca6b4af35601ff541488303f6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2A1D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B10.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit