0432dca5d3f8623103c1e112f052a4ed7990d550b029c445858ffc94a9abe65b

Resubmissions

15/04/2024, 17:37

240415-v66nksed8w 7

15/04/2024, 17:34

240415-v5ll1sed3z 7

15/04/2024, 17:30

240415-v3fmzsca66 3

15/04/2024, 17:27

240415-v1vdcseb8w 7

Analysis

max time kernel
17s
max time network
20s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsPowerShell/v1.0/Modules/Microsoft.PowerShell.LocalAccounts/1.0.0.0/LocalAccounts.format.xml
Size

3KB
MD5

7c5d2125dc6ff83578160e2411f3e50c
SHA1

d889cc3c474624572024c4be39ad25acdb893551
SHA256

0b5b8eecd3e4d9b12ab98fd98dd9551d27dd01fdadf5f118f1ef52834d483281
SHA512

00064a1bb36a7b3cb17df8a385e055ea2d8e2d4cef7e04a7ce454039c08359b98ea6e00571b347e723d2e7844a047e5bae16e61037b86aa9b747fb4322a89c5d

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C23C1D1-FB4E-11EE-B2DC-EA263619F6CB} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2996	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3032	2904	MSOXMLED.EXE	28
PID 2904 wrote to memory of 3032	2904	MSOXMLED.EXE	28
PID 2904 wrote to memory of 3032	2904	MSOXMLED.EXE	28
PID 2904 wrote to memory of 3032	2904	MSOXMLED.EXE	28
PID 3032 wrote to memory of 2996	3032	iexplore.exe	29
PID 3032 wrote to memory of 2996	3032	iexplore.exe	29
PID 3032 wrote to memory of 2996	3032	iexplore.exe	29
PID 3032 wrote to memory of 2996	3032	iexplore.exe	29
PID 2996 wrote to memory of 2664	2996	IEXPLORE.EXE	30
PID 2996 wrote to memory of 2664	2996	IEXPLORE.EXE	30
PID 2996 wrote to memory of 2664	2996	IEXPLORE.EXE	30
PID 2996 wrote to memory of 2664	2996	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\LocalAccounts.format.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1116397383363115da870c6a37959f41

SHA1
cba334e94b286a3d9127c59d1d84ae8fbe790417

SHA256
9487b91f5a7e7bf74c2f35c9c577801646841231cc55f2fe04326d3cecac8df2

SHA512
d16dd69603e61314b0326be74e8e4fae7550d9d33c7744c620676218c9e9290928b272d80f83182b08ed22dc4c56cd5cc3ae4ce4bbeabcb0afb1378f7169bd3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24f889d02f96c7460a46c04dd6d2cc66

SHA1
abf48d37c88ca4a33cd424d7907fcfb16148e07f

SHA256
8adc67f41f00dd8d640a9ec7c5464a0e4cb876140c52d157e97256778aff3bb8

SHA512
dcb4c0eadb2c630c11ab101b77f5452fb011a83febc241ab1c5453bc63728e25b1f80a6d9094edf39ab6b5df7c62f1fd604b5a6326da66529e4064084cb31842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ad6cb466c120b9ca8a6a0272f9b5eb4

SHA1
e739d29ad5cea2a541cab1c94738b394920b0dd7

SHA256
f626166cca6830d32d1e86dfec8026ce3b7fc9fd577ca249fedd82df061b62ea

SHA512
979a065fe8a61ee502fa253cd5a769d7709ab5d6038e00f2e6f32f6ce85ce9c76296cf608f99b23bab824461be897c61e6ad8b0e8e0db645c538fec47cb66fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
034a4a2952dba487e348d00c1e7409f9

SHA1
bb3d1e9e5bd09e756ccbdd5b57886e61234122cc

SHA256
24ada51444720e0e440a669232caed894f486d563b96bd89cf1d01f596d5d3ab

SHA512
fd785afff4c1a7d06d0b656de76cfa40c27abd2a0c38746065c45ef8ccbefdc7680a4f586d852f6ca4b9e28b8ccce768aa6ec5cfa3502efa1dd7bcf5dc740728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23cdd604791058930a92368fd80026c4

SHA1
49d206dae91907156714217ab1cd111fb3cc9c65

SHA256
242b94daf9529811142cbdaf90e01b20aba15edc12dd8988385a7290b4304cc6

SHA512
31a4d34679f9bf9ef539c03c61f6255c17db4d0f5f6baee809952e7494f706edd8c0f7d59c3de8d9bf5677b34db4d660a4d1522c62f6a1990c12e5f19eac35c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b64c891890c2b259dd06ae50b4a3f35

SHA1
a2aeb215c7daeea73fe75006f305e2eb37f649d4

SHA256
4e6efa39b4427db765ee0a50053cba699d3c0b2c69489844ec4458ba624476f4

SHA512
6ee809783bc00c811e165632bd1416666e4bd0ed1154895c3ed93826e615ffde1fa1f12580ef2efb2fc656feee889598c8e9ec87a12b2d8fbcd8ba1130cd69e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4af06f51fe2e15d7df46d283eced0bb3

SHA1
7b5fab0afce19a2bd0eceb0e97dcbe67d9a15c46

SHA256
078db7087a19077954f56723059cbf62eda76b5d0480c77e0a6c2d66a43b58d0

SHA512
f79b245f98dfe2846c5737c00e5ce99ba81f460910a769aa518d1c1245e98232bec7d8fd2815e110c330c551fc82b93fc44ae6dd6009443a7f0faed072da53ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbadf11d5bbe550d0fe6c8f72e7ddd9e

SHA1
ade8e0f06bb30256099b3667b6156626ff44ec87

SHA256
6f0e2e93949615725724579fd307b9890af0efd1475c7d53ba93bcdf097a0e9b

SHA512
433d048ed1ffd8c54d4aec7d36e77956c36ef09f888c3ce02b15c1d2327523aad4b85242c4a5a4fab92424ac3063f4f1d3701aa346ab078ea76332024e461d8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4a0dd6babeb3170d9705864d8a84b9d

SHA1
363973c4da8f7fc9b819a1675ebe3c48c04e0c7e

SHA256
43411ff88e26a8102949b8c78b6aa0e988eee08c129f3c818235e403288548f2

SHA512
46db74bbfbbfdd0d57fde73594e58b5e04e84d2588114dd264fd4486598f23e45bcca707b87a59abe19bc5f293ed9231d87f127d9ec0e86196dabcf7a00ce1b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22934b3ede5073f8f035326537cabbb8

SHA1
25509ecaee3cec14c1cc125206943bbd91999c39

SHA256
f7633506b6a20684ff4384ab330b7d9759adb4fe26e502375b80bc5d251aa3d8

SHA512
d22c79468356bf9d0d83a54f20dbfc03921ac78812bad92856e531a98df4c161b17ab3be9fb249ae145bb9e730cecd0dcc7f352a9039616be081c9754d0ec6de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ce44ed29fb0a27fe7e126fe780bf158

SHA1
a1a62e1ed16e5e5bab664252ac93b2d040d17b68

SHA256
65611d46ed23968a2192c3379552a6599759ee3fc59cf897e8736719164f8734

SHA512
81d05a983e1ae822b5fe661ef6c2a2fc07d9ea18b9f4db345e8465e98ee4aa094ba84832408b71db2310bedc6d61fd36ff0c8a5e8950fb733eee489ccde7dbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC286.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC3A2.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC3F5.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit