0432dca5d3f8623103c1e112f052a4ed7990d550b029c445858ffc94a9abe65b

Resubmissions

15/04/2024, 17:37

240415-v66nksed8w 7

15/04/2024, 17:34

240415-v5ll1sed3z 7

15/04/2024, 17:30

240415-v3fmzsca66 3

15/04/2024, 17:27

240415-v1vdcseb8w 7

Analysis

max time kernel
35s
max time network
23s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsPowerShell/v1.0/Modules/VMDirectStorage/VMDirectStorage.format.xml
Size

2KB
MD5

bc6ce0f52536b4253fe9c8620f8f34a3
SHA1

705774934a56d1343e237f672f088450333bda3d
SHA256

e9755fc8c1f065e111561c5fe0a88cd09c13dab00132aaef8c98b8cc8c854c39
SHA512

1fd2bb944e243643d27db0d8f1189b35351714bd20d115412c5c7d5ac710bc178d7f27e15a59106277b01c1688af9dcbdf637e002ae4ea148ad00ca8a2382f7d

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2175B371-FB4F-11EE-A6F5-7EEA931DE775} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2612	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2728	1460	MSOXMLED.EXE	28
PID 1460 wrote to memory of 2728	1460	MSOXMLED.EXE	28
PID 1460 wrote to memory of 2728	1460	MSOXMLED.EXE	28
PID 1460 wrote to memory of 2728	1460	MSOXMLED.EXE	28
PID 2728 wrote to memory of 2612	2728	iexplore.exe	29
PID 2728 wrote to memory of 2612	2728	iexplore.exe	29
PID 2728 wrote to memory of 2612	2728	iexplore.exe	29
PID 2728 wrote to memory of 2612	2728	iexplore.exe	29
PID 2612 wrote to memory of 2528	2612	IEXPLORE.EXE	30
PID 2612 wrote to memory of 2528	2612	IEXPLORE.EXE	30
PID 2612 wrote to memory of 2528	2612	IEXPLORE.EXE	30
PID 2612 wrote to memory of 2528	2612	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\WindowsPowerShell\v1.0\Modules\VMDirectStorage\VMDirectStorage.format.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9baa2e585cb2be07edb8e77ec72c8cfd

SHA1
9dd5a4b393dc9e0f259faed97580077fbb31f2cc

SHA256
3c6050a693b8d5e76032f5421c41c8a13998e5efa0861d4dc2f553e9ddf85be2

SHA512
975471e465e8fd6c7b90193db699b82837527a79debbb448e0bc66c9337e9d1df569ee4dbf0e59a01b55f9d512566f09f356c1370c071d451e645de273b7249a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
066a9c4a062e6b006a7bd61dc07e04b6

SHA1
c0739bee3cb92f37b7f3caccef4a7fb51eb2c536

SHA256
ead063d54b39661fb46cae49f6dbd0fdfff79e2d65568ea74f8cdaec589dfaa1

SHA512
95366c3c96ff3bdd38b326cbb467b404a9d30db17e761494c6b64bdccc6609d7f4bf099c1eba0eb12d0a85bf85cb06ad8d5f034487fa53129e2dc450252f3c60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3d8a2e317eecee4b9fd9be778791ee5

SHA1
e2a1d4be10008eada4d1632d37cf6be2d981a14e

SHA256
d03e318bb682de3ddd83c808270e3de52642636cb1c4c7d40010fa4633219233

SHA512
1c0e81baddf059a88865c0dad8d13fac0a523594f8098443e1d06938e8c1d04fbe89d3946494f20162b1a7876f6ca88a782b4715be943e49e5c44dda125bdca1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf1f608b7745b23ab6c5f0a35b2f05c5

SHA1
93858f56962e3c0de28d5ad24646839dfa515722

SHA256
7c5ae1318882b172968c11ff7ad2d997929f837705daf68388954f3b02370bae

SHA512
ebe16f4df0566a77f7cc2eb0cb943f3b515952d19828f3e412f97e3edac0ec30510e1ee80033e3fd9a5f04715c16b8a57b6b6033278c81cbe97acbd914154ff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d444ab1c3c8f310cda72c3000103be8

SHA1
cb1db7c4d681c8b6765cf206f2c54de4ff7fa8f2

SHA256
d9f12a1e83d7ec88e31a8cc1a8b9c339112319ff86abf264339289c2c1174d75

SHA512
65d54f6b611a6f8e96b02cae6554e266d42621760dc86d258cfaed9d393d463dec9df529ca7c1cbe8cc126d57c3ce8397d0d02cba8da54ff88f61e7f5976bb27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e714c19dfe468dcbcd1e2e302efff19

SHA1
7687135536642c39d66b7708d3fc38b59a590663

SHA256
72983ab0f208f7c1bdd619b510c80bfd1509587275db1ba3f3141f6b6d04e63a

SHA512
210de30fbb32b0fbb5304a41d0f2db103960b7e3d0ff0c4e842fbfe50fe112365d7cfb7381cd384efa5a69cd34b3c642b950c4534aad3cf435fce8698b299ba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
198ae560893a931fe1542ab94be06ccb

SHA1
199167ed3c9d2795d3ffcf5c5438b391dce3ccee

SHA256
52609be1e0757e6f9ba140ba7baf4a317edb34969a80d5dba6c644811a795a9b

SHA512
6dc287664d19810f012e294f45e6cefa045c02232ac50f0da4a2ebabb6759fb8b7a65c859b7d0372130fbc12b35ced94748d9c446c55962c7f5fbf6e7daefd13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f6fe8bd43db1a3aac95d21304d935b7

SHA1
5ca763995d5a71d977a03bf1b531033f47cd31d7

SHA256
3e62662cd1d197ebcdb5249dd4375d897e7290b13d731e8d1146da58d808f888

SHA512
1754aa21d4e46fe2c7dc4515856d12ae50a8d0d1fde5514d73904f1e5394163b08437ff2d7f272c6b153e01082066daf5ce05f19b5de58c3250ed022da82a8e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0e0fc24aad0edf5779ca4faabc9b840

SHA1
e0950ff728f261051d16780997504f5dd3fb6e51

SHA256
fa974ae188466f99c9708bd05759ba96c95e368e9529e3cdf70ab570333109ca

SHA512
4ff9e9240ae63ab6e3033afa61dd1fd3522489207bede4abb39e0c28483177a5338035a4d994ad002d574cd2309abb1f94955b789a34068b548aeb4e5effe963

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8D05.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E31.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8E55.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit