0c0795955730ac1988aa527cd4dc21d9c8ac7ae9d4837b5e63f50e870171ec87

Analysis

max time kernel
119s
max time network
139s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

software2_17_6_23/lua/Date.xml
Size

5B
MD5

ad42f6697b035b7580e4fef93be20b4d
SHA1

32faaecac742100f7753f0c1d0aa0add01b4046b
SHA256

0b8e9e995d8d77f1e4770f0f79665aee6f3f70247b3735422daba73df4c3096f
SHA512

225d05b918519458a8fcc1e6493a4e854c004da76f6250b8f52197f47094f71ee984725c31446a1967f0d55f4dc74793dd44d932f2bdf50d77d4288d663bf1ab

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420083934"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000d11612ce5778180dcc2cdf04ec98304db7a15a92b14b86844469f059720ab01c000000000e8000000002000020000000942f8b04aee86c946f23badeb44bcd08499195a69137ed1c8a6fefd42bfb9fbc20000000724ca2adcfdb60fa8fc8bd3745b045f1432ccd3c86c28ae1e2e8546b265564f440000000a9f1e04c58ee7157ce625500d57df6b9e83eabb687c62ba64d604b3863f91a85ae9ca2cb80217c18540ba29bcb005ff272f6b7cc495f6696c671e10c8f6ebb33	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000fc179eed6fe73f397ee1d52af79c69e57ef5b27f02f15d8f27d88a577c890cb3000000000e80000000020000200000003952ec1bd769bd09bb0fe69c17441020af49cfe485a3643663c004472236638990000000fce7bef5b96949c709d49df48385c2900c2ab1e5c0a4ad6d2321b2b2c2ebc97d646fefbc074b9bc9c66fdf83ee4d24a520797c5c23b8345e523393b36ce2119e816ecfe5a122a28fe7d2dc95e5de9cc77e2dc2d50cf8845a314186e563dee89a47c2022eb5238e3344268b3ef9a6f4b156ef311c8ff06b111c32aac8c98ebdbe29d8e5940a21ce8922d3339c9a32da3240000000f677a3c6bc3c7947d1d137097508080040edbce356fd8cbd4381dba07615d2b38bdff0f73d1663e35a091b3c45a31d9d81aef8314b7a240475a17be361e919f1	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D63C0F31-01D9-11EF-9907-E698D2733004} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c02a9eaae695da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2976 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2976 IEXPLORE.EXE
2976 IEXPLORE.EXE
2568 IEXPLORE.EXE
2568 IEXPLORE.EXE
2568 IEXPLORE.EXE
2568 IEXPLORE.EXE

pid	process
2976	IEXPLORE.EXE

pid	process
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2016 wrote to memory of 2448	2016	MSOXMLED.EXE	iexplore.exe
PID 2016 wrote to memory of 2448	2016	MSOXMLED.EXE	iexplore.exe
PID 2016 wrote to memory of 2448	2016	MSOXMLED.EXE	iexplore.exe
PID 2016 wrote to memory of 2448	2016	MSOXMLED.EXE	iexplore.exe
PID 2448 wrote to memory of 2976	2448	iexplore.exe	IEXPLORE.EXE
PID 2448 wrote to memory of 2976	2448	iexplore.exe	IEXPLORE.EXE
PID 2448 wrote to memory of 2976	2448	iexplore.exe	IEXPLORE.EXE
PID 2448 wrote to memory of 2976	2448	iexplore.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 2568	2976	IEXPLORE.EXE	IEXPLORE.EXE
PID 2976 wrote to memory of 2568	2976	IEXPLORE.EXE	IEXPLORE.EXE
PID 2976 wrote to memory of 2568	2976	IEXPLORE.EXE	IEXPLORE.EXE
PID 2976 wrote to memory of 2568	2976	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\software2_17_6_23\lua\Date.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
370b1f0cf359d1aea1bd3643431db851

SHA1
f65c1a1cb55523eb20ed83ce4c677f8d6b1b8c6c

SHA256
6d23f381fd1d09e5b6af12d7cfe7f9b60464a31bbf60192e048399d355a703b1

SHA512
0419e353feae738abf85d5786dd4a00954c4e078994a5dfe9e9c8c383b2afcdd9d2b4fdda2a2543798f9a3588f80410c646f730664ca7d7cfebecbf474fd63b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd637eb21ecbf6ce031c5b0b253196b1

SHA1
38bdf0f5c3ebd96c64610e96b007cec5cf4f2034

SHA256
f315ebd22c406f66c5a3226328d12769337c6331adee0265648fc12d3f3a98e6

SHA512
de962f0aa550d79657e2627db559d722065aeff556357c07fad09d1ae3823d154c3370670455eb4ba0d261602d158a7365ce12f81e5ebfbf32a47d8c1b4af811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
761dbd07df714462bc412f9d74370559

SHA1
aac4dd3a4f21b38095a12d96b7d7e5969bb65a00

SHA256
f6f0349ac8e4f7915ba9e7d465f739b65beaab8881fa5c306ddb80acb05058ee

SHA512
ecd7563c3b857f6220d1fe051161ee296a0c088fe57d5ae69df4ef3262a71e7c23086194c59a47d2f278d1b57c296d69f9f05921311104e13920d0d618578812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98a1a4b017943be02778a93e44952a65

SHA1
b58e852dd58ffd1cbe599b202f2ea1aa25597878

SHA256
d77fc622d67eee477cb026ad9d1454dc982e222058869f4450ab341fc569c8e5

SHA512
530bec99ceb25f1497408ec95dcafaed75744619ca9cc30f8c392b43ed09d5c50fc1286d49a995ad289780c1df3d23900c50907f421b7c903d7cb4e771d23536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16e1955217e3aa2da7a652c2570cab71

SHA1
46c812dc09ebc21ccf1360d97d6c02992ab9e47e

SHA256
0f21394a53eae1a129cd86b04d0ef3b67a2c3ae65b24a5efeb4d00bb8cf7d038

SHA512
d8c521e7768abc4827d533bb2e5dc989e581fb50043fe5b3db2a8ab389cb3c25a35cd211b005915394adc1b487a06ea8930fc9b9108896f092d4517e236c800f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb6c8e014e2e039089b3569b2ad31ea2

SHA1
8c6577133aaaba7bf7e333e9056f07e778a43790

SHA256
dad13bcdbbdd773e82711e321e878bb85025c0ec0a686493ba03843bd7e9fcd6

SHA512
30f793f92cad9df65aa786be3c7ae998ee4ed7a191b6cffa86eb63f95856ff8e239bc60c5fd980cb196ff287fe510fe8141741b860903744360ac2bb64533258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d796fdaaebb2b2f8103942feb8740344

SHA1
c09526880fbb7a7711c969979084a091aca94c02

SHA256
504b4540c951098a91c95e9ccd28d013defd0be75c3f3bada81c6c7c98b12432

SHA512
c38d4693d0a5af98457f7e2357ca198144e980d358323e23a740af1c5dde05657a5c56a31d8c59aeefd8d47ab54a1a6d742d14cb6008c8c9dbacecf0e66fd556

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
faa56372f33db4ba499b79b03a509c9c

SHA1
0114bca3e8491e8920daf2bb2be4a668ff60dfa2

SHA256
9d440e5b6dd1fa245b8d5f6b66077d4baafbc66290360c9330e7c5d674db407a

SHA512
bf9d388b4bda78d79833defc94f1769132045f3720a2ad244995a04b65da9873ecc6e4fc536427a4eedb2c5b96d72cd4c5227834fba63d098702087f5e74c7f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8b9dec5f0472bb62da842423aef6929

SHA1
d4e6c8c8ca06792cb27317dcdb397f89ca386d35

SHA256
c0a03ad11ca2fc01cc0253ff933fed4343d5b48e694b8b5811b208d06a4a8d26

SHA512
ab7aa42bff90f227bd14ba216f37aaccd30187ecb587f194fdb29ded329e7b9c2d1fccb6a7240abe0b90fff096e60d3f674b5a2c5a8901f24a5936aba80f1c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1d7b5fbf84e62c5ac12d10c6054e7fb

SHA1
e955a8044154d3736cba68bef9a43807407436ce

SHA256
29656620ab2f76a66b291290c8391b798cdb914e3928bcaaa2c2a0e9846e6786

SHA512
c1b90e04271ffa990448ebb5941087f5e1ac1e0c83249b0420d1e2eb7c8937d8f6a22a1ca541ac1c367ef871978a80cfc994afd93abcef70798e62013198ffbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab35A3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3695.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit