739d8e382768ca1c159c50425bc7773bc2e7e3d91705fc41d3b32035b2811daa

Analysis

max time kernel
1563s
max time network
1564s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Packaged/Main.xml
Size

1KB
MD5

7b53ebd64e5781e02eaefb6739a6b556
SHA1

d5332b200cf5dcea0419afdb66a15d89b9eb619f
SHA256

b975c9251ef7394dcc69f49e54dc5aa5e8df32f9b5e8c687484ddd840eb94d20
SHA512

c4a25c07e19760547e91818ba6e9ec3fe89206c29429668731c7563b7407cb56d8c0adca519bf96dc82a1631e82cfe63b68439cad4102ea2a1df438bac8400fd

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a89270c297da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000d49bcee242a83b729a79b51817adaf7c94d7af6a1f7b3049e3f4e1b8a80ff9a1000000000e8000000002000020000000968a1b22c0510a6b1a913512d676d8294f0b336d4b83e80acc0a6defcf2aa9e690000000d497fe9cfc42f55b599913bec482f11c5f05e7d1563a1b43ea3ae5a1f3269e3143f1c51c81176983983e5cdad8c9bd6d39c62851ef39fd6c09cf321b658ac1f594724278b5392bbad80910ba5c3bc2689b180059f41442d97789c84accbe2e3c8b85cc1a662fba16a6d2361a7ace42c59714cf410acc47c84d7c5973bf78367825cd2848bbc7f681d769466d0658f9ef400000004dcf4aced85a1fa2cdb9008804db4abaacd6eddf636e04b1e7df758bbea6d5aa76bda92b5c148b7152dfef538a2108d76cef8342c0d5759179b9dfb62a901992	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000949f19dcad5ae81b6db8449e7db42acc5f5666d524dc86fab6e59ce869b4b0ac000000000e80000000020000200000003c985139a395bc239f7fb109bbeb13b7923e2d7c28898d87a1e173593351e694200000008f58363f3b622a1b8601b7b2b13bffbdda40bf3e69aa1a338b72591804b47cdd40000000ac9ac56dd82d10263c13815b5823a743d6eb25ff897b264e75a2d98acf118071162ec5fdc3d4565d41bf490890367f961a58c4fcd3ccd479f4ab1ea49fb1e7e6	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420288272"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C24A591-03B5-11EF-BECC-D2EFD46A7D0E} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2148	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1980	2928	MSOXMLED.EXE	28
PID 2928 wrote to memory of 1980	2928	MSOXMLED.EXE	28
PID 2928 wrote to memory of 1980	2928	MSOXMLED.EXE	28
PID 2928 wrote to memory of 1980	2928	MSOXMLED.EXE	28
PID 1980 wrote to memory of 2148	1980	iexplore.exe	29
PID 1980 wrote to memory of 2148	1980	iexplore.exe	29
PID 1980 wrote to memory of 2148	1980	iexplore.exe	29
PID 1980 wrote to memory of 2148	1980	iexplore.exe	29
PID 2148 wrote to memory of 2604	2148	IEXPLORE.EXE	30
PID 2148 wrote to memory of 2604	2148	IEXPLORE.EXE	30
PID 2148 wrote to memory of 2604	2148	IEXPLORE.EXE	30
PID 2148 wrote to memory of 2604	2148	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Packaged\Main.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ceec18b67bc3c74f5739f985dfc82e9

SHA1
b5700f6bf52b5ee327fa6b9c28264880a068381c

SHA256
88eb9be58d2894c6a2543c51182cce82d521f643473b9b049602fe769173b0e9

SHA512
7f7c3ef135b33a4e15dca72c6ba99a582019376c3bef71c047dc28915e3d9f78f4b3d19cfca3ef53a2fae91102c07b34ea4426b8fe95caf56e224bdbe14d2aa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
755d57ba554d45e2c7e1e3a1998a0c6d

SHA1
8372e1958d4f4866fc9a3df1dc6a87269d841669

SHA256
3c893965e70d3c17c1cc1998b19e61526aa08deeec43400d55cb7c6f5bfedc00

SHA512
c918a455117e4f56aa0726a22db4b6d6a54eb2f10b569304f7c2413ec44300d95339411e3a695c8edf7056f3b2b26125354ef6dfacf4a1dbe1b5a6a592a2fe3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f23785bab5fd97461c2edee646b7625

SHA1
1da8f94d0dc9f08a76aeae2e1f1003c3f507f92a

SHA256
4760ce8f7e8e472eeff0090f78dd2674de1c7e55a8172e2eaf7bfa56593a0010

SHA512
635da75c2ed92d35b7aedfd1f22b2276feeeab6e29ca2712e1c6c7581bf8195fe5329542f302eaa4f52bf36419c24fb95848cdab44d704bec725a2db302cfe27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87b9c1189795adba05acb31fb9589e3a

SHA1
d2fd55763ba5834e1418a61dc94689e8376af07c

SHA256
23a632b4be7e770b902a1de3317584c582132c4370c7f4c1054b01b427bc3f27

SHA512
35d4da217c3cecba19dcf03409cd74feb831cab0eb3cf395e9a592a9e13aa901b0ebfa34a1d4d328a6a8473941c422b21828b72753f4cd5506bf739450b6dabb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9549023fbedeafca92b7a88c16b6b854

SHA1
3d7a12418f6bafb5197df434beafb9d1cc91c12f

SHA256
fbf4d720f879feb1343a6ed6642a3fad0317452f30a6fcab1ad44a64856fffd8

SHA512
4b6a6b2d40e4049313cfab8ebbb0e6609633d8b655b17900b3ac88e2ddf9451b03e661db1b8704d92a4658deec0f4d7f71d1a7688e6e70398fec9caf99bd10b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88bd618d17eb2747455048ae9fd460d2

SHA1
51f773710c1639feddeef30cd5a0d2498ccd637e

SHA256
26a3e39220ada23d98237d51fef02a465160b47b2514d50fff36b4da7e72f13e

SHA512
f8461d9d1775e700d1c09433c3e1019b3ab35520558769dfa0bece2201678bdeb33eb907c87cf163b152b302a4b5b7eea6437b911913f1f8669681e91d911314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5730401c25c646802a3284216204dac3

SHA1
6a79ae0e33bc34926f42da22b6cbde4c765f5e0b

SHA256
4f046a7b651caf769c395c4e9ea920423bc6fd23f912c83a15efe22afab5dcf7

SHA512
f40b518f5043dfb3955b01255e31d4915a0215e53122c7816a6891b0d5ddd8db6cf4ef4378c46990a58a801e063bbd9bd04323e4af1bd4c98a197590a2f75119

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc35be910f1d9d7ca354526046944a6a

SHA1
a9b259be5ec7af86defd77bc458fc0d0db4d6287

SHA256
5b17fe816e21d1bb4fe5dede247b21344a839d21e7d8537837b321ba81afd843

SHA512
f43ff98272607758996aefecb09210331a903e0d47b721715b5b849b3ddc3580aa907255cc5226f9ec9f20869ede7848b3ee37417d5015614b2d28c868df0b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2713.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar29B9.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit