739d8e382768ca1c159c50425bc7773bc2e7e3d91705fc41d3b32035b2811daa

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Packaged/Utils.xml
Size

1KB
MD5

73e051427246dd4ca45935b1a4bd7e2d
SHA1

7216f05041252f1c3a9d84aacdf84ef62f1a1045
SHA256

b7b8b412ab1e4f32da8a7cd42aeaa6e7d8d340cf14977d3e87f7d8f5eb689b0f
SHA512

3fc10dea91962244389214d189c141466f5630e99b01af5761738ce884df14050cd08a43802dc45bbe9117290c34143b85a75694b6301954b51972180dca1e36

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B6772C11-03B5-11EF-A6D5-5A791E92BC44} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2296	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2188	1640	MSOXMLED.EXE	28
PID 1640 wrote to memory of 2188	1640	MSOXMLED.EXE	28
PID 1640 wrote to memory of 2188	1640	MSOXMLED.EXE	28
PID 1640 wrote to memory of 2188	1640	MSOXMLED.EXE	28
PID 2188 wrote to memory of 2296	2188	iexplore.exe	29
PID 2188 wrote to memory of 2296	2188	iexplore.exe	29
PID 2188 wrote to memory of 2296	2188	iexplore.exe	29
PID 2188 wrote to memory of 2296	2188	iexplore.exe	29
PID 2296 wrote to memory of 2872	2296	IEXPLORE.EXE	30
PID 2296 wrote to memory of 2872	2296	IEXPLORE.EXE	30
PID 2296 wrote to memory of 2872	2296	IEXPLORE.EXE	30
PID 2296 wrote to memory of 2872	2296	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Packaged\Utils.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec034deaa5923ea56ad45a54385fc168

SHA1
a3a6407c9dbf1506f2d15225c62e703a1512bc6c

SHA256
f96052e2618ff2b15c5d0a1f873fdaffead7d29e0c3a685291b9329675ad732c

SHA512
977152019d4d399cd10dd68f7eed5dc1f15beae9d1d420e5413064fffb59dbc30ce6ce71707b21ca8773ee031d32377044794481993d1864f6df9440e88436ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ae2a22ec42338fb04977fb152504a51

SHA1
dfcce5dcbbbfffbad495605e48aeee154585b4ba

SHA256
1436e4eb33aff48a2ab33e3a791ab7c640b82417171b4877dba6a9e3ab4f6b90

SHA512
c425dd4118457b969cdcb5e65316a22be138d03db4e640750d694e4ec6857fa2378a44d980e8d6b2458892ef0a948053c5a642d3c11560a9d9e80f3471b789c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
070052799b09edbc73cdb005c885dc11

SHA1
7d95a47dadc4f4474c02e9b341b34b68e4918251

SHA256
38df1663a93d38acee6dff7cb06b6edc9127e441c585731b5ab8780b24001e0c

SHA512
605d154fe243dfc52edc44b69d376780bef853349764e8445aae674189b10f5ed5ac22c4b61991c5fd86e1b010e233380606700caa595307bfced3dbb4a37de1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1242788ada2e82f1a947e6807b654207

SHA1
f348c4905bcb2654630902ae49c1ef00694b7728

SHA256
47e47edfc45dd059400dc71eecdfc9a4eba9f3d5739eed655eb96aecdb228d2a

SHA512
f96c04ddd7e232375b8a8134f70ae8581606232f6787911db39064acb83910b44259cb992f7863256add150a7bf4a9493c687a82addfb574611353e3caca65ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90bc7403e2b23fcef5f05edad86ba9ba

SHA1
6aa78d47aaf7d37a8a71dc2f3894f931459728dd

SHA256
9a7981265a4ddeb3a42c507348673229e20d4639d081495901f20355e168a500

SHA512
6c72191d01c91c11e74b51346342d052ddfe48a149b1e9e877febffb843f4810fb2ed2eac0a274fba79d734ee1bd1698af30586043ca0e6444e3652a802811d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09d5918aec6619ee1a5cafee7d8202c9

SHA1
4caf2669f1b42ed3328d3a793b5cca645b76d181

SHA256
6bc9627c12ff57237bbd3de6ad64a54bdf30fdafc3c224fd8fe95b47928c2577

SHA512
f8c3462770062d4e0c2480d39b49af2532b3f9c5b64fb370c118e21754726e6aac2d1917f1b4027f7ddce9725258acbf2afea9deb8a55c361d3fedae61d1ab9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f6b03696120112e5f674dc184bc2ee5

SHA1
9194964ca1af8b7ba410d021dde2e913c4a40578

SHA256
a71cf840006806d31b3b7ff833d03d1c79a8fb76a05f2a04b2a16bce313634f3

SHA512
50bbaddcb5bbb189756b02b8a3380de8b47a295a8a6dd4f249f9901a6ecfa527af6d0f624f5d09a35bae91ffc0b74473c05ab5b0d690ebd62ad1acf345fbdc97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2047043258c2b2825b14b27516744f0d

SHA1
4d60436c3bec2a8e4b73f9f2aed19facef3f77b1

SHA256
2279c4e5f93e15fcc6053921e6e7d7b6efb4101a92c2d3774971bb37c5a48a77

SHA512
b0fc24691ecaca47699442ca29af9798bd4c7d27e888dc94b77ea1a3be86f6d060c800cb73db288fe6146596091c962be1f5be2d100ef2e7891ceaffa2c5078e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD25E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD3DD.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit