965915376568ddfd2a20dea2884023d5ea71fd20fe7f3d9a98f06af653fa3254

Analysis

max time kernel
135s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965915376568ddfd2a20dea2884023d5ea71fd20fe7f3d9a98f06af653fa3254.xml
Size

303B
MD5

8dd1caa3180460b5f163e3c66963304a
SHA1

e4be1c5ff39c4139117e77b8aaa944e3785d208e
SHA256

965915376568ddfd2a20dea2884023d5ea71fd20fe7f3d9a98f06af653fa3254
SHA512

9cbd2067b587849105f6ced234d135a39f983166a5ea016531dcbe75fb30aec812461b7ccff6a2cdb18a399a724dcea82935afc001709cf4f691ce8b56744a1b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ab826af5dbda01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{95FA91D1-47E8-11EF-98E6-E649859EC46C} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000006fd435ec8ea82d8f571238b6f3d489ad976f74a65e79f6b69b0badbbbaf3efb4000000000e8000000002000020000000fe9b9f060ba18ef9cdd69ef07909ecf42673b9d18c1437dcb69974ba3c076227200000005713fe7c56cdc1f3cac59622fa35b6a4bb9f0bd4444bc6e23ee3366d737de20e4000000034a58bd77c7a67a857acfd8d640beac589737e38875ad9ae59b988171f22c93a16877d225b7e17dfbb7c39d1461cc040480322632684e09b15781630fc1cfb86	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000a726b426232ebcc9605f5c74c9dc87e3548f06bc5e9a91483081d0e651fc1256000000000e8000000002000020000000014a84780c93d3eed49339cf239aeabbd3113a669e05c45a6b4b8d3af7fff9909000000034b99854d757ca625f4bf4d513b688c71b7f0fbada55909aefac9680c2d521bdc3f8a2109403ad05c7dd470d0657799ceef44f58acf3d15b1d915da30d651212d67ef0232c2248516eed05087694cfeadc9a0bb02717a69ce9d1a18a9e0c7e50ebe4239712857d48fd3acca93d18e604883dee95fa53787946c44b1ce8d46a98e1dc80f6db91113facbd247d2d46ac9440000000e436157ffee632c3be47dfaf7ec65efddfbd5196be15b5bb5f9f357ad7fb707d4e3011499b0dd9fe4630d748bf98d67cf01afee45c29ecc56414b89f1e736733	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427786843"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
352	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
352	IEXPLORE.EXE
352	IEXPLORE.EXE
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2124	2016	MSOXMLED.EXE	30
PID 2016 wrote to memory of 2124	2016	MSOXMLED.EXE	30
PID 2016 wrote to memory of 2124	2016	MSOXMLED.EXE	30
PID 2016 wrote to memory of 2124	2016	MSOXMLED.EXE	30
PID 2124 wrote to memory of 352	2124	iexplore.exe	31
PID 2124 wrote to memory of 352	2124	iexplore.exe	31
PID 2124 wrote to memory of 352	2124	iexplore.exe	31
PID 2124 wrote to memory of 352	2124	iexplore.exe	31
PID 352 wrote to memory of 2176	352	IEXPLORE.EXE	32
PID 352 wrote to memory of 2176	352	IEXPLORE.EXE	32
PID 352 wrote to memory of 2176	352	IEXPLORE.EXE	32
PID 352 wrote to memory of 2176	352	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\965915376568ddfd2a20dea2884023d5ea71fd20fe7f3d9a98f06af653fa3254.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
690b60cd1e66946ab06709dfec0073b3

SHA1
c50b3246cd68883663d2eea81b47a38d1d8d9dd7

SHA256
a6093a42d033c68991ad36d0bfcb86ef07de0f237caf244f8748755e67a1e780

SHA512
c6fdd158ec062d2d515b9b7118f4947d482ce10c3ea52ef8e3301d4451767d50580a68527d88859006c4205ab23a1167a844bb1816109e7e2f6b1a80cc3828ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
477c7f3cd46f930e634e7dbe42763a3e

SHA1
dcc755e03bb15d83ba42dbd642bdb6d6c627c2d9

SHA256
332286822cd3b982e364541f00b965e170d7419e08750eeb3f81531cc813c9c2

SHA512
9e6437eb69d7b39ac5e37ede7dea9bf84be999e953381d043677d4c82989ea31fa13327b059b02cb1285cde9370e5d1fca5ac80093a1cfa6904d8589ca214a8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9030fb7b062873ca101499a2b08f53fb

SHA1
b28ba28e981681cf84d210dc256e03542538eded

SHA256
7f1068e4ddac945424d6c1ccfadaacc284627550012ab81fb1f0b251deda43cd

SHA512
965d7bd24777b0f7d30f520f762e352a63be30fae9244931d595d2d2adfd6b58358ae971a9ea5d2b6b1ff1189208f2aa46e5d8d5c8d476fb885625ecbe1542ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd1b048adf8cedb3c9dd6f507efbc40f

SHA1
4e33968f786b33b58d26a7e74e523349010af6f5

SHA256
23cbf466076f1453e53e4be024c1b98406060762d639978c3d4b5e24771c7263

SHA512
b2c1b15ab6c452f58143c009140834bc583ec58d9a10319c79eb892046bb5b047bf866cff0d73acafd0164ed3bf3c436ecc2f3a1f62bf382ca33f61684ea3d5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc6b2ab8186c7e36770901034e84aae1

SHA1
01b2bb5c6f0aebca81ea7ee09497559783b610b7

SHA256
f23f05974b73fe48ec44e3886cfcd01966de85ccc76d56fb1ef6a8817a95203e

SHA512
13b68dea5fd91289d86e7775f013a1e9bf2abee41d82357fc7d597a98f153ef0d8862727989fd6851547ba4f9ad33ebac07cbf1eff2ba1e455228b64a6df17c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a073396639fdf0292d1702a2c5a3967f

SHA1
be0df9d15f07651f89ca92129591a7830d67b77c

SHA256
479f1429db23cf67dbf71d109ee61fd0084d286fe394a7706b89442ad1a9d115

SHA512
c773ecf3e1d221b15d0fd9dc725129e6aa94a7ea465b1ceb36846ab5343f5ace1a88d9828a7f300621328bc0dfa909114682fb740f037fb7634eccfb6325f66d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfbc856005bcbe9fd5cbce12baafee17

SHA1
5438b93ab2f60f62bb3696f43cfb1cfd66eb95a8

SHA256
ecb7b63cc699105c06a9e2b5b3bfee71624d95c780f9a4485f682a93ae825f4b

SHA512
19054d8eb0c8293fb5e3775005be60d88a6b82654dcbf006bdb6a532971d2f1f8d88640ecd957610f6d5aab61f9491ddc650aa1792381219893c274311ba91e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69188df22a6be355dce8a4011544287e

SHA1
66c37c7ce51cd4f15886bcb82106706178a6486e

SHA256
3048b3cedd3c9c1a93939e414773523ec5fea33e3e7144f76c30956e248214b4

SHA512
3f11a19b4e60688d29bc752f52f20a8a1d8badc8f4edead2d2145f9de7d2af16fbee7a4b86dab8a214513e079e9c9895bc0614809a9f6e1391739dcfced80745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcffc67cf44808dcaa439cf7c117e185

SHA1
6eb9cf6c5b06f9d264c301feb5d273a015195b0f

SHA256
ccea930861390defc164df02ab56a735b8cf24aabefecdc92bb18b817be5fdf6

SHA512
93953e880e77678b2cd2436a002dcf8eb7491e2bc5cdceda98ace6cff3c789400c524bbb7f8d0ecb340d465bbb4230cb069f796f0c5615b2ba136dd99d98e88e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e250abb9a118116b56df0a2cd2abfc90

SHA1
acfa97cfbfd5d3646fb8aaa92d9dc4fe3728f8f3

SHA256
2c7eda55cd8b1c569f1ba7563d44e527c3a2e556d58e9f8191be91abd950b16b

SHA512
452144642be00c22efd2ad2d88391db02842e45967dca77b49a0ccbdc171393af6a0ab5f449165124f6c9417e4c9a24eb619bdc72d64951b7e285dbb925e92ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d3c94257e0e245c1771b79c8d45530a

SHA1
30e4675a050f16ca97810240fa25d1196cf6fc1d

SHA256
e13aa314063af89d54acba482f8d19704334bfdd6bbb8666c7a090a54d343939

SHA512
74f13972df07eeefb8356ba82e15fe1a2c7682d9bbd5ee0873e52b2035f49fe2c90d87044ec48c26e26ddd8a3243f976dda0e66e3b6582a890508f9d85c4f0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB166.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB5BE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit