Analysis
max time kernel: 121s
max time network: 133s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 21:03

Static task: static1
Behavioral task: behavioral1
  Sample: opensearch.xml
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: opensearch.xml
  Resource: win10v2004-20241007-en

General
Target: opensearch.xml
Size: 536B
MD5: b7e32da2f991d892126ce43046af1c27
SHA1: 6b46683e4a6c87f485f832dd5489566110f97617
SHA256: 2776acb416038d5af1e52506e080e2c6ed643095eb9d9dfe9ab91dbf726d70c9
SHA512: 47b382bfe6291b6fad6764a6477a9826e120c1aaa3d9e1e151accd09d616c84593caa9b1cf1061245bca62f89cb8c5a5daa237d9dc10de711fb2a48f81f9de08
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSOXMLED.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2920 | IEXPLORE.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2920 | IEXPLORE.EXE (2 entries)
2268 | IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2504 wrote to memory of 2916 | 2504 | MSOXMLED.EXE | 30 (4 entries)
PID 2916 wrote to memory of 2920 | 2916 | iexplore.exe | 31 (4 entries)
PID 2920 wrote to memory of 2268 | 2920 | IEXPLORE.EXE | 32 (4 entries)
Processes
1. C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE (PID 2504)
   Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\opensearch.xml"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2916, child of 2504)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2920, child of 2916)
         Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
         - Modifies Internet Explorer settings
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2268, child of 2920)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015