08f954abe8213cdcb39cf791b0bd8b172401e0b02757cc17bbddfea1237c5fea

General

Target

p1[1].php.xml
Size

24KB
MD5

dbc5eb61684510fb9bb1282e1ca2e16e
SHA1

53c67abc3374ec69dde3a8657a357432a9b769ea
SHA256

08f954abe8213cdcb39cf791b0bd8b172401e0b02757cc17bbddfea1237c5fea
SHA512

3a2ef2d45bd75731a6e0130052aa7e1a96f6656c9f1c9f69cb3b153f5c7280361e53571b76d182bef69e43212f85adf9c1108baf835006d6d0410dcca881328a

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70283b4b847ed701	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "333673413"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c5b36cb27e04349b276f06969fd06a6000000000200000000001066000000010000200000009435b488840cb3faa2e7d211e112511ab0e46c2750437a3b600966c69dd0be09000000000e8000000002000020000000ae62b9091af55f33b261686fb31dd0d2193658569209ff598db153a2b59270af20000000dc566d5d36778dba84b9c5f2996ea9169001212fe4466b9024300a359b59b7f540000000b4337a05228a1b510a3e559be3164284beb72ef3847489da62baf1c2869303eaba8f6d84d28ad807651bf89a258477c4a1c4df076fdd3d1b0e8e0f527d539052	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7522DDF1-EA77-11EB-9947-C2D62708C606} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c5b36cb27e04349b276f06969fd06a6000000000200000000001066000000010000200000001d5740462f9eba16782ca17a77884a6df32eee6b31c8127fd2dfa60f82117d89000000000e8000000002000020000000a89c81444318a524eb9c0ec1321f0a029a7b2a591b3d3978c4701f56db0e4dcc9000000056637fb1439c494d0752e9835add59b7889917dcbaefcc4328c5168836b86678aab2030503960800f0f2c7afdb571786991aefe18b871baaaa09b3bbb2a92a8f78d7782a4008ecfb1cc20c7e85f2cbcbed1d10abef4ba24d282160741cb0353e0b3cf3f52ccb7aadd4f7554aa5492483ea3b969ddd5ae1bccd354c4c62786ba24e942b5c249da48440d4b737fc277da840000000a91584adc42f1c493d33ec781a6511d6ddc5558232ecbab132cdc40e9b36a1098a4d4dc98e21f3b96a29b729d35e95073d8f245bff3c587dc7c98290e15bfbf8	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1888 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1888 IEXPLORE.EXE
1888 IEXPLORE.EXE
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE

pid	process
1888	IEXPLORE.EXE

pid	process
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1892 wrote to memory of 1992	1892	MSOXMLED.EXE	iexplore.exe
PID 1892 wrote to memory of 1992	1892	MSOXMLED.EXE	iexplore.exe
PID 1892 wrote to memory of 1992	1892	MSOXMLED.EXE	iexplore.exe
PID 1892 wrote to memory of 1992	1892	MSOXMLED.EXE	iexplore.exe
PID 1992 wrote to memory of 1888	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1888	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1888	1992	iexplore.exe	IEXPLORE.EXE
PID 1992 wrote to memory of 1888	1992	iexplore.exe	IEXPLORE.EXE
PID 1888 wrote to memory of 1680	1888	IEXPLORE.EXE	IEXPLORE.EXE
PID 1888 wrote to memory of 1680	1888	IEXPLORE.EXE	IEXPLORE.EXE
PID 1888 wrote to memory of 1680	1888	IEXPLORE.EXE	IEXPLORE.EXE
PID 1888 wrote to memory of 1680	1888	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\p1[1].php.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I56J3LEI.txt

MD5
f100502886be3040b8161ab517495370

SHA1
0cd4d886ec334c37380d28f3b834cb564189609f

SHA256
a9d53fbe7c211f49b3044c28b2903f11de2f6b52565247de604506ade5807632

SHA512
9929a0e4e4a10996c9ec459429cff885bd0ba1551c7d73c79ff4cb5150d264ea595e8e616845bc8337398cf30bb7f0ffe3dc47f3b6e7ac33bea5bb3ecbc72657

Download Submit
memory/1680-64-0x0000000000000000-mapping.dmp

Download
memory/1888-63-0x0000000000000000-mapping.dmp

Download
memory/1892-60-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1992-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing