868d61ab45680a6fb0ee0cd78f47a39858a30e326c97ae8e1ff5d0937b6e54fc

Analysis

max time kernel
119s
max time network
156s
platform
windows7_x64
resource
win7v20210408
submitted
30-08-2021 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dhl/dhl/fonts/material-design-iconic-font/fonts/Material-Design-Iconic-Font.svg.xml
Size

233KB
MD5

381f7754080ed2299a7c66a2504dff02
SHA1

8557b1551b91a0dba3ea6273b4aad98885ae77ac
SHA256

dcb3de1ca419903bcee5322ca91f2895b9c6482919423e0cce263d62bbe171ea
SHA512

fc49ac4e9712f3aa53d177af4db6b5a913193ecc8887850c08856a01d684ad96612f11f814b908a1aac296f0675949e2a80ae9f90bba91fad354a544bce06875

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a3780ac79dd701	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{311AA8C1-09BA-11EC-9C72-EA91F6580701} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007907f706af8d5e46b9f1fdfb392f3c4a00000000020000000000106600000001000020000000189abed244ccce2bd775cc94807eed7142db99c0dc300189052d96e506803aa5000000000e80000000020000200000002ebdd9c32f38bd9e0274f970fb9909ec4acd2da3a56181f4afd311946bcd22b420000000155ae1731552d82625f611b00b3660c4fe45395824bffa07b5beb353ec8cb8ff40000000d2b6f9db04e81e364db138e69b0bc661abe43808edbd4642e43861f83b884b67198e12dd4029d2f56cb4876da88cc012483cb61b464b745f57e44a31aca6ea1b	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007907f706af8d5e46b9f1fdfb392f3c4a00000000020000000000106600000001000020000000ba2f0641192b3668420e2e726e39faba37c68dfc8e75678ab1e89b5014bf1963000000000e8000000002000020000000af272286b186fa5cb91bd50bf84ef12b01448c0827c3a7df9039ec2d4ad4827d900000005d94c3fd62aeb2fd6b4418af242d386759898a26eb9a36e32ce24f8eeb320487aa60f90c5a4a097d75c7ff2c6ba3ae3bde3b2bcade9929a7254278aca4b0c40649855125d643185ef4c083a31f88943484d35be202ecb9b72dc26e0a9029ebb254bfbcce18805e8b63668054ef58cc8025a8b1ec4c21ea2b206b28c1bc82e48fcaa1ae2031a829332f3ecfef80d1ffa2400000008a3bae16329d2cefef11dc5bcfa92e51fc5283574de7255e304ace9e3fc295203eaaaf3ad68eac1e71babcd074e363149a9077a461c2adc8dff1b92077f4dcfb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "337110565"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1028 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1028 IEXPLORE.EXE
1028 IEXPLORE.EXE
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE

pid	process
1028	IEXPLORE.EXE

pid	process
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1048 wrote to memory of 1096	1048	MSOXMLED.EXE	iexplore.exe
PID 1048 wrote to memory of 1096	1048	MSOXMLED.EXE	iexplore.exe
PID 1048 wrote to memory of 1096	1048	MSOXMLED.EXE	iexplore.exe
PID 1048 wrote to memory of 1096	1048	MSOXMLED.EXE	iexplore.exe
PID 1096 wrote to memory of 1028	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1028	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1028	1096	iexplore.exe	IEXPLORE.EXE
PID 1096 wrote to memory of 1028	1096	iexplore.exe	IEXPLORE.EXE
PID 1028 wrote to memory of 1208	1028	IEXPLORE.EXE	IEXPLORE.EXE
PID 1028 wrote to memory of 1208	1028	IEXPLORE.EXE	IEXPLORE.EXE
PID 1028 wrote to memory of 1208	1028	IEXPLORE.EXE	IEXPLORE.EXE
PID 1028 wrote to memory of 1208	1028	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\dhl\dhl\fonts\material-design-iconic-font\fonts\Material-Design-Iconic-Font.svg.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VU701JSJ.txt
MD5
adc80529a74fdebc84908f41fc331b26

SHA1
c0cfd6b774b56db33b8ff21dc1e21fa028ad731c

SHA256
517ea1de63b3ea4daebc27f7ab0c4c0f3237bdd40e0f6f53ea428fe0b23d2409

SHA512
a02a6ec58dc6b974b86ebae212ddab13efc40a174a99aaab19f3609a1876f407042392bf5cdd5ecc04e75858a98089ff48e3b80110e3ef64b78aca32350b2a8c

Download Submit
memory/1028-63-0x0000000000000000-mapping.dmp

Download
memory/1028-64-0x000007FEFBBB1000-0x000007FEFBBB3000-memory.dmp

Filesize
8KB

Download
memory/1028-65-0x0000000001EE0000-0x0000000001EF0000-memory.dmp

Filesize
64KB

Download
memory/1048-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1096-61-0x0000000000000000-mapping.dmp

Download
memory/1208-66-0x0000000000000000-mapping.dmp

Download