868d61ab45680a6fb0ee0cd78f47a39858a30e326c97ae8e1ff5d0937b6e54fc

Analysis

max time kernel
135s
max time network
216s
platform
windows7_x64
resource
win7v20210408
submitted
30-08-2021 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dhl/dhl/images/img.svg.xml
Size

1KB
MD5

3fecc9db35d5d2a9e6e71ab4b02d22e5
SHA1

628ba2f505b480097445aaf08649a08242bd6847
SHA256

362bcaa42090e36611031bec6bdaa0600375ef847092cca195c58d3bae9b4419
SHA512

c0d70d0f914d3d9f29366c9886f174580675334ec79ba77158c4cf184075540dd7d25b3f35f7129c1fae764527574daec29f5fb8434817ccbef6951b332cdd5e

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B104B8F1-09B9-11EC-896A-766459B397AD} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f3f292c69dd701	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e3b5c59e1d93441a52c528b6d82560600000000020000000000106600000001000020000000dbd9d514f92fedac1b657a8531129e95107c978c8e032a68464987391fe3c53d000000000e800000000200002000000035525ed5228a0b5e4b4823ae70604fc7ad39edd1ac4b9291ec392030dec99ec590000000d950f48a0509faa98278ae80b65fc179ccb31c316d7ac317c2033ff497a80711639d347f1d7e91d65c8d8fa1a3e014b3b68ce3f922dc409f49a71fb6d07b427ff4dda898d61b8bcac729f00321940672bb654572141eb9cfd40f588340b56e698fc2acdf5799727349fc32fdb0e39f52b22f7832e65f822d2d3df5d0e90b35547efff4746f990ead872c585eec976db9400000002bc47c2d29cf737458e215c1898d96150f8bd166c43ca55159ed30b7a7b12ac70662eac71970f8811e42541748d70edf8be367b0e42d82b1ce3f33f9707318f6	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "337110353"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e3b5c59e1d93441a52c528b6d82560600000000020000000000106600000001000020000000e3d7c5ef517ee6e56b587a79a5923ed002201809e6aa7b5a4e36194baeaa7fa4000000000e80000000020000200000009acfe83bde33793552ba6c82ebfe6c063f38bdc10475caaea747799757e811d320000000b55f2f258d33e680114bd087e23255ed43065bc2b0fb10084b1af910bffda65640000000e0a59a2e0f0df3f24b4b937d7f5731263c2487dc8d2ae316d15ca5a4911c30ca2ede91772a72c405d89b2127bbaebfbb0030ba36ac5318a49419afc4ccfb70d4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1748 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1748 IEXPLORE.EXE
1748 IEXPLORE.EXE
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE
1680 IEXPLORE.EXE

pid	process
1748	IEXPLORE.EXE

pid	process
1748	IEXPLORE.EXE
1748	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 520 wrote to memory of 1892	520	MSOXMLED.EXE	iexplore.exe
PID 520 wrote to memory of 1892	520	MSOXMLED.EXE	iexplore.exe
PID 520 wrote to memory of 1892	520	MSOXMLED.EXE	iexplore.exe
PID 520 wrote to memory of 1892	520	MSOXMLED.EXE	iexplore.exe
PID 1892 wrote to memory of 1748	1892	iexplore.exe	IEXPLORE.EXE
PID 1892 wrote to memory of 1748	1892	iexplore.exe	IEXPLORE.EXE
PID 1892 wrote to memory of 1748	1892	iexplore.exe	IEXPLORE.EXE
PID 1892 wrote to memory of 1748	1892	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1680	1748	IEXPLORE.EXE	IEXPLORE.EXE
PID 1748 wrote to memory of 1680	1748	IEXPLORE.EXE	IEXPLORE.EXE
PID 1748 wrote to memory of 1680	1748	IEXPLORE.EXE	IEXPLORE.EXE
PID 1748 wrote to memory of 1680	1748	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\dhl\dhl\images\img.svg.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2CDT8JKZ.txt

MD5
9234302c54efcf95b2839952f9864733

SHA1
96b42a765529aecf344bee3b1f29436788e90299

SHA256
ec105a323a5190f37a9a96eebf8584e437cc6dbf8c6cc7f21b017ab6ff1b5b59

SHA512
73cfacfc7f36c1928c98a166b358d85c305f9f806ca07aa53c5a88a75420f3da3bc0ea746d0758a2337f673e83cf4d85b083a583f16900e5a9cd3882c43beef3

Download Submit
memory/520-60-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1680-65-0x0000000000000000-mapping.dmp

Download
memory/1680-67-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/1748-63-0x0000000000000000-mapping.dmp

Download
memory/1748-64-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

Filesize
8KB

Download
memory/1892-61-0x0000000000000000-mapping.dmp

Download