Resubmissions
17/03/2022, 11:50
220317-nzwrgadcd8 1017/03/2022, 11:47
220317-nxz14sdcc9 1017/03/2022, 11:43
220317-nvn6tsbfar 1017/03/2022, 11:40
220317-nsw4nadcb7 117/03/2022, 11:36
220317-nqrfdsbehp 1017/03/2022, 11:31
220317-nmv96sbegl 1Analysis
-
max time kernel
141s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
17/03/2022, 11:47
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://1drv.ms/u/s!AnWE7BCdi_7hgxBogqt9g3XXAdK7?e=C53B24
Resource
win7-20220310-en
windows7_x64
0 signatures
0 seconds
General
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a000000000200000000001066000000010000200000005459fbde921226281236d461b479a82f74f7fd9066ccdd62d205abd2dc00e727000000000e8000000002000020000000284b734aa08d0058b1c954573329cb23d4349c9423ee28a18c3171570db60f362000000029d224600f108628c63fac308082cf0f46b881faaa7f59ea0c7622aae0f21dbf40000000d2efb418c7514e103377f24039473b35ff1456c9fa4c01e9595632680869cab3c7f0bdb61829197112062d54c49fe75cd5941946a4e4fe7dd52cacedfd69226e iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\onenote.officeapps.live.com\ = "336" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3638581380" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1621" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947828" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3638581380" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\onenote.officeapps.live.com\ = "413" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = a74ca3d5f439d801 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "336" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "1794" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1653" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "64" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "23" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947828" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\onenote.officeapps.live.com\ = "378" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "16" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "32" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "80" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "80" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "447" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1536" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\onenote.officeapps.live.com\ = "304" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1605" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f323031e69ff0a4483a9b6c67c2edc8a0000000002000000000010660000000100002000000094d1382bd30e623e505ac7b81a3fd51ba9e9fbc65ecff1586971765f9b60065f000000000e800000000200002000000067e2572fafa22f1d090ec2f0ff3b7a08b3800e628e864b75df9bf07746cd89b220000000f425d81e58066c8cd002be1d2967ffdea19152172bc49377f2c579f06f300a99400000000fda3145c1d4f59367b930add37d6e20998502c4b1796a32a456835052e8361a87a15084d2fbd0bda58dfb4947737fd361de891a1110dfa49464f73baec5f4a5 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1635" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\onenote.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "9" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "9" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1612" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "43" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.com IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "360" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\live.com\Total = "512" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "64" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DOMStorage\onenote.officeapps.live.com IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 220 iexplore.exe 220 iexplore.exe 220 iexplore.exe 220 iexplore.exe 220 iexplore.exe 220 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 220 iexplore.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
pid Process 220 iexplore.exe 220 iexplore.exe 1728 IEXPLORE.EXE 1728 IEXPLORE.EXE 1728 IEXPLORE.EXE 1728 IEXPLORE.EXE 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE 220 iexplore.exe 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE 2324 IEXPLORE.EXE 1728 IEXPLORE.EXE 1728 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE 4452 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 220 wrote to memory of 1728 220 iexplore.exe 79 PID 220 wrote to memory of 1728 220 iexplore.exe 79 PID 220 wrote to memory of 1728 220 iexplore.exe 79 PID 220 wrote to memory of 2324 220 iexplore.exe 88 PID 220 wrote to memory of 2324 220 iexplore.exe 88 PID 220 wrote to memory of 2324 220 iexplore.exe 88 PID 220 wrote to memory of 4452 220 iexplore.exe 93 PID 220 wrote to memory of 4452 220 iexplore.exe 93 PID 220 wrote to memory of 4452 220 iexplore.exe 93
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://1drv.ms/u/s!AnWE7BCdi_7hgxBogqt9g3XXAdK7?e=C53B241⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1728
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17426 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2324
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17440 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4452
-