c72289d015d5661eea3043a76d53c92e72b164527468a3b547fd3e8585fc1cdd

Analysis

max time kernel
233s
max time network
261s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

assets/css/fonts/glyphicons/glyphicons-halflings-regular.xml
Size

61KB
MD5

32941d6330044744c02493835b799e90
SHA1

3ef91859cbec165ac97df6957b176f69e8d6a04d
SHA256

d168d50a88c730b4e6830dc0da2a2b51dae4658a77d9619943c27b8ecfc19d1a
SHA512

c4847ea43f1de7621fda5e54211f313c90d5aa043e39cca99a7c24842e69f3ae20ae28c47f5046b5d9d89872e2b8c1a49e74db3fc40b61aa1be92be1a2c637a6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002ac9f8316cd801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd400000000020000000000106600000001000020000000013e9ebf408e7199453711b7d08656da02bbbc200bfac1145c932b0310157c86000000000e800000000200002000000067c1bd05515ccfcb38023713e015ea7b571713d03c946d5c21f7cbfde5bef647900000000db8b03db7891d0b558b75efa5e8f7f730f3596a45e1912f79550c581bb548d4abb187dfc481016847a84d9447f9471aac6622e25abf4a9c43b49c4f72d58d9274bbfcf4b2a3fa314653958fb71bb07e4bfa20f57ba931cef6b4213c82e9822c1bdba144cb1024ad8f66452d3c69b38257b20a0f4146a3a11ac44c03fbca2074dda01a465e8d956502463abea93134eb400000001df1bd929f58360daa334f1320a59b006d040acd9319ca3bc3186b1f7c3fa95e3e4fe4fca8bf6ce4b01b531c3e0c3e47ed53c506cc3e10c0aa4b5e43e3da65f2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359806442"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B7C47D1-D825-11EC-829A-4E0428891AFE} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd400000000020000000000106600000001000020000000694e2c63f35d3073018c171c4230d221239fe76aac85f11a2db7f7b23d22ae0b000000000e80000000020000200000002c85087131374973004280270c69ec6b5a10af88dd5a64906b074641d692f1202000000010e3346777abf568766123963fb5953416e1ce9c387e1918aba44f6f20264db34000000014385632db2e80d18c6d4d829a2210f85429a7f4d282222ffbedd5085e69b1d77d567ca298bf174dba75bee9d7809699c46cc0920e7c40158760ff98fc5721af	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1484 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1484 IEXPLORE.EXE
1484 IEXPLORE.EXE
608 IEXPLORE.EXE
608 IEXPLORE.EXE
608 IEXPLORE.EXE
608 IEXPLORE.EXE

pid	process
1484	IEXPLORE.EXE

pid	process
1484	IEXPLORE.EXE
1484	IEXPLORE.EXE
608	IEXPLORE.EXE
608	IEXPLORE.EXE
608	IEXPLORE.EXE
608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1580 wrote to memory of 1808	1580	MSOXMLED.EXE	iexplore.exe
PID 1580 wrote to memory of 1808	1580	MSOXMLED.EXE	iexplore.exe
PID 1580 wrote to memory of 1808	1580	MSOXMLED.EXE	iexplore.exe
PID 1580 wrote to memory of 1808	1580	MSOXMLED.EXE	iexplore.exe
PID 1808 wrote to memory of 1484	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1484	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1484	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1484	1808	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 608	1484	IEXPLORE.EXE	IEXPLORE.EXE
PID 1484 wrote to memory of 608	1484	IEXPLORE.EXE	IEXPLORE.EXE
PID 1484 wrote to memory of 608	1484	IEXPLORE.EXE	IEXPLORE.EXE
PID 1484 wrote to memory of 608	1484	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\assets\css\fonts\glyphicons\glyphicons-halflings-regular.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JHU7SUSU.txt
Filesize
599B

MD5
2f5feaee4d04eae54f20b9c1ef6e735c

SHA1
d93f58b89190acdfe054d19e78724f94b5a66255

SHA256
e856f8ae95e1d5d916f1c4e9984a1a1ca968245968f0ac6f891723a877574bbd

SHA512
613ba4d12bbacff2c76eabc29ed99f95bf94d195a4fa4809f6b4183fc85f01e4cb646818e9b66c41b9fa9040cad9c21168be6a1d925e8f0d116dcdd179c6406f

Download Submit
memory/1580-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download