084b5fe98759c66887bc908a308084f4e5c10931197c24a230d2e8133fe4ec6b

Analysis

max time kernel
102s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-05-2022 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Micr/Microsoft/assets/fonts/fontawesome-webfont5b62.xml
Size

382KB
MD5

d7c639084f684d66a1bc66855d193ed8
SHA1

c0522272bbaef2acb3d341912754d6ea2d0ecfc0
SHA256

8e3586389bb4cd01b3f85bb3b622739bde6627f28bba63a020c223ca9cf1b9ae
SHA512

cd4c1d6756aa4d8e98ef4f7549ef2d73cc407bbba17a22ba31ddefbf74cd51de8a5c51a200db7f99e408f38988444a44156e7dc1136775b5cf6376972770ed29

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8024fcb69074d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30962832"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360726731"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30962832"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2825917656"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043099a93b0a2dd41b22bfbb30670caee00000000020000000000106600000001000020000000dcc4a62aa8c0976e3f3c9865fc5df0f4a41aa22be2d588a499c742778dd9b95c000000000e800000000200002000000025dae4fe7c35df9d762d4bb5d54680e9d2aecdbc1c32acee4eb1173955597cff200000004d21f1f1bf547de8823a1285ec5aea73a587dfcb58776927acc5f41371f8353840000000af8d9cacfa34eb8ea3d332429bbac651c6a898bfd7aca7840cd0a65b6bdf2240eee761c3a9097d4f9f54af85249fa7fb11ea35a0e3c5188d9389867f446ca453	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2994198054"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30962832"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D33E45F6-E083-11EC-A58B-66F9B3FFC396} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2825917656"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043099a93b0a2dd41b22bfbb30670caee00000000020000000000106600000001000020000000a3cdd89ae97e4fed084dff9a7e3b078d0e06b17146084f3012f6067ec2fc52a1000000000e8000000002000020000000b857a250c1fbb176ce6860dd2d540ea0429208d52737525e422e4cbe44e5d10b20000000cefd6af0f74a73a8a313eb0c9a8d18fadbeec90b6f35fa853cb8fbff05a41ac540000000dc01b11e9eec4cfefdaefc39532f873631431f439cb1d6e2284dc38d83c8fa4697d0acdc840df9580b311b27afe0917bec00c6d30990ef9224a54502bfc0e6e5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60109fb69074d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

876 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

876 iexplore.exe
876 iexplore.exe
5008 IEXPLORE.EXE
5008 IEXPLORE.EXE
5008 IEXPLORE.EXE
5008 IEXPLORE.EXE

pid	process
876	iexplore.exe

pid	process
876	iexplore.exe
876	iexplore.exe
5008	IEXPLORE.EXE
5008	IEXPLORE.EXE
5008	IEXPLORE.EXE
5008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 4500 wrote to memory of 876	4500	MSOXMLED.EXE	iexplore.exe
PID 4500 wrote to memory of 876	4500	MSOXMLED.EXE	iexplore.exe
PID 876 wrote to memory of 5008	876	iexplore.exe	IEXPLORE.EXE
PID 876 wrote to memory of 5008	876	iexplore.exe	IEXPLORE.EXE
PID 876 wrote to memory of 5008	876	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Micr\Microsoft\assets\fonts\fontawesome-webfont5b62.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Micr\Microsoft\assets\fonts\fontawesome-webfont5b62.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0eaec8b890892eb6f45b0022a6c5e366

SHA1
ec76b986b97e770ee53c0f5f8dee04277603554e

SHA256
e503b7264fb02e971a08cba4637c405ae0fff509b7947aed4b2f6fe9f96ad5fd

SHA512
93e851e272bd1a7a66e3153a062013ccdb161349dc9b73edc80c9eb01136287a3b5468070a3d9df8b5462c8341dc4968710939383dc8fb3510402337821d4cdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
f7d823b046784d494441e830fdeac6cb

SHA1
5a93bf62bf60428677d15b45c2328b6ded4e434b

SHA256
dbc42f4231b8758fc5efb97f039a97694bf3dec8324cc88997d98448dcd9a99f

SHA512
8769bacc2ce61c2da26cb1121ca534834b99407edb0e0a214fbff7ef85d2c00c58c9e2e4ecfc1e396d391df8825a47d4f55df6964fe6d5e1949331321c8bd5a2

Download Submit
memory/4500-130-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/4500-132-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/4500-131-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/4500-133-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/4500-134-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/4500-135-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/4500-136-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/4500-137-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download
memory/4500-138-0x00007FFC95270000-0x00007FFC95280000-memory.dmp

Filesize
64KB

Download