d59f2c7602a5992a8b388ddca04c6b4f88bfd21229b30cba380efdbda4c1776b

Analysis

max time kernel
141s
max time network
185s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-08-2022 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

supportboard/supportboard/media/apps/business messages.xml
Size

1KB
MD5

b7727941c0e8a117b6cfd8f06a1cb7ed
SHA1

046b32605384cf010d87e8ac57462c12514cab5e
SHA256

5722617974160d10a2564c051caf679e6686955012aa626f1dcf163e20ebcedd
SHA512

5d0c32efbc34e6f3425d63822d30c9be09cfcb1a5b8c2404ad483d75d52a93e537f592c9d7178b2a01d043143bed3743d616096888bcec82ce2063cee18dc833

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{56BB9521-2759-11ED-A964-EAF6071D98F9} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000662e91b2ed9c9341dba39f98a014021f8cdf32f4a6974b763863ba7a41c8599a000000000e8000000002000020000000828393b4160d9ac3d26f92f866e6b6991c60372d55818b5eb3b01b02c58b5c6e90000000c6f7f000eb66d82b7afb3a3145d32f9b98c39baa1bef9c0945f4974a7e751c482988bd53739f65533bb6e981b8798d3bf4237686c36fd7b70cf1720eb35692f5c937d2ec7c5f4cb50ee2bdc065a035c12ae7ab291b6ca4310ed25a71bfbfbdcccff318de4ca8fca8f610e641ce184b776b2697415375ba3f06d92645486b99aa9c2606a1ef07ea481c64bb702f9396fd400000003452ee7ed2831d1f7f94499dac601c20ee80b8a80bd8efd9df18c2162e91e6499dd3479754b7ff0cceef100504c1ef946ade12d0ea4464e1a01b8cfdb8123eed	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 803ad83966bbd801	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "368515028"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000003794c87539fe3dc7901369db26f4b1c3e0a64534c63559a002281a3be6353ecd000000000e80000000020000200000003ddd9ca91e24fe41fdd83b5ebd1826fd039423b17e3af49acc30f41b0876b81720000000a218fc9859bce203e6b61c558646791c77f5a2922dbc7f229331b9a8336be6324000000030ddd9468bf26ecf74e8475328f0ccfa4f1489ca848c7743d723d399cd20480b9dd04af7061af68610b880fd1fe24470504469adfda2955cd251390d243ae6f2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1628 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1628 IEXPLORE.EXE
1628 IEXPLORE.EXE
1636 IEXPLORE.EXE
1636 IEXPLORE.EXE
1636 IEXPLORE.EXE
1636 IEXPLORE.EXE

pid	process
1628	IEXPLORE.EXE

pid	process
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1220 wrote to memory of 1664	1220	MSOXMLED.EXE	iexplore.exe
PID 1220 wrote to memory of 1664	1220	MSOXMLED.EXE	iexplore.exe
PID 1220 wrote to memory of 1664	1220	MSOXMLED.EXE	iexplore.exe
PID 1220 wrote to memory of 1664	1220	MSOXMLED.EXE	iexplore.exe
PID 1664 wrote to memory of 1628	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 1628	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 1628	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 1628	1664	iexplore.exe	IEXPLORE.EXE
PID 1628 wrote to memory of 1636	1628	IEXPLORE.EXE	IEXPLORE.EXE
PID 1628 wrote to memory of 1636	1628	IEXPLORE.EXE	IEXPLORE.EXE
PID 1628 wrote to memory of 1636	1628	IEXPLORE.EXE	IEXPLORE.EXE
PID 1628 wrote to memory of 1636	1628	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\supportboard\supportboard\media\apps\business messages.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\21PRFLNQ.txt
Filesize
602B

MD5
f033bdd042283d0cf9b164898ec996d1

SHA1
58cd4741a13d0b49423ecd0d949cb49942403d5c

SHA256
8b70995d569898a8e285aac0a9767847f98f46faaffaf208679885aab6a2c0e7

SHA512
347d9f8c2155239aabca1dbf188dcf6392de3418218f172de29fbf32f120fee1ac2d4420d461a43b2a0e75cb485284eca961dad456a7edb9f3bf235d99885cf5

Download Submit
memory/1220-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download