2c63e762ad58d8532531e374225649be5f1c85454ed50a67b4823797a9609d71

Analysis

max time kernel
135s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2022 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document.pdf/About/en-US/AutoPlay.xml
Size

4KB
MD5

935c602dad3f4335bd16c269e66dbfaa
SHA1

3df4dc6d55af20f0593d807fb4fdefb23cc3355a
SHA256

8773998440c8d534fa69833174d05d09088f07e6e5c0e41d7c04a229c7903879
SHA512

05abffc0ce836f7438bc711a9d2b5ceb8f3f1c48be2ac9c1a91d286aed6fc4c8d740ae802dcd2cc65d066972dc8daa84ad8a10fa775d66cb5f3de34688d975ec
SSDEEP

96:LeD5pmCRsKp7RqiPKhB3a1jejcM64iVDJaqV:ELRRp74a1AbodJ7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1706872839"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986064"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06f656c50cfd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1768749142"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000f7b7a1325c978ef65b3429f2d8d32572b8f3bbc518703060ee6a3e0da414e298000000000e800000000200002000000032093d1796e1eba3df28f873c5519d113d92375dda1c303f54537476ed4f9c4b20000000faa4d25a125c03335ee19c07b1da20fc7723e20ba5be253dcf90fb8d44160b3e400000004e3c9216c5675a3f159dd238807a05a3ee4d3139edefe8fb9e091246e4491d084ffec6c059afd2868088fc80e94cd60a94ff8abd49355181c2c343e1fe98c747	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d017576c50cfd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30986064"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1706872839"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986064"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370704670"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000006d375b69da67cf6233b8de3f650dc14fbbe16c211c55d397487576af478c497a000000000e8000000002000020000000d3e512066fa9617f881b2abcaaeec312a01dfdf47f9734ec0f3a5ccbc64c2a33200000007c06115642362511e1d3ef81e7df1247d1387c02f1a941a96a95ec805cc35e8b400000004130213d9ccb618d70ad92297d199a6e7043bd89ec42f09d2cf2d6e5f2dcfc2205afa6c311c35f49744a02d28ea9fecbb8017d64d3ea6bd2dfd7e7c2c6eb9525	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8CFC3B74-3B43-11ED-AECB-D2A4FF929712} = "0"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2256 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2256 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2256 iexplore.exe
2256 iexplore.exe
3692 IEXPLORE.EXE
3692 IEXPLORE.EXE
3692 IEXPLORE.EXE
3692 IEXPLORE.EXE

pid	process
2256	iexplore.exe

pid	process
2256	iexplore.exe

pid	process
2256	iexplore.exe
2256	iexplore.exe
3692	IEXPLORE.EXE
3692	IEXPLORE.EXE
3692	IEXPLORE.EXE
3692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 3664 wrote to memory of 2256	3664	MSOXMLED.EXE	iexplore.exe
PID 3664 wrote to memory of 2256	3664	MSOXMLED.EXE	iexplore.exe
PID 2256 wrote to memory of 3692	2256	iexplore.exe	IEXPLORE.EXE
PID 2256 wrote to memory of 3692	2256	iexplore.exe	IEXPLORE.EXE
PID 2256 wrote to memory of 3692	2256	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Document.pdf\About\en-US\AutoPlay.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Document.pdf\About\en-US\AutoPlay.xml
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C
Filesize
631B

MD5
54f5dac59e9c2be8229dded05837d48b

SHA1
a3a4a2325439daa22af599624c7d07d7eb24391c

SHA256
81d755ca9b28ec7f47d0fd4627c55c42840fa294ab7e9987ef88a5f7b1e15113

SHA512
aa2b6b442f9225b621bc79b92d3fdbb2c4c2ea69dfc9a4325aacda7f384b36984878d4be71e9e556f2a5c36399fc3091509e7d0421b601ad1a381d8a2cba8d7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C
Filesize
240B

MD5
6160c9889ecedb4e7ad5bd224b14c11a

SHA1
07eb288a8ce1739367fe27dc897a604bec2f51e4

SHA256
26b5e8ff5e97c2e91323dbb17af3b5adc73ae49e65b32db9bb51fadf096fbece

SHA512
e525be25f4fb32d4350f6f70d82f74edaf79be7b73ea94270b28525b72b5d76e08d58248a7042be2b3af834b8a2f0fc90bae3483d22bc377fe0124b7d08547ac

Download Submit
memory/3664-132-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3664-133-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3664-134-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3664-135-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3664-136-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3664-137-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3664-138-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3664-139-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download
memory/3664-140-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp

Filesize
64KB

Download