6108fe6c491d95e6869c3605197c261d341159ae4a565ca8613184aae5020b74

Analysis

max time kernel
110s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAVAntivirus/rsRemediation.exe.xml
Size

176B
MD5

07c7bd25442b92d5e654d2b47ea63ec0
SHA1

4c1a65c73edf4dac58f7c6d1e0094ced79647736
SHA256

8305f905b29a9202d59bc06753ac1acc00b3b4c8b951d820ca7ac850e7a4f7cc
SHA512

6204fb64c90537dab7f64b8d99430e8bfa7d4759bd22b2bfe7959f59beffc001cfce1e3ea80fff21deeda91cede3c48726aff7433e6a9b9e32c1f239f53b909b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2997207357"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30986368"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DDCE8B3C-3C73-11ED-89AC-DA88DC7FA106} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370835361"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a07df3b380d0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986368"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986368"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000002f0af4a05c1f4949458d7dca29e6ba4a7c5c04b22b94f4312f454e8798a775d4000000000e8000000002000020000000738356fad64aa6663723dcb548806824e8c7a1e789d42af8b1fc5fac23c31b1a2000000021c2edab3df8a3550837cbee0cd74aef56329eb19220a91153c9ef6affd1a28e400000003e60499f70186070c5a88e4c4ec33e668480ca585c07257ed6c1361a5941c30bcf6e21dfeb50bb9d9d4817566f017cc67a198d473344eb6ae169c56842af6c23	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c3a8b480d0d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000001292940a906b68b0a89e126db4d139e51995597fd8ea3fd663496ef60006f805000000000e800000000200002000000085b4aef6b2286e0d2f8e2c23d0d71a40cb4685db8def6cd3107ea7fd6b0267eb20000000e4a1ac4c88e09af7b834eb8f90f0578b848442293fa2ac0cb58f63dea074ceff40000000c0b618d668207619eb63ae2a6d855001e857ee0e899cc14884bf5e6e9285a4bdfa8af0257b000b4e21e63fdcecafbacdd72f58df6108417d659d99d8279a1551	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3009082982"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2997207357"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4752 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4752 iexplore.exe
4752 iexplore.exe
1232 IEXPLORE.EXE
1232 IEXPLORE.EXE
1232 IEXPLORE.EXE
1232 IEXPLORE.EXE

pid	process
4752	iexplore.exe

pid	process
4752	iexplore.exe
4752	iexplore.exe
1232	IEXPLORE.EXE
1232	IEXPLORE.EXE
1232	IEXPLORE.EXE
1232	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 4244 wrote to memory of 4752	4244	MSOXMLED.EXE	iexplore.exe
PID 4244 wrote to memory of 4752	4244	MSOXMLED.EXE	iexplore.exe
PID 4752 wrote to memory of 1232	4752	iexplore.exe	IEXPLORE.EXE
PID 4752 wrote to memory of 1232	4752	iexplore.exe	IEXPLORE.EXE
PID 4752 wrote to memory of 1232	4752	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\RAVAntivirus\rsRemediation.exe.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\RAVAntivirus\rsRemediation.exe.xml
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4752 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
07149bdd639826419e083a26419257c2

SHA1
a8e6f0b4f6fc6e51803f4c9e46af728969de3f67

SHA256
ebbe45f802e0679a14fc030c6cbcfa453183b54d5f26e7f26b40b377f97598cd

SHA512
79630d054c2da35857dae03406e467294128a69fe4e0ccf10976e3a2d01645f2cf6ce5b1b90110872d04ee82dff29103e8e14439ff38c6309ec84fcf171623ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
fc226c3fb64dce1bbb4afe276258aae2

SHA1
ef8ed097d8890ca34b86ce1f8a5c838368c45eb6

SHA256
40c7a800b998698e49c4fbf46fd57ff27e422198bccc4ec2ab0b35812a1b7540

SHA512
390fb38657523f57ea81f4bb9a74bf9a6f7b04c8be881761005a92a7d3de9adbe86075b38984fa6b9d8b2bff7a15993afd5a64a40f17375594e45db5168fac33

Download Submit
memory/4244-132-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download
memory/4244-133-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download
memory/4244-134-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download
memory/4244-135-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download
memory/4244-136-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download
memory/4244-137-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download
memory/4244-138-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download
memory/4244-139-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download
memory/4244-140-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

Filesize
64KB

Download