94759b1194a150628556187c1fb455762671ada958c6a8a9e8e25849163e4564

Analysis

max time kernel
384s
max time network
681s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Data/package/Program Files (x86)/Microsoft Analysis Services/AS OLEDB/110/Cartridges/sql2000.xml
Size

32KB
MD5

ac29c853a64282340ef729348b8f1d67
SHA1

302686cc7c3fe0a66a3ed4256a962426ea9786d4
SHA256

e4ab45c17b706f7689e7c854f7b95b14ceb7f445344253e1e062498b19196bfb
SHA512

a3abc6c6eb93ed3dd57fb144eccd5313f4df5622db337c5a6151c752aef2befe21aaaa854d2e84d083e6ecf4168906f568380402695231f44bafdd4cc3e7f797
SSDEEP

384:53l2bYjk3EfI9S6J9S6KS8Y542cyRANEffPaWlDGAYwfDjY/AnM/0wz8b2:5l2l3EfkdcyRANEHPaWlDVYU/wz8b2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000ba0694853d035ffa6a4d4a6184cb50e43bf135e4afee2188cfdbb2970ae4d8b5000000000e8000000002000020000000775fbe744cc7845e7b633d8a99f41298f13449889f96c0ad7846c8dccb293e9d200000005446efc84346d771d075026440fab930167bb9cc236e632b3dff89599220bc08400000001fd51f7e2ab26d6880292384725a572f487eb774abbce843606c391885b80becaf65336de139d8887ed80276407379364fa598af85638beef49e9eaf3b335e10	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7008362524d8d801	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A4F50D1-4417-11ED-93F0-EAF6071D98F9} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000005f66ead538f252e0c283fb40feb798f99da680cd92d6902eb68e92f86cca4cea000000000e800000000200002000000010f9039a38c73aaafb472f8cff3b2e3019d60b4fd70d9237b7d58fdabc495b4690000000407f5fd8789f9cd4363d2c578d5f60b66877458af8a582a327feabd862dea49500deae56bb8a664c18acc0e4353b19fd8f1ec70aac4e7f758a852b0f7207b4fe7a16499aee07382c2512cac2232cba81fa385dbd7a327a8696db40f4808b6652753e38723a2fe228965007718f5f05207f81a114e96a44c84e02cef1c808983643ea4427f9c9e2e4d9af6ddfea6c1f084000000060edad0118c8ef5d4e547e66cadbff3964f7ece17529de63c1d79ceb75c3857e5129a1aa7379d17e208b6018e0ef6eca04966004354b6b75bfe41aa1493430c7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371675231"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1616 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1616 IEXPLORE.EXE
1616 IEXPLORE.EXE
1740 IEXPLORE.EXE
1740 IEXPLORE.EXE
1740 IEXPLORE.EXE
1740 IEXPLORE.EXE

pid	process
1616	IEXPLORE.EXE

pid	process
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 588 wrote to memory of 1048	588	MSOXMLED.EXE	iexplore.exe
PID 588 wrote to memory of 1048	588	MSOXMLED.EXE	iexplore.exe
PID 588 wrote to memory of 1048	588	MSOXMLED.EXE	iexplore.exe
PID 588 wrote to memory of 1048	588	MSOXMLED.EXE	iexplore.exe
PID 1048 wrote to memory of 1616	1048	iexplore.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 1616	1048	iexplore.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 1616	1048	iexplore.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 1616	1048	iexplore.exe	IEXPLORE.EXE
PID 1616 wrote to memory of 1740	1616	IEXPLORE.EXE	IEXPLORE.EXE
PID 1616 wrote to memory of 1740	1616	IEXPLORE.EXE	IEXPLORE.EXE
PID 1616 wrote to memory of 1740	1616	IEXPLORE.EXE	IEXPLORE.EXE
PID 1616 wrote to memory of 1740	1616	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Data\package\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\Cartridges\sql2000.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7VQRBHWN.txt
Filesize
607B

MD5
995ab2a51b1bf978f86b0f364fbd7035

SHA1
758c82bf9f59c621c44e9066948af17140c78a23

SHA256
40eee38db5f32bb553c083e0aa29330e22331fe8f5ec45d799ef19cf214bdf4b

SHA512
19e98434f05264b32816eca1707c3943d5d14482bc512c915e84a9b626469d9b4303dc91076cea49755eec80fa5e839cd84ca99c004beb1c7dc5f1a5ee3999d7

Download Submit
memory/588-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download