e2bae85cda82589d5dda7835c71aef169dda99a4fd27048350906d48db43c348

Analysis

max time kernel
105s
max time network
195s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
08-10-2022 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

package/Program Files (x86)/Microsoft Analysis Services/AS OLEDB/110/Cartridges/orcl7.xml
Size

33KB
MD5

69efd1c266511f8ab64385235c3d54b2
SHA1

94af77e0d2116c263e5798e0fbf7410df4333eb3
SHA256

0374baec5b67bba27b929ce1bfadb009cbfb10d67632d158fbaf8b6b941d5b6d
SHA512

956383dbf08fa9d9618f403ff55052535b946c261afaba86d3fe52651c409b05789581c231091944f803eabcf26870b6de86aedc1fcb481f18ef6633caf476b7
SSDEEP

384:5xrkkbx3AoEXI9S6J9S6KS8Y542cyRyH5kr3lDGyYufDjY/0nM/hwz8Da:b4k2oEXkdcyRyH5kr3lDJYaEwz8Da

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F2239D1-46CF-11ED-9D78-7225AF48583A} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000028581507ba96dba62635446a438db74aa993be1fda80a5f1f9a441d233668479000000000e8000000002000020000000b07f7a1552eae75d18c901730c8663ff67c90802a876cf652d7cecb963ae8203900000004348718eb9807e369814f4ca81bc7bfb0e0de012e38cbd62ed65987bbc27422b0b9d8dbd53036c88064620c8c712dcd6f51f76eff3713f27a3a8c29d3f6c70dfb4586cf3e993cd01e7acf545181af59716ada86791d797c037fd4f7bc15a12562a185525b20528613e12836f826fa22dfc809ab4de97455f6acd6dd747c39aed44375374039b9e31f36c995b5d050a644000000090905213e857c58ade92aceebcb607bea9a338036133cac80e3964d4e75064a588f3909b9c46d98b3976b4d3239499f777cda4a575d4d56f9bf02ed4f5475055	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4002e744dcdad801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371974207"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000e8bf50395b3250ab8fd200a1435e69000f2dfd4eaed554db9496b284ae3358a9000000000e8000000002000020000000ebf3aea2d847b1712d05ce397eebef62a67f39d030907165d4629e6a81c50f8d200000001197022f1637b8bccdac5ac881f3d74b7304026e49ad1e36f92ad9833ac0747d4000000084c9bb89e5c5d581376630dfd02daff6ab904538ddfd3cd0ca15498bc9f3ec3ec37a1c90fca7a80b3d3e87914e70416f1b078ff84c501276ac1a3522a547264b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1056 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1056 IEXPLORE.EXE
1056 IEXPLORE.EXE
1780 IEXPLORE.EXE
1780 IEXPLORE.EXE
1780 IEXPLORE.EXE
1780 IEXPLORE.EXE

pid	process
1056	IEXPLORE.EXE

pid	process
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 840 wrote to memory of 596	840	MSOXMLED.EXE	iexplore.exe
PID 840 wrote to memory of 596	840	MSOXMLED.EXE	iexplore.exe
PID 840 wrote to memory of 596	840	MSOXMLED.EXE	iexplore.exe
PID 840 wrote to memory of 596	840	MSOXMLED.EXE	iexplore.exe
PID 596 wrote to memory of 1056	596	iexplore.exe	IEXPLORE.EXE
PID 596 wrote to memory of 1056	596	iexplore.exe	IEXPLORE.EXE
PID 596 wrote to memory of 1056	596	iexplore.exe	IEXPLORE.EXE
PID 596 wrote to memory of 1056	596	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 1780	1056	IEXPLORE.EXE	IEXPLORE.EXE
PID 1056 wrote to memory of 1780	1056	IEXPLORE.EXE	IEXPLORE.EXE
PID 1056 wrote to memory of 1780	1056	IEXPLORE.EXE	IEXPLORE.EXE
PID 1056 wrote to memory of 1780	1056	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\package\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\Cartridges\orcl7.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\26YZD9LA.txt
Filesize
596B

MD5
929aa99216af30a4cc8d5a06aea8964d

SHA1
8e76b9fe2061cb76699d27e683c6703f978953b5

SHA256
e384390a64d9abb5097bcd298c5848d23c4ed2912e09e5f5394e650a429c9a1e

SHA512
ed03c0a89227dc1f423fe152d3035c2a22707bc178e1f7da4cf817b86c278da9565c7ce4ded6ee71f7e24d41f2ce5ecf45fabaa6e0957caff1a6dd08548d1377

Download Submit
memory/840-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download