e2bae85cda82589d5dda7835c71aef169dda99a4fd27048350906d48db43c348

Analysis

max time kernel
135s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2022 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

package/Program Files (x86)/Microsoft Analysis Services/AS OLEDB/110/Cartridges/orcl7.xml
Size

33KB
MD5

69efd1c266511f8ab64385235c3d54b2
SHA1

94af77e0d2116c263e5798e0fbf7410df4333eb3
SHA256

0374baec5b67bba27b929ce1bfadb009cbfb10d67632d158fbaf8b6b941d5b6d
SHA512

956383dbf08fa9d9618f403ff55052535b946c261afaba86d3fe52651c409b05789581c231091944f803eabcf26870b6de86aedc1fcb481f18ef6633caf476b7
SSDEEP

384:5xrkkbx3AoEXI9S6J9S6KS8Y542cyRyH5kr3lDGyYufDjY/0nM/hwz8Da:b4k2oEXkdcyRyH5kr3lDJYaEwz8Da

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000f7eabc5c7545212efcb8d5ef7d40fe01133858c1c7222576df9406ef788f3722000000000e8000000002000020000000a6a1c64a8f28f48fbdf7fb7f79eefe7aa805ff3f677c42126a5bfc93898be06520000000d0e4f455ef696e2931078412c1a99ddc76b12c5561b4047c38e8cb76aaa56b9140000000cb9402a26bf28069a3e0e39e73859efae1edf2114d60f1c3445d053671ca9e8c4be6b0c85a25ecdcc35459aa2163a0164e82f5375d927008858b66ba405388b5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371981411"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7068020feddad801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000b70b0a16e0e28e4ccf78681d3e10dc6b1c82f713a5076b3dfddef77d6b986590000000000e800000000200002000000098d197c3988f73cdc84ef9101d26026b5ad7d9c6d74ff8ff124563a41b18ef6c20000000c3ebe659ecf9f428dae110904955ddcf68761691662dddcb52fe43733f421a5c40000000ad0034fbc6d964ad12fc6f8d30ed0a2ef884c3a544c7f344d27d022b6e3aa7b48e3ac8002749abf574ee08c6da1eb2e94e0b8582ce63d7e33f9909ae43a8879a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "230571703"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989037"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989037"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c0100feddad801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3911F145-46E0-11ED-B696-520B3B914C01} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "230571703"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "241353967"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989037"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1060 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1060 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1060 iexplore.exe
1060 iexplore.exe
1716 IEXPLORE.EXE
1716 IEXPLORE.EXE
1716 IEXPLORE.EXE
1716 IEXPLORE.EXE

pid	process
1060	iexplore.exe

pid	process
1060	iexplore.exe

pid	process
1060	iexplore.exe
1060	iexplore.exe
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 4332 wrote to memory of 1060	4332	MSOXMLED.EXE	iexplore.exe
PID 4332 wrote to memory of 1060	4332	MSOXMLED.EXE	iexplore.exe
PID 1060 wrote to memory of 1716	1060	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 1716	1060	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 1716	1060	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\package\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\Cartridges\orcl7.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\package\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\Cartridges\orcl7.xml
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
50e10d0c1d47ed3dad34cfcd6a9d764c

SHA1
7ccc215400c6c89e794dcf3b8d7b7ed006e94fec

SHA256
4e194f75beef2d97e3b4e3fdf4a49b5ce0b5f7f112097d3093b33d257b2912a3

SHA512
7f67c1ac984e0f2de6cb3e12fe856a86a0e6f1d690ad668fa11c94932c5846f12008fc375187e0c93f40026613096184e36aa4804896f736aeb1bec27fb265aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
0cd5adfebbaffe4f7734afbb551cbe0e

SHA1
ab352e8f9920e9ac405983eface9785a8b9c3022

SHA256
a7f95f9f996a11efd616cc777e1cc72b0eb173adb043d4af1c4cda9c391e9f3a

SHA512
a67195f36547409a32af9d84b42758d2b039cbcdf4f9fbaf1caf0cb57cb344068bb7d3cab48d1764ae389102339df476c977329a8332448aebbcdae7d8d9e700

Download Submit
memory/4332-132-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4332-134-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4332-133-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4332-135-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4332-136-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4332-137-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4332-138-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4332-139-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download
memory/4332-140-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

Filesize
64KB

Download