e2bae85cda82589d5dda7835c71aef169dda99a4fd27048350906d48db43c348

Analysis

max time kernel
118s
max time network
259s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-10-2022 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

package/Program Files (x86)/Microsoft Analysis Services/AS OLEDB/110/Cartridges/sql90.xml
Size

95KB
MD5

7bcb78a5002bafbb8ebd1b3d3ea7a56c
SHA1

27b495895e189bb26ba5bb884dce933131485acd
SHA256

a0b013c7d76354298b4b9c5293634da45ef971b8f013e0e2d49ce1c6fd326d18
SHA512

482fc566d875bf08bcc554907084218686bd8f4c8a2f395db509fc2473e8a5f56577a6a6d9cee6a8de6b31d4164d8e32babc22bad327a0c8747d90cde1153d41
SSDEEP

1536:9ZqkdcyRoiSHSTQf3GlDTYfq0QKUo1o5omoKomo7v2FAv:9ZqkdcyRoiSHKQf3GlDTYfRvQAv

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0494636eddad801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371981477"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5BFA4B71-46E0-11ED-8C11-42FEA5F7B9B2} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000d961f6b6661bdcf891b1f4ea18295bb0a7ce1b55f46e52a3ba3b194cc43fe5d3000000000e8000000002000020000000225d0f0ce9942e6e8e0764441acbc4ee0000e35f48cca9a23491b905862eb9aa90000000ef3853d86d919a6d3d938d820fe912a7ddb7beaee2204f4303db5142153f6310d4c6a96eb3654d6e47e76280e8a0b647d3213ef88a7a48e35a84a6567868f6b30142b9a57627ce7fce8dabb71b35f016d72834aae7f6616b54d5d0961cdc5a0c9fad725e444343641fb712c8f366951c03b8dd42c213659069685cae78f7795c109478964290b4054d883e4dcec274594000000063cdc6301c82a363f50dc64dbebe5441b09f67878d33f49dc2efe9d0ca5a079fe43d9cdf898210c0e27cc67fb19cf09cb8e36b30325503bfe74cedfac2d5e635	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000694d8155260e33c06bf15e0f4dd81ccce12200b103e0cfd8daac2f4e7c24a99e000000000e8000000002000020000000ebf4409015fba71c5ad5dc9da74e9dc8b2dee1a710da6281610c9a3dde5507a7200000005340f18097a230b6cbfef02a5f80262681380fa0effcf36d6cbdababf00bc539400000005e4c577431f3f0a5a658749e1a98b47e1eedaf10b18260294f34fdc1d1890a565a838f0e2daedc3f9169724eee2fd354d9a121d9048706590efe2cbd0c35dc1b	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1204 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1204 IEXPLORE.EXE
1204 IEXPLORE.EXE
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE

pid	process
1204	IEXPLORE.EXE

pid	process
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1948 wrote to memory of 844	1948	MSOXMLED.EXE	iexplore.exe
PID 1948 wrote to memory of 844	1948	MSOXMLED.EXE	iexplore.exe
PID 1948 wrote to memory of 844	1948	MSOXMLED.EXE	iexplore.exe
PID 1948 wrote to memory of 844	1948	MSOXMLED.EXE	iexplore.exe
PID 844 wrote to memory of 1204	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 1204	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 1204	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 1204	844	iexplore.exe	IEXPLORE.EXE
PID 1204 wrote to memory of 1960	1204	IEXPLORE.EXE	IEXPLORE.EXE
PID 1204 wrote to memory of 1960	1204	IEXPLORE.EXE	IEXPLORE.EXE
PID 1204 wrote to memory of 1960	1204	IEXPLORE.EXE	IEXPLORE.EXE
PID 1204 wrote to memory of 1960	1204	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\package\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\Cartridges\sql90.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C0O8X2P5.txt
Filesize
601B

MD5
693f8a611a2b6b85d503b618e8c62016

SHA1
fb2a3845491086ecac74f683b73e8629db770389

SHA256
24f12cea2f8fb530ad5f3b7dc593defb7f328e05c9e84f89f8c3b93d13460c7b

SHA512
b9f3381d10e0211deea2e57e61d8dd5a0a134ecc4a10ffc54286ecf5632a9dbe223ed2c7fcd6b53c3e2a541d295033e38fddc41d6b4caeeacf4eea7e85de719f

Download Submit
memory/1948-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download