039c7deb147774e9f48a601c75c9345b23b435058cbe5ced19a79990a3796885

Analysis

max time kernel
126s
max time network
176s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

packages/Assets/Assets.xml
Size

1KB
MD5

230955481388f2c0f33bedbf0a34aec2
SHA1

c3215ac5986e79f62ad4d547e733647c4ffa22a0
SHA256

312fc9721a900f9407009f56881ee337ebdb3c5b563d235ac5b2b4b4d2712132
SHA512

a4b60dc3839b9a65e1122e397d4b6ba29ab94e59da5ba459a00d61bd8b912162be6ec72ed0c2398aa2f89258b3054e8c6471cbc4a325010251152a8332051acc

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000008e1e965bc79608f92aa0187579c9f7f05947e59a2b4377ee60b0ea4a39b82b4c000000000e80000000020000200000000cf026960c20c8c7332f5600fdc771e2ea8f7bbcc3c1e81c7fb9d78e69c3827320000000dd3b6eeefe5e73808de4d6eee394a186376212e7636dd2f8d44dfb546cc22dc3400000004cd2766d2b7659cb8ef779185abd49639d88071c817a324b0ed7ab8c84f509861d9111036a2005061e3bda58e2c3b02ae0df8446624600bb9c243c4a7f57c532	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602bdc84a3ead801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373709051"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000fe89a4916ad72808649d04d025028e29db79202f3910f9c8457cb4d9104df203000000000e80000000020000200000001496188a78e484346494ea6182038a75e604a0d0607f98c6d9173743071ecc0990000000dfe55116f61d1909469aefb5deb0d494efb9fcc859a4a4ab9d24f462e329562d5c9645d2f07b98a14e5570504c513ecaf4f8bb19d8bdadfbfcf22daa321f340015e9909f7786b1b05515d0f72133b99aea17cbfd6189e1e3aded6956dbe9a8f6e341e3177137e60291266e6ac33213ff3a384ea7a66f6ace2a691f0e6e373d6e43bc919a65a0b6c587ff08ab7a0adc6940000000152409091c7d38918f5ce060cd01e4b553485e50c9006a8568c798fbeec5ce903ffe17b39ed8cadecc7e44b7ff88d0c75e21eb156860d008cf8d736875570513	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF722D21-5696-11ED-AD07-6AC8E2464E73} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1520 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1520 IEXPLORE.EXE
1520 IEXPLORE.EXE
584 IEXPLORE.EXE
584 IEXPLORE.EXE
584 IEXPLORE.EXE
584 IEXPLORE.EXE

pid	process
1520	IEXPLORE.EXE

pid	process
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 988 wrote to memory of 660	988	MSOXMLED.EXE	iexplore.exe
PID 988 wrote to memory of 660	988	MSOXMLED.EXE	iexplore.exe
PID 988 wrote to memory of 660	988	MSOXMLED.EXE	iexplore.exe
PID 988 wrote to memory of 660	988	MSOXMLED.EXE	iexplore.exe
PID 660 wrote to memory of 1520	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 1520	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 1520	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 1520	660	iexplore.exe	IEXPLORE.EXE
PID 1520 wrote to memory of 584	1520	IEXPLORE.EXE	IEXPLORE.EXE
PID 1520 wrote to memory of 584	1520	IEXPLORE.EXE	IEXPLORE.EXE
PID 1520 wrote to memory of 584	1520	IEXPLORE.EXE	IEXPLORE.EXE
PID 1520 wrote to memory of 584	1520	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\packages\Assets\Assets.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:988
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1520 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T2ODJ94S.txt

Filesize
607B

MD5
ee9a20e7aee262205bd338d828b51b6c

SHA1
ed57eb57eca1bb0e09d41a56dfd91fd6d841b07c

SHA256
4b860b90599332cd9142304a6c3629be21be72b16cb6716e485bd6e540bdd4ad

SHA512
311d7e204014f9a677ffbc66e399ebaffa547e95e4a7cd20a178ffbcd7d895de909d6976c0fca9af51ca5f03773f83e5e9f4bb67173c659d015f91baa9122a89

Download Submit
memory/988-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download