e7ffcc5ab285fed3905a98b3af9fd30b1782f2a4560755cd8ac35a39908d3c10

Analysis

max time kernel
136s
max time network
242s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-11-2022 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

text/part0000_split_069.xml
Size

930B
MD5

26ec0173153f430c47b8b41274696756
SHA1

517dbe52764f2148a5e142c98ce5e5fd65ec9f2e
SHA256

0796e85ea5a066a02ed7566e9453cb196313fcdd6ebee0232528ecc32f202058
SHA512

0afc97912964167ede1b968c337bf0bdbe99d8356124a720aab607001f3ab0a13e90ce1e8a69c516b89107b6e1850b0385fdb4289deae1f90b0ee8545c38cd82

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009648c73473cbeb499e81989969140cdc00000000020000000000106600000001000020000000df109a7524392fbbf7d09985d9886035e0664f31ab60805971b477dcf1d745c4000000000e800000000200002000000095d7cfffe2366c0b0e7f5b04fd89011ef349bdf1ad79c6ee3180a2970ed6ce8f20000000999652702015203024bfa7e9f6c2dff8d61ca1178fc7cf8aa110acbad515bb4c4000000037d9d001e396dc9ccfae33a85a7c9ad459be049fd2559d852ca97f167e478594efc7ca3ce01f613395b254a766230ea68e8549f79bfb99e77a738ada101657f9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375676468"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C86369E-680A-11ED-A973-CED42B755F53} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "573365017"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "689146369"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375627882"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375644476"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009648c73473cbeb499e81989969140cdc00000000020000000000106600000001000020000000c18f2e2723bc87ccb250ea7e590d4d273aafb1ced9acf502e3806afeef6433ed000000000e8000000002000020000000ac4e42b54d8f6eb42fbc06b66c3796c480a64d948c707969045ecdf97594f8db2000000088bf148bd650269d38f0502af193a71468d9524fe2a01ddf5601650df901e1c8400000006d57bd1cb10a1f92408415d1280124237c6442a1a945a4e041b292c888e3cf1609378a597fb500775226242e51e10124ef08669ff226cae01df75dadbb493e22	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007f672b17fcd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997527"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "573365017"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90462e2b17fcd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2640 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2640 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2640 iexplore.exe
2640 iexplore.exe
3772 IEXPLORE.EXE
3772 IEXPLORE.EXE
3772 IEXPLORE.EXE
3772 IEXPLORE.EXE

pid	process
2640	iexplore.exe

pid	process
2640	iexplore.exe

pid	process
2640	iexplore.exe
2640	iexplore.exe
3772	IEXPLORE.EXE
3772	IEXPLORE.EXE
3772	IEXPLORE.EXE
3772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 2344 wrote to memory of 2640	2344	MSOXMLED.EXE	iexplore.exe
PID 2344 wrote to memory of 2640	2344	MSOXMLED.EXE	iexplore.exe
PID 2640 wrote to memory of 3772	2640	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 3772	2640	iexplore.exe	IEXPLORE.EXE
PID 2640 wrote to memory of 3772	2640	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\text\part0000_split_069.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\text\part0000_split_069.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7b35d09c8d594ddc91418302b68198a6

SHA1
74cd30ebe4bb6d31cb7a0b2987590f9ce9ff8659

SHA256
286981a655ce6984be66771a091daa1bea33a43cb7233ac74d2f43825281ec05

SHA512
a19a14c619d3ae1600595c4e21a1ae9112548029bfacfe0fb877ff0a7cf5d147370364444a044b94b69a088f58ce8035d42ef33d756f9afcb970fe2c32b8dd69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
225732384d8a1f20a10278d451d59e52

SHA1
04d1185089d8c1c30582228f02c359d56901e8ab

SHA256
94fe47b67e38446b25a9367fd4d20dca038e7dfa3b8c835c4ef8b64a493ffd08

SHA512
f851546a9cfcc37ceac74a825630e83725a645ff1af3e221b0eaeb3a990599124c801e2406672c0b496ef58fcba67a167f44ec644020077f1846f88e7f3a2b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G1SBAN8O.cookie

Filesize
615B

MD5
d2de21fb634d5cb0f7899858e6a7acc4

SHA1
cd220f1833249625019b0b4d48c4b77be672ccfe

SHA256
142cccb7a88d221e2d6b09741b09137974d75386b3a18689baa040163b9b966e

SHA512
b76be7920c8e4f674089f3cea2a8898091fdae5d462628c3f66394653756c209d9a21949867682f3a521a058d32be3bda481768f0ddd422c38cb30a489b1a5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\L12NLCEY.cookie

Filesize
615B

MD5
cd6f66082f7277369d046aa8be906ef4

SHA1
46987d8cf91e6de5c72bee6252f7bb494553a678

SHA256
f53ad5674011eb771e7fa6d27fcfb398a0116a5737a8683f361a217529f89002

SHA512
55c906921b549cba067c5e58fcd64c95accc524277f8645f17a51317fce58ca73096f4fcf115a147f482bfdb112ae0cf74ba445d936b24f6f799c3614bd0df32

Download Submit
memory/2344-120-0x00007FF9A9380000-0x00007FF9A9390000-memory.dmp

Filesize
64KB

Download
memory/2344-121-0x00007FF9A9380000-0x00007FF9A9390000-memory.dmp

Filesize
64KB

Download
memory/2344-122-0x00007FF9A9380000-0x00007FF9A9390000-memory.dmp

Filesize
64KB

Download
memory/2344-123-0x00007FF9A9380000-0x00007FF9A9390000-memory.dmp

Filesize
64KB

Download
memory/2344-125-0x00007FF9A9380000-0x00007FF9A9390000-memory.dmp

Filesize
64KB

Download
memory/2344-126-0x00007FF9A9380000-0x00007FF9A9390000-memory.dmp

Filesize
64KB

Download
memory/2344-124-0x00007FF9A9380000-0x00007FF9A9390000-memory.dmp

Filesize
64KB

Download
memory/2344-127-0x00007FF9A9380000-0x00007FF9A9390000-memory.dmp

Filesize
64KB

Download