e7ffcc5ab285fed3905a98b3af9fd30b1782f2a4560755cd8ac35a39908d3c10

Analysis

max time kernel
144s
max time network
227s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-11-2022 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

text/part0000_split_070.xml
Size

9KB
MD5

a5b17a15e0a264bfe14355ac8d0fdd5e
SHA1

868dc6e37be61e55f44658be175254bb42097ae5
SHA256

a27a2214e7d3b9f8e5bd1d8c72146a9193876d5d6195d1a1d04b31919c5489fc
SHA512

8906d3000b09a8c4a1a3f42a4b1cb9a866549942c5b6d52be6f7b1a984a39dda0456f99c44614cbe9b926128bab830210e2c53c12770751e323c4f3bbda763db
SSDEEP

192:bgvD4hNdYXec77Lme+PfXhWoPvYuBbYvT3Z:bwshNe97XmeuXhWoPvYuBbYvT3Z

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997527"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fcab58f4a10ab849b20faf1646ac42180000000002000000000010660000000100002000000029a90b037a041ee09ba56d229916d2101fbd3b57173ae7dbbcf24d9dabd37dee000000000e8000000002000020000000b18a63115dda14a3efa10e278f2162ad3b5d6b348b90859f4d10e8c4060fdbb22000000026d799fae3f53d7f34fb7dc0388dc90d462a3b00e32144743cc0a3cfd0f29e4140000000f30e68e824392480a79f05be74e668b918d633b4fe40bc236b5df63bfeef65e1c8a394a5250304205cddaf3497bd53455962d763e3559bb1177f6eb78ad8b55d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "440652117"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fcab58f4a10ab849b20faf1646ac42180000000002000000000010660000000100002000000000fc404410fc7cca90b719ed3fc606b00bed18ac6053b3546ee34d961452cbb0000000000e80000000020000200000008a6aa1a3a8fc25b1c11c301cab4379a87d1c1dd5fa0052ef59d87dc7626346e220000000fd724800ba55670ed94ef83042ce7dec27163b88f7a53b6d2d4fc104295958eb40000000d2390d4f579fcc872367d7922a3932ac5ee6aa606ae70b83f5f2092d02bf29f770289de4cc6f4e7b24d9c362c7358f877f06ad23c3eb5cfee343ead3e3f6c525	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006a921a17fcd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a005521a17fcd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375644453"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{44ADDE2E-680A-11ED-A7A3-7AFE47082869} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "440652117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375627859"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375676444"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2776 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2776 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2776 iexplore.exe
2776 iexplore.exe
2616 IEXPLORE.EXE
2616 IEXPLORE.EXE
2616 IEXPLORE.EXE
2616 IEXPLORE.EXE

pid	process
2776	iexplore.exe

pid	process
2776	iexplore.exe

pid	process
2776	iexplore.exe
2776	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 2336 wrote to memory of 2776	2336	MSOXMLED.EXE	iexplore.exe
PID 2336 wrote to memory of 2776	2336	MSOXMLED.EXE	iexplore.exe
PID 2776 wrote to memory of 2616	2776	iexplore.exe	IEXPLORE.EXE
PID 2776 wrote to memory of 2616	2776	iexplore.exe	IEXPLORE.EXE
PID 2776 wrote to memory of 2616	2776	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\text\part0000_split_070.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\text\part0000_split_070.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\GRZPDISD.cookie

Filesize
610B

MD5
ddfe66cf9ee2b3f606ce9efb40539658

SHA1
bc5baf87c61cc8981f7c77730e048ec879e811cc

SHA256
0523355c01aa301a79265f98081236bf6b3441ce7dee4311c4c3f3e68da08f7b

SHA512
3a2ad805d51eabe4d369705f23d0bdb7ba980e832d09737611d3f2afc0e77d6afbdb8c9de8718c212d3f1dd8472290c85d628fb48a9f1b7fd8e2eea868a7713f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OVZAIGQU.cookie

Filesize
610B

MD5
ddd4d210d16a4a25424e6f9dbbb57e81

SHA1
6af7edb8ca53f715d556fb677d779a3e39295c47

SHA256
186b080e9d712ae1e6674d7dabb850fd85b971a3ee328d69878971d5ec39ccac

SHA512
4bbf3462cba699252eef939e2857c208cf828195063b7612017b5fb8b7209dd499b2e2bbed0d386bc9a17ff1a6596730c74b58c6c131fef5834d31f86d0f28c8

Download Submit
memory/2336-118-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2336-119-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2336-120-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2336-121-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2336-122-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2336-123-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2336-124-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download
memory/2336-125-0x00007FFEF57F0000-0x00007FFEF5800000-memory.dmp

Filesize
64KB

Download