e7ffcc5ab285fed3905a98b3af9fd30b1782f2a4560755cd8ac35a39908d3c10

Analysis

max time kernel
109s
max time network
227s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
19-11-2022 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

text/part0000_split_083.xml
Size

9KB
MD5

c2c1aa7028ef2c6fd3d804473ad98eb9
SHA1

31c2ee335ed1ac294a72d44221124411b4575a06
SHA256

ad55da1b71045d9046d440c3cec5b5568735e75da5b69d2801d1021d10594b12
SHA512

4dd9121781ee131c309d30cf8d03378e5b843145b708f12337edbf4637e785dc9b5282ea70611534d6ff215aa773b75e50666255c6c27819d6eacc13594173f8
SSDEEP

192:bba1Ygzf7WUtWZVFzcTfU44XlWHKXPwGGZ9:bW1Ygzf7WUtWZVFzcTfJnqXA/

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048dd1ad2bf5eea499f26ca602abd8011000000000200000000001066000000010000200000002cce199ef7aeaef58dec2f9b30b5ed946c5c8e6b64cf25595832772987ce16df000000000e80000000020000200000000cd4ffe995c4bbe6a5f86babbbfac14743e7cee382a0335d1cb56ac645819dd820000000f423f491ffb07bf16ae25e46b78fbe9e8439107f579a8a1e21318d06d97f3b7f40000000aeeb89406f7bf8dc008d222f5e43fe35ad758db80f94d5049bbc36a5f138c377c7143c389331bb2d25837acde3f4184dabb25ddac431a247dbb7dee1995623e4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375021159"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375672852"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3262445289"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997518"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375640868"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E41DE065-6801-11ED-9424-F2ECB67C8E21} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048dd1ad2bf5eea499f26ca602abd801100000000020000000000106600000001000020000000e156c4d83d69f023a47d60aa44f15ac879a825c46694850f4f6d933e66a56b82000000000e80000000020000200000009038f6fae720522df61cff71ee0cdde1ba2f3d437632dfc185a3c7c36ef1a59b20000000cfe6d49a9632d4040c5883bd380be68ae3a721ee6d9a28a122a919c99e7c0f174000000050917a9292ca4bc28b94e71a44dea6f6107e5a4d0beea0494e7be084cf96e71ada3921dd2bf771dccdc3eba3705840926d3e509df7f3eb4d0577444c35314aea	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3262445289"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e0c6b90efcd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0fec1b90efcd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997518"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4740 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4740 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4740 iexplore.exe
4740 iexplore.exe
4352 IEXPLORE.EXE
4352 IEXPLORE.EXE
4352 IEXPLORE.EXE
4352 IEXPLORE.EXE

pid	process
4740	iexplore.exe

pid	process
4740	iexplore.exe

pid	process
4740	iexplore.exe
4740	iexplore.exe
4352	IEXPLORE.EXE
4352	IEXPLORE.EXE
4352	IEXPLORE.EXE
4352	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 4888 wrote to memory of 4740	4888	MSOXMLED.EXE	iexplore.exe
PID 4888 wrote to memory of 4740	4888	MSOXMLED.EXE	iexplore.exe
PID 4740 wrote to memory of 4352	4740	iexplore.exe	IEXPLORE.EXE
PID 4740 wrote to memory of 4352	4740	iexplore.exe	IEXPLORE.EXE
PID 4740 wrote to memory of 4352	4740	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\text\part0000_split_083.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\text\part0000_split_083.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4740 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IPR1739V.cookie

Filesize
615B

MD5
7632dbca87808c00abf20fdc2cf72dd7

SHA1
5d20e4a5ef2ed9d9926ccf89b0cf0c254e99801e

SHA256
bc0023fefdf7f0a875039e5344ece4fed8b8cae3401338df8b3c628014066f89

SHA512
bd6ffe817a31b285faa9d820b7ab47a407218b49d4418927856b46fc627a04fb6b40438118849d34a0d3dba31fd48576e7246dfc10d86ff87ab76579ec8ce230

Download Submit
memory/4888-117-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp

Filesize
64KB

Download
memory/4888-118-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp

Filesize
64KB

Download
memory/4888-119-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp

Filesize
64KB

Download
memory/4888-120-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp

Filesize
64KB

Download
memory/4888-121-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp

Filesize
64KB

Download
memory/4888-122-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp

Filesize
64KB

Download
memory/4888-123-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp

Filesize
64KB

Download
memory/4888-124-0x00007FFF5CC70000-0x00007FFF5CC80000-memory.dmp

Filesize
64KB

Download