hxxps://schuleneringerfeld-my[.]sharepoint[.]com/[:]o[:]/g/personal/a_kroecker_fv-eringerfeld_de/EgNcpnzxPVlMveCimbTahBQB9CteuHEtQGSWAgthGr0Ucg?e=LIPXiD

Analysis

max time kernel
123s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://schuleneringerfeld-my.sharepoint.com/:o:/g/personal/a_kroecker_fv-eringerfeld_de/EgNcpnzxPVlMveCimbTahBQB9CteuHEtQGSWAgthGr0Ucg?e=LIPXiD

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377002296"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005274a68d3176fb4ea70724aecad7b01b00000000020000000000106600000001000020000000eb4dd5ceb4f06814936f27e3411fcda3377c76b58a95e26487f5972c9fd93763000000000e8000000002000020000000e1966cda7c5835e9f59b3d2d1c247b3cf27efbd2c7641fa0819343f6f27f8c9a90000000ef5c083286c97f1092ed0466ed76eaafc159a2feb75a1f379ed935722f666c4263c8e57e5e5a2717762f623894f98167253179efceea66f0af0c439c4c3f65d36ae9e43ffcc5af77e8ec92fa82fccfbf2509771f957437104ba6f2f4964b59213ce0fe7b5224f1f0c2ef407bb09afe21f7841d0a5d3beb51f3f764f91b19c38a69ff7554113d18d85f49b0dc368587dc400000009ee5147b07b6667e3c8ed429d94e986babcae98030666ec7f3b0bd8d3f06ae6b636218ca85c8c5599fa0a4f277495b4b232fedbb2bfdb847b867cb850c986c13	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05b1f449708d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5ECEAFD1-748A-11ED-8B83-6A6CB2F85B9F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005274a68d3176fb4ea70724aecad7b01b00000000020000000000106600000001000020000000d20cf27b7bad413cb271c0ac4318fa37f0f04d75b2f3b58b421698eb92370add000000000e800000000200002000000055603042ae4f41ada83600ae6d9948f04661216f23a58a59c990eec96b13d7072000000081780e086a718ba1e9d1f613993bc249f697fc27718526fba5f998ba29fe9844400000009ca101e07b1ccdbf30b03855d057d2b60afb342d1b3ca3d1000b3ace467fccdc32d86bf2cd6b5a95310109a2068521adddff3a389e0e64cff903b34d5ce47bb1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
836	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1612	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1612	iexplore.exe
1612	iexplore.exe
836	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
836	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 836	1612	iexplore.exe	27
PID 1612 wrote to memory of 836	1612	iexplore.exe	27
PID 1612 wrote to memory of 836	1612	iexplore.exe	27
PID 1612 wrote to memory of 836	1612	iexplore.exe	27
PID 1612 wrote to memory of 1980	1612	iexplore.exe	29
PID 1612 wrote to memory of 1980	1612	iexplore.exe	29
PID 1612 wrote to memory of 1980	1612	iexplore.exe	29
PID 1612 wrote to memory of 1980	1612	iexplore.exe	29

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://schuleneringerfeld-my.sharepoint.com/:o:/g/personal/a_kroecker_fv-eringerfeld_de/EgNcpnzxPVlMveCimbTahBQB9CteuHEtQGSWAgthGr0Ucg?e=LIPXiD
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:836
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:275462 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
f3e8f90ae2a5d95998a9c89b1874854c

SHA1
dd51456215b439e8054744c8739529730178dd0a

SHA256
d775819d6fb3e4f5c98701f579a767fd92a12c3511c4fa24c4880de458e69f1d

SHA512
aa38cec40a8765265cd9d9001f734c268cdf2e3f5ef7e79ad43f16799dea16ce1685cf01de94840bc30da699bac27f4dfe27326b879bd188fad28b2e20b1036a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d24061cff1d93e74ab1ce99e67aaba6b

SHA1
015e7fcabc62d9ea0c4bf110bb01f282083d90c8

SHA256
0e15a2c119c85d09899c3a1360cf1449953bfea7ca1d58927f4a6cdb0373b2bc

SHA512
5ac2f9d593ae3190886915f23e0fc52afbfa3f64184daa74b4e7c4a09cb26a24424868af2f4cdf17962099bd15a5560220cdeede64f1365fe92575119b5d7711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4719fde6c1bdbd50032da333bb5596da

SHA1
d81e4ff88736e7a99289fac86aea5405f37d9007

SHA256
4550acea2ae8631cc5f47620d198327ce310a68bd04e8d39a7eb95678d0ee450

SHA512
f71bc58618aec6d0383db02b2d3445585bbd652dd91557d36e9a5c993e49c2046dadcf4ef9059cae24a19a8cb42ac52416511da3789447389fc0a23d7ecf2b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
12KB

MD5
5032b6d1fab3ad345d0a3e62beda4b12

SHA1
0faf7df8f02ce9240753bbaa4ae86f9f0e60ead7

SHA256
6ea49b81760a76777c1508d405d9647367b116e1f4accdc2226c0ee552c6e4a4

SHA512
e76af1ce10a7e1f92e093e6891e2eb8393615797ea257beb5e32059e8a61b3d0f6ffe63735366f71021f37216fc25622e574b154103653568d8fbf5c41f5fa41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LH5UZFNN.txt

Filesize
606B

MD5
2514f9342dbbf46b9da8d1a0d6cbcf46

SHA1
4a1cd2347731fb0d141dca11cf9bced07adab544

SHA256
f1439f76438296a1344e6e38aff8ddc89af090c073758def665296f4693d35be

SHA512
6d6232698fcf252031a742a2e14a4844a7d6aa6c92d9c082f75e96b7fae698807ab2a001269967c087995428e3ee5903ebfc1eb929ee5cf630ef946f7be31210

Download Submit