710a21082a7c7325b6d24b9d1f8d6dee613c0850738d6d2d8e56b8cefc8f1a20

Analysis

max time kernel
116s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-12-2022 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

var/www/html/tata-pravesh/public/images/login/www.scarlet.be/customercare/_fonts/myScarlet20170504.xml
Size

14KB
MD5

0e55270998fc0c67aa140fc2cb9117e1
SHA1

be0b50a0d2d306f15fd81b97a3a22384ec15b54a
SHA256

16954b97a5218be8d0f5bf0a96db937ed436ec395ec6a28523d6cbe31850e257
SHA512

49d4b74d7603c1645566efe54dcd5084a3273229ee96389cac0ff6eb18d22d930e531505edd73b73d8d410d94baf676e67f832faad915850b86069b872d0df3c
SSDEEP

384:TWHLM3ZLBFNRFOdyN15FzfIc0AFqrORK9+fbtbnehCqXjhK7K:TmWpBFDFdFfIsUSRKYRDwpXjhK7K

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d2b65cd36901e248bccf11b6baae1b4a00000000020000000000106600000001000020000000c50d7211f56779a7468c86972acb071b3b68a4ea81365318744f6233c16d8d2c000000000e800000000200002000000070b1fb5ad19aaf0b896e90455fba3bd171ecdc15f7da3836801137736e4a1a7a200000003f0787365449037372e1a28151e7a0d67a539514315586516dbd395606963c3d400000009b1f56509d91e603665ed5faec7b11a94763ed0ee00bc95b2fbd596f7a96423cf001b6ec5d591ec9006cbd968ad73ed8ff8a324e78f1ee6ad1819f60847e8a9e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "378639385"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d2b65cd36901e248bccf11b6baae1b4a000000000200000000001066000000010000200000007dccaeefbe7c942bc22048964aecbf6528b40f5147fa9e939afa4b9b49ddbee5000000000e80000000020000200000000764a01a1f56c599084a133569d42e60eb189008f58343228772b4d31074804f9000000089cab2553f3ae57a9eb79c8cedbd7636bc6391ee5edb3acf91389ca8fa7a307a42b760dd22848cfb7da2a51065203c203c6074ed00efd4311cb9a899e52c3b7bd07489109004545ac56a9b6893e9ff273201083b2e7518b3dadd3fa4157b13b012b213c2b83e6fe480c97364aaa4338ef0b7ad94bad5a7ae077fdacb8222e734789156069e6a3ace6af3ce7d404c242240000000f3399de901548df99f5da5c4ab0ff57a6ca7f4a8b4ae9dc64d17e144603c12acf902c7cadb0c264660c22810342e1514f408004dd58bd42ed8cf71ecb614a30f	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ceb1d17a17d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC622DC1-836D-11ED-A6AC-DE5CC620A9B4} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2020 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2020 IEXPLORE.EXE
2020 IEXPLORE.EXE
1728 IEXPLORE.EXE
1728 IEXPLORE.EXE
1728 IEXPLORE.EXE
1728 IEXPLORE.EXE

pid	process
2020	IEXPLORE.EXE

pid	process
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1444 wrote to memory of 2008	1444	MSOXMLED.EXE	iexplore.exe
PID 1444 wrote to memory of 2008	1444	MSOXMLED.EXE	iexplore.exe
PID 1444 wrote to memory of 2008	1444	MSOXMLED.EXE	iexplore.exe
PID 1444 wrote to memory of 2008	1444	MSOXMLED.EXE	iexplore.exe
PID 2008 wrote to memory of 2020	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 2020	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 2020	2008	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 2020	2008	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1728	2020	IEXPLORE.EXE	IEXPLORE.EXE
PID 2020 wrote to memory of 1728	2020	IEXPLORE.EXE	IEXPLORE.EXE
PID 2020 wrote to memory of 1728	2020	IEXPLORE.EXE	IEXPLORE.EXE
PID 2020 wrote to memory of 1728	2020	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\var\www\html\tata-pravesh\public\images\login\www.scarlet.be\customercare\_fonts\myScarlet20170504.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UH3PJOX2.txt
Filesize
603B

MD5
de0749397f5fd58b538d4fd46e9477ac

SHA1
007ce99fc127e0a28e47eeceb91a0543d5c504f9

SHA256
c87a0de99150c4dc46d7ba9965672100b07c5ac899697d273b0e1add4e60ba37

SHA512
6d15a9e903ed37bcd5742f7b6e483273b89aa7bf8a1086c03b610423307dc551922b4bc81613d2153a83211b962f05854718cc31a6fec9fecd9b857f9088710d

Download Submit
memory/1444-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download