710a21082a7c7325b6d24b9d1f8d6dee613c0850738d6d2d8e56b8cefc8f1a20

Analysis

max time kernel
90s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2022 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

var/www/html/tata-pravesh/public/images/login/www.scarlet.be/customercare/_fonts/myScarlet20170504.xml
Size

14KB
MD5

0e55270998fc0c67aa140fc2cb9117e1
SHA1

be0b50a0d2d306f15fd81b97a3a22384ec15b54a
SHA256

16954b97a5218be8d0f5bf0a96db937ed436ec395ec6a28523d6cbe31850e257
SHA512

49d4b74d7603c1645566efe54dcd5084a3273229ee96389cac0ff6eb18d22d930e531505edd73b73d8d410d94baf676e67f832faad915850b86069b872d0df3c
SSDEEP

384:TWHLM3ZLBFNRFOdyN15FzfIc0AFqrORK9+fbtbnehCqXjhK7K:TmWpBFDFdFfIsUSRKYRDwpXjhK7K

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6011b4707217d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1870849773"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1870849773"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1879913582"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31004530"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7074aa707217d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9AFF1E47-8365-11ED-A0EE-CE8FEF2919E2} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31004530"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "378635768"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051e5be3594b9a9468c9aeaf3ed86e507000000000200000000001066000000010000200000005b8c124af966e3899788ff249575cbd6368b889d007615915bd41d579698eb3f000000000e8000000002000020000000c83ac87925446330089e8a698d2eff3aa75a4c70a260adaa8f8bbb9c00bc252820000000ff7bacde0cacf457141625edce4722b49dfa86577b13b821683279ef1528770840000000277d415485044a49ff3cf0de8503fd0959412590e07d1feaf9b26d7bdc58e43adf0fb7f2fdd815fc3f416b431155ec6da0c02665d50cb8a259974d332e1d18dd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31004530"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051e5be3594b9a9468c9aeaf3ed86e507000000000200000000001066000000010000200000009f90a7fbbbcda35ab06271790d6dc22465a614b2bd4487748de17a8d46e739c7000000000e80000000020000200000004d1fa35c43065d6c19f774bcd0eee3d23c6f3d8c8f647c45e290bbe6b32d0bca200000004a27ced4a3ce31bb5101477b50a558a10e2ccbc7d43de0a6fabb8c416866f99740000000debb11a4d0a35fa60a930b8b5cc7f63382e48e3159beed82758e7d5ff6658be3ca6734f55cde159f10a69c11f874f8b2d30f542478b8d26168baa153d65770dd	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1088 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1088 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1088 iexplore.exe
1088 iexplore.exe
3460 IEXPLORE.EXE
3460 IEXPLORE.EXE
3460 IEXPLORE.EXE
3460 IEXPLORE.EXE

pid	process
1088	iexplore.exe

pid	process
1088	iexplore.exe

pid	process
1088	iexplore.exe
1088	iexplore.exe
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 5012 wrote to memory of 1088	5012	MSOXMLED.EXE	iexplore.exe
PID 5012 wrote to memory of 1088	5012	MSOXMLED.EXE	iexplore.exe
PID 1088 wrote to memory of 3460	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 3460	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 3460	1088	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\var\www\html\tata-pravesh\public\images\login\www.scarlet.be\customercare\_fonts\myScarlet20170504.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\var\www\html\tata-pravesh\public\images\login\www.scarlet.be\customercare\_fonts\myScarlet20170504.xml
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
35b6b5a1266ffd7f45cb92dc368b2f1f

SHA1
8c6a245e00c2f517086b7db9a2c24e876cc79f85

SHA256
94904b4d34cd577e29be5042bb21d65e685047f3591f3051c2c9850681d53ccc

SHA512
bce75bc358fb0bcfba3c071e86634dfefbfbcd9c3cb1057d4e4693b0b19318ca0ec837e8a2d7ec9308042a71f49650cec395bc6a054d12e7da7564af2fccbbae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
45fb6f1bfb3578edf5e57338ccff218d

SHA1
db75cb18daa78292df06a15521bb58196d7880cc

SHA256
1f845d4a2e4dc72c895e0281cbaed3728cf5c56ec2a6fa7a0f887edb94928252

SHA512
e7eac110d85299cdf2029ee09c00319bd90cde0d45176a35b1fa57e5bcce0e196e242b3284b9d3b3cdfb25873780c5a831a5054fb98562821443ff57622cb099

Download Submit
memory/5012-132-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/5012-134-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/5012-136-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/5012-135-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/5012-133-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/5012-138-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/5012-137-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/5012-139-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/5012-140-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download