2a6ecde72991f3e1dba3d49106e26237bd95a505cd97d0b5caea59723e6fb28e

Resubmissions

21-02-2023 11:28

230221-nk4hrsge2v 10

18-02-2023 02:18

230218-cq92ysaa6x 8

Analysis

max time kernel
156s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x86/Acrobat/Adobe.Acrobat.Dependencies.xml
Size

298B
MD5

7bae8b27f113f2c1bdc4181b99117fe9
SHA1

541f5fa5fa52885e0068a6b891537f254e334609
SHA256

dae02d5688314c66f9001728eeff6010e8af413867dfe4982b6b2c66625d9bb1
SHA512

803342e6b91c444128e3fec7e8f64757ec3531e4e4efb5e00a7ae4d7b1fc1cf1d4a42d20b1d986c1a4090567abee79be657983253bd9e8cfdd121a5cbdfc0849

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600e1d45f045d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a00000000020000000000106600000001000020000000b18bbd79932d49db697b7aeb670005d39b3a2103a94481ba2095274949492560000000000e800000000200002000000089e657fbc551de5c615eb08a7a83b9734a8f11d39c96011d9440e61f6edf3c37200000004537bc748ef6a118ac845c85a6636910e704565912f2ad16d6ca7b50e1afd4d140000000eac5a4cc46d0fd93505bf85450430903f791baa9e3b1a3a3624e02df3a972bf9b4c30ac081ad888b3cfbbd048230c768d10a939c801f6e861f40febf781e8626	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383747562"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a00000000020000000000106600000001000020000000642bde76f08862cdf26fb8768356567461290abd60cb1a9158d0d34f7eed7fc1000000000e80000000020000200000001cfaf8a4cb99fa45553e2510205cc4b7017b5cab8d09b78f1c62b79cdd93e69990000000e77bdb345c5332a58efa2c7107744e209456f60e63e6b89723afe8c8ba1f48301f46846ed073fe62a01dd912f16b0cb64beeb48fe4616b77b6f1cdd602c9890ffc8a680df5a8f308659ec0cba24b15612e1e8249639dd14d57e38ea9415ef7a733b1a596f2c9f4ff7e7328422c19173ab5057a6642390d075162aec98039c367b29f10c6dd9ea9d00a1a5169a2b7648440000000df8857702f1322906e2f09c5b34e37a754ee6ce83e66e5b449e08816e55fa434f050287fd6cdbad3141448893cd6e322db787e046336e042695c1d2f68ce6ff7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6DB2EAC1-B1E3-11ED-AB11-7621D5A708C1} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1108 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1108 IEXPLORE.EXE
1108 IEXPLORE.EXE
588 IEXPLORE.EXE
588 IEXPLORE.EXE
588 IEXPLORE.EXE
588 IEXPLORE.EXE

pid	process
1108	IEXPLORE.EXE

pid	process
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1524 wrote to memory of 384	1524	MSOXMLED.EXE	iexplore.exe
PID 1524 wrote to memory of 384	1524	MSOXMLED.EXE	iexplore.exe
PID 1524 wrote to memory of 384	1524	MSOXMLED.EXE	iexplore.exe
PID 1524 wrote to memory of 384	1524	MSOXMLED.EXE	iexplore.exe
PID 384 wrote to memory of 1108	384	iexplore.exe	IEXPLORE.EXE
PID 384 wrote to memory of 1108	384	iexplore.exe	IEXPLORE.EXE
PID 384 wrote to memory of 1108	384	iexplore.exe	IEXPLORE.EXE
PID 384 wrote to memory of 1108	384	iexplore.exe	IEXPLORE.EXE
PID 1108 wrote to memory of 588	1108	IEXPLORE.EXE	IEXPLORE.EXE
PID 1108 wrote to memory of 588	1108	IEXPLORE.EXE	IEXPLORE.EXE
PID 1108 wrote to memory of 588	1108	IEXPLORE.EXE	IEXPLORE.EXE
PID 1108 wrote to memory of 588	1108	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\x86\Acrobat\Adobe.Acrobat.Dependencies.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1108 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fcdcdc30d4536eac835ee5632dd7d840

SHA1
72fa0c84577530e567989cca35fe4017fa026ddd

SHA256
5e15ac6b7f03295db5cd72d79c15879a3b449dd20b319a7a85cfdb7c7fbe8875

SHA512
53892f5dc710f90be6a692d6c0ca0a003287066ebf6ffe7bdbc1a6a4859b42d572fdf3ec663ee01ac606b3387974ecb873e780e496e3553d66923c6dc6f3cfd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a3e6655a981c94d7dbd2dcf399a15974

SHA1
099b955f69d96ccea298b65385cc8f79bcd3e045

SHA256
19d54cefb2ce3563be36e8dd606a0fc818d774e1873ada83dec4ea89b143edb6

SHA512
86df54eb53dd07b5f4c158cd45923080b1cdbae908dbb226c96a7096642499a9a88ebdeea8c43821591db52ac0217632ba0a2c4f479bc4192a2810006619eb94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a9586e380bd342b0702bbe543db593fc

SHA1
3e8ea3c77891a8f90efce7016085bcc6356867f0

SHA256
d2f218a7cafb4abcd9170b2237f6a75be5416e061b4a453862321ca6d9f93e44

SHA512
3f4393991393d250fea513b36f80955f143ec74776b4362159464d6b4796c3d8302237dcdbaa24998bc31d4ce53d07649cefbe9e0761e6a3114afaaee768e9ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
05751ea805fe6e733d5674abb6a6556d

SHA1
c182b4642435412d981567ae3b615e17f25e928e

SHA256
523ebe828f46e02e369b4737c00016a3e3a2ba4747a8efa75754b6d4bd165c3d

SHA512
bc695311b27ba0d78702a54579aca304a2545ec42412511864374ddb10829664eb35c250fc0b0abbbade9905ac1baf1aff563ff32d095dae0c417c4844063ca9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d39ad246456f2cdb10b2013f5e1b28d0

SHA1
dd73507946d5f5a54aca7a9aab7934abc7a44e99

SHA256
bab1c934e8b852da4bb2539c9330c8755e18adec79e12c6111a0ad94d01ef034

SHA512
f71debe8ac38e716ab27d654f9d495fbb75835551923eca3485e6a095851c4535ae8f367885f888b902dfdf31284ed80879a585f2c2e9befc6916e7a31542147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
82d2e4bb9b350a238ed7c217ec3035ca

SHA1
0b0f70a4ce7417b4858ed0520dffb10ac1d3e943

SHA256
0f6ef5a73d4cc85dc2f50b95627c4ea2460efbb95c440abb43e21bad0f38cfa7

SHA512
b1cccad21b71cbd0fcf2fffd9064a57af0dad6b69534f7a54c0e0668b2718d40d2777a5742943baddfb1c1c2d830f334082ea2291790f20daa3c4d4ae8fcd5d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5fabff9f16b8301a86d0fe99a5a1f497

SHA1
abbae44b4071f55b6fdd3aaebad0d2abf9d68bb3

SHA256
3b67d64dde7ffa3193b0e021d07b6263cb5e9bec808aae2157dec53a5a03a8e3

SHA512
e27808e05c2467e3f0bf23abebb48f6415d04a4e6fcbccf4af6040e11132a36a4eb14a29f0b06312503b61998e257ce45eef4744e8e82f7b7ce12fb22dc64b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6144236ab2fa6836bcb9dc3f383e8a01

SHA1
14252878edf1c85159e70eaf92dc2723538ffab5

SHA256
f118450c3160ea5c8ebd61cbeabc4582bc2806e639c1e2a845a960de5caaf577

SHA512
07a09788d6f1f81e93457bfbc76a3065f66719963a943c8f95614dfa2896cb22539ab331a2e3d33621b7c6e58936cef1c49854c1ebec5c13a5582aa9b0e92ee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3a558bcabdf71b411f1dae17b14ae81d

SHA1
5cc2deaabf2ea04586e2bc31b192d0a03d7417b2

SHA256
da5a2ede47bad624be497eb0f06730e210d3e2127f70d062ea1f06c735791622

SHA512
0768539254c2a144f76c475e96f1b327cbaa07174c69f757077e7ad7a2e7293aa86794ae9f4b0c48be5244bcd6893f46a162875341cfb18e5176b33e3f03701c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFOBZ3YS\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9012.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar917D.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3WNS1E9M.txt
Filesize
600B

MD5
d4e780d2f45d07bd6b76e17a7eb2ffbd

SHA1
8f051b42a537eca30a3ac92d3e85cc4777c63115

SHA256
a040197c74882809c6aa0c0677eb75fc071da8468c3b3e01d185dac04c2bed65

SHA512
8b46612f7315b06957d9eba6fbc12cae8aac58f23846e9dc0f215fe1bbb21f91e43b5cf4a2d0f4bdf9a59869c0556c7adab78d420ffab5ec93b186a718fe4579

Download Submit
memory/588-55-0x0000000002990000-0x0000000002992000-memory.dmp

Filesize
8KB

Download
memory/1108-54-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download