37527c641bc91bae5fdba37aa6fb8c3152c5935ceffdca4299071775dae589ce

Analysis

max time kernel
26s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Canva Pro/Data/Packaged/Utils.xml
Size

1KB
MD5

73e051427246dd4ca45935b1a4bd7e2d
SHA1

7216f05041252f1c3a9d84aacdf84ef62f1a1045
SHA256

b7b8b412ab1e4f32da8a7cd42aeaa6e7d8d340cf14977d3e87f7d8f5eb689b0f
SHA512

3fc10dea91962244389214d189c141466f5630e99b01af5761738ce884df14050cd08a43802dc45bbe9117290c34143b85a75694b6301954b51972180dca1e36

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1A98A34B-B26E-11ED-9EF6-DAE3AE61CC88} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1988 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1988 iexplore.exe
1988 iexplore.exe
4680 IEXPLORE.EXE
4680 IEXPLORE.EXE
4680 IEXPLORE.EXE
4680 IEXPLORE.EXE

pid	process
1988	iexplore.exe

pid	process
1988	iexplore.exe
1988	iexplore.exe
4680	IEXPLORE.EXE
4680	IEXPLORE.EXE
4680	IEXPLORE.EXE
4680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 3564 wrote to memory of 1988	3564	MSOXMLED.EXE	iexplore.exe
PID 3564 wrote to memory of 1988	3564	MSOXMLED.EXE	iexplore.exe
PID 1988 wrote to memory of 4680	1988	iexplore.exe	IEXPLORE.EXE
PID 1988 wrote to memory of 4680	1988	iexplore.exe	IEXPLORE.EXE
PID 1988 wrote to memory of 4680	1988	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Canva Pro\Data\Packaged\Utils.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Canva Pro\Data\Packaged\Utils.xml
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3564-133-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download
memory/3564-135-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download
memory/3564-134-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download
memory/3564-136-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download
memory/3564-137-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download
memory/3564-138-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download
memory/3564-139-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download
memory/3564-141-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download
memory/3564-140-0x00007FFEFB830000-0x00007FFEFB840000-memory.dmp

Filesize
64KB

Download