40415b1bc53572d6d1f47d64f6b14e27a12b3f016f24f3fa3fe3244bbfdfe5cb

Analysis

max time kernel
108s
max time network
158s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-03-2023 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/share/icons/Adwaita/scalable/devices/phone-old-symbolic.xml
Size

3KB
MD5

c590272a42d82da3ba71308e7797f858
SHA1

c26a5aefb08445bce6dae45f1ed08616ef4e3288
SHA256

9c6eb1e6a94abdeccb4aa3573e11676bcb58b0e9eb63e6862b4fed9d1b375300
SHA512

569061e43ac1ab1df720d6a5e50d016735bb203622188673f036359215de5fc0980aa62c3ba1888db443841c103f4c0a55a99294d57a4900b95f6111d9647288

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000fcd732557bf3c0a25322919993911e1108e240848f936846c683d75a58e4fb9a000000000e8000000002000020000000929e979957edbdfd1f3027db8b8b4582dbc9e14d110b53f80efd6976f55a6e1e90000000dfc0bbfae316ea134419be83737ccd1f1a348558c4dd29e120b576179e4c0af6b21010557f551ab898868e808c647738ef4db7e866eeba869994baee6314443156ac8f8b228abfbb4c8a735b92fe4d33e9b862477f452566d3152947f7ee6dd13b2610b60235d8c85600ab7ca935e2e1ff3578105169f7a24b544779ca5aca60f81e7a28cb26e0a48569573d9aab259d400000007302e4a30ed70d13a041758e71ad345e5270f241d5135431f1510d1779502b71ef85efbe7779c220230c691a894934cb94d2cee4eb1af27c4531339e3fa4b013	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0EEC94D1-B960-11ED-A6B7-D6914D53598A} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f5cde46c4dd901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384570749"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000564c0849fca5596b3f37b5374349c0e07c349f9aa7f1ec7705f9f855b9703722000000000e8000000002000020000000cb221fc8254ef6009bd39a065d1ec4f44d33db2c77872a7851ce21a34917484a2000000001ad34589a936218c75bfb5642f551bc85706d1866145c44dfb2dae12312ee0f400000003766021992b863220693128eba314785b7e77ea1f640984122ebb46176b959aed0b3d66f57dec1c79c6fe04c753c98e860c19e2747d66e956436628149c2affc	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1756 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1756 IEXPLORE.EXE
1756 IEXPLORE.EXE
992 IEXPLORE.EXE
992 IEXPLORE.EXE
992 IEXPLORE.EXE
992 IEXPLORE.EXE

pid	process
1756	IEXPLORE.EXE

pid	process
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
992	IEXPLORE.EXE
992	IEXPLORE.EXE
992	IEXPLORE.EXE
992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1524 wrote to memory of 980	1524	MSOXMLED.EXE	iexplore.exe
PID 1524 wrote to memory of 980	1524	MSOXMLED.EXE	iexplore.exe
PID 1524 wrote to memory of 980	1524	MSOXMLED.EXE	iexplore.exe
PID 1524 wrote to memory of 980	1524	MSOXMLED.EXE	iexplore.exe
PID 980 wrote to memory of 1756	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1756	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1756	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1756	980	iexplore.exe	IEXPLORE.EXE
PID 1756 wrote to memory of 992	1756	IEXPLORE.EXE	IEXPLORE.EXE
PID 1756 wrote to memory of 992	1756	IEXPLORE.EXE	IEXPLORE.EXE
PID 1756 wrote to memory of 992	1756	IEXPLORE.EXE	IEXPLORE.EXE
PID 1756 wrote to memory of 992	1756	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\devices\phone-old-symbolic.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
917e751688755432b381c49665c24c8f

SHA1
8043654f7f8f771d4c28d96b2b254535b3ccda9f

SHA256
1219461f3df99e7af61754a6fc6ddeb8240718fe2fb627d4ede471f509a5f0d4

SHA512
f84a5b8f230b7baec804e85e10645aeaa97c37f8c2eb28dae920e3d10d5cfc8d409a2a71d14c13827c1e050fe8bbe488411402e7a7a17a8ea3360d82f3f2a66a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a23312136fdd594232a809fdb4dcf0a7

SHA1
87116c498c92fd37a642e4bd69d5c0cf39bff880

SHA256
0ff8af6707be4d91b5e75d45b17e2011d1142edf19d7ec0f785dadadd7a756e1

SHA512
e4e70f2690d8b9644a9a40c0e52cef60e6ce7f671ccdaa7ecb4009976e332cf9006dea6ca7ae44a78012e18878216da386ab2131d52f6079331bf3eff60b638f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cf3266388bb53e6873ad4cd214234f7e

SHA1
a47e7f40373e59da51661acf0b69c26c59d80c8b

SHA256
3db42d70c43db6824656dd1981706d8f5a73c238d12e43cac66338460560bf3e

SHA512
292984bb281c1cc73a8e508bde99f7a05b230b0a71b817b0417571c098a6bb67f4d3d4c6cba7f9c35d52ca82dad24dbb787eb17e69cace87e3adcab03265aab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
94a52ae07a63e41ad296182143a5b702

SHA1
5bbeba0edeb1f9ec6e115060bb23b13547809e7c

SHA256
a2c12a10b09555e07e4087c84009c40d53e4362d7914309cacd23e9b8bee5241

SHA512
e6288b5d23841a95d6cc2309032ff88974baeb21494917dad9a6abce42b3194fbde26fd8c594bd462a62477266d550b5eb7b780450fe5f3fd469f5983ac56ba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d9534c2c3be0b87b22ada74b86fc5fce

SHA1
9ecb3c3812db19756301132b5a517f98de11f7e3

SHA256
e57fc7e908f025c99b2955f23a8a361a52ca6a726b36a8a901043cf0eca23424

SHA512
9b3b70982d72bd79398a2a3493f545c198981ba315965726b6ac6f3416276bffaaea5881db32871550a642e884b86f4cf158497a9048abcefceece9d0b26e74e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4bd0284d7b7efb48acf1e853f2ec84b1

SHA1
01ab10840b75fd027de0f80c394bd6e34a76ff31

SHA256
4e1f15933fc5c82293b994c087f48dfc23da7e23a0c0b183d7a23a2821f1a4db

SHA512
0f7973ffed882c62490e25c24673e30e801efa73637e27bf525fa6111abd943859daf85196e87cde7a9df5e26d4bd2dc62b0025a43dac322f5b625cf0c81db8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7033c1ebae4f0458f228bdd95dfdcd8e

SHA1
2809f5f5c012f0f13cd28abff59143e2abbfe5b4

SHA256
fe83cc94c895556d5179931f254fc64e1a72e95d06d20cc739606a763c229e4d

SHA512
329b5f3d022810b9d01df71e07fae3b48598d947163b471bd1bddc6beb08d80644b85bb2284244fc312fed5a8d517e03f6fb95f2fed5eee3a7d953a60acb0bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8240bd3e036acbd9217c9ae996f3ca72

SHA1
0817b2d9f4db8c2907ad7cda31858eb410eba534

SHA256
f28c398d5cf632058522dc183b57a3634a2fdbfcd6802a1fc1c78b7e71d13356

SHA512
18a06c2233bb10e773b0b8ecac30f0db97e4ca7bfc0ecbd221ff8eb042496f5fa322585a6ce6b5aab5ec64590b2fb2597d5916cc3a6e89fb91140628f0f34901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7F8F.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar80BF.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GXENE3FJ.txt
Filesize
605B

MD5
e1b8b8568d1a915edea61e4d83bebf6f

SHA1
ae77005af375db6b8d93838d48d37f6cbb13b74e

SHA256
6783aa6781b9839530ca5f1117a049b27bf342d0212985ee61203672d1e84fda

SHA512
69340758adba6df8f59ad82979abab20ae86317aca06745867ce51ff04597bf72b56b10f8d7b62e4355714a4701a7905eabf628716c7943d705ccaaf2fa34da6

Download Submit
memory/992-55-0x0000000002760000-0x0000000002762000-memory.dmp

Filesize
8KB

Download
memory/1756-54-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download