40415b1bc53572d6d1f47d64f6b14e27a12b3f016f24f3fa3fe3244bbfdfe5cb

Analysis

max time kernel
147s
max time network
157s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-03-2023 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/share/icons/Adwaita/scalable/mimetypes/inode-directory-symbolic.xml
Size

3KB
MD5

1a9526bce4500770dc9da3fac276de77
SHA1

8e3be08d46567e15b0d7beb9c749ff361d61aedc
SHA256

4698902117a08b3a216ec9187382b94d85d23ba1230497b823bc4f0398301b3d
SHA512

2860804f3b03574b29679fc070f167cb7c4c5b69f7cd0352bc68f74c665e5075dcb543441bd424dac29b04205456f6d26ccab021b1bc879fd41a5819598e824d

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c000000000200000000001066000000010000200000002cf90b3fca31cac22dd8265c0b8cedf1647c02493bf2ab33aea36d7b56c49213000000000e8000000002000020000000f9fac14882b3b7a1b2b59e831dade76526abe7ee712ffbfd1146340d7b3a7dd89000000042daa72f7fd0f63d40b5164056dbea532c727742b6dffcfd1d775a6312e83965eee2e54b6975ee54474b6dc4df5dbe7322f71efbfaa338ad5d9fabf71d6236a23429e801578ed635a0e00e36f6fe1ea0f0a7e16a712141cf7f7e472a2f4ecbbb834a7667253b64b907b1b4e12a3db64e7e6aa97c5b73a9c797a0b3c8c7f5671d38e56eef6ab1918ccb34e8c63681546c40000000dcf2e4fccbe3c3269ceceb8052aa80ffcd9c61b7090ebab71bcdac3962327eeb804fa6ba75f33bbee2da6b179fbf41c316eee7f55d794911f95673bfb25a3c59	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384567151"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AEA37A61-B957-11ED-B07A-DE010D53120A} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c0000000002000000000010660000000100002000000031358b9d67f728b94af77599ca237092b90d3fbac83e1a47f37081aee3cca87e000000000e8000000002000020000000ec291046654769d60596df1927aa8aaf430f7479a42bd77589e6d67fe0c4e4b62000000022e39556e0048047ad43a946c799e3601d659a41fd4ce22b10dfa53ca8f6d1ec4000000066b7c942062f4d1aa911aedb9d277622dd1d25e9a52a711d0d1756987b88f1cb032bf21fd4d048a611b428430e58fc86ab8fc7103d3a6ad738e9bde63935f127	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8052ad84644dd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

876 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

876 IEXPLORE.EXE
876 IEXPLORE.EXE
108 IEXPLORE.EXE
108 IEXPLORE.EXE
108 IEXPLORE.EXE
108 IEXPLORE.EXE

pid	process
876	IEXPLORE.EXE

pid	process
876	IEXPLORE.EXE
876	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 324 wrote to memory of 432	324	MSOXMLED.EXE	iexplore.exe
PID 324 wrote to memory of 432	324	MSOXMLED.EXE	iexplore.exe
PID 324 wrote to memory of 432	324	MSOXMLED.EXE	iexplore.exe
PID 324 wrote to memory of 432	324	MSOXMLED.EXE	iexplore.exe
PID 432 wrote to memory of 876	432	iexplore.exe	IEXPLORE.EXE
PID 432 wrote to memory of 876	432	iexplore.exe	IEXPLORE.EXE
PID 432 wrote to memory of 876	432	iexplore.exe	IEXPLORE.EXE
PID 432 wrote to memory of 876	432	iexplore.exe	IEXPLORE.EXE
PID 876 wrote to memory of 108	876	IEXPLORE.EXE	IEXPLORE.EXE
PID 876 wrote to memory of 108	876	IEXPLORE.EXE	IEXPLORE.EXE
PID 876 wrote to memory of 108	876	IEXPLORE.EXE	IEXPLORE.EXE
PID 876 wrote to memory of 108	876	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\mimetypes\inode-directory-symbolic.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:324
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
baf08f44110dd6084aa4ec34586f4813

SHA1
da71a8485fb00f6f334b9e155997e0f2bd4daf88

SHA256
504d44cb1e9d02138d2956f14800faf439356086bff1702a649f2c5d926159cb

SHA512
cb0b52332ab127a461d65d32915cbd774b01c26ee7aefbf1465e17e0dd743c80f045829757f95875f6a410e7655751e95c5b25e4aa476db9e522a6388c545e8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a406c157d5224536adab513691972a7

SHA1
232aecd5be4bb92798f4a1adfa75a531f94c3a1e

SHA256
d853c7c01b46310abde78948c43c0caedac05da3740f051856d4a5673cec7a5c

SHA512
ddb589930e18777aed8321282d1e3ed394ca525acd17cc1c5f869c6901f75073562531bbcefc1421585a1a709c07d14e956a97777e87cdf84cc18cc9c5b2c0e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be1204ba2a1baaacdfa6cf219c346cde

SHA1
5956bee138712eca359ec184391a483c9e5ecdb7

SHA256
8e65f568dc1c31957eed825fd15dd5e3387233d172310eb36c1819b0477edaa1

SHA512
764bfa9038ed7f2ee55b8d6b6aaea6018666c4cfe1a9151d0214f4398e783421d8ed683dde57241435736e9010e0cfc7a62af67b1cfcabe4a80e9c837ace232e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
833a0ba43fa834ddf92e665aa57621ea

SHA1
b112acf15b4efc5676ddfe9e4016de753e0d9f85

SHA256
28ec80f1681bc10f12bc2c42a8f91c768c590babc2a88c50331a09653a0f181c

SHA512
73c50a7405b3b2472dca9509e3746a96bf64c7f341823eef344bc7002aec72e1fef1bbf2321114255db8b4f3cfbdde37504caeeec500f6dbbc305e68e93a4615

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f01057327ef0608faa34969f8fb40510

SHA1
dc2acaa39f035892a97ef9d94521b203dd19d206

SHA256
c1beb1ac26ae36ccd59497a27fda91ea9abb5946b4185e83db079b3b7251416f

SHA512
f48e35cf9985aefae3dd64f6cbc130a7639fe63935bb8a7c5e09b0e182d6929eaa81813f7c98cb9d20b25db309132b21102789a1fba725637b04e17444c1d876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd7c63ca5c40bcfac2f7b8636fe1f4d5

SHA1
2c19b25a953be87bb8fc003edda562fe4bda6c4a

SHA256
2044aa5aa3334b2958dcb25bb477e59e1badff42b891f4a52d369f228e7a78bf

SHA512
aea59a182cf874f9224822f414148184306b9bc4bcae52068d9f8df2959bc9ac431d685a02838976854c1c0c312c51b5b0c3c933ded5d9873064ce8072ce49fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a39e22aa47f99f77c8519806d012e73

SHA1
7fcb2e9a4afb3a9d9eaec2ee46dbdb2f319bf5ca

SHA256
6c6528b07ebec0fa6b6775191b60dc1e45f98c6293d3c7d3b62de450f8fb785e

SHA512
1ceca6bf9e828e3e5f70601bc67ceb0614e0c824633471fcfec624dafc09fcf34da37f0f45e5f1a91a3d431344a0d8b79a270259066d517deafcb9def1b6ff9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f120d487ae5ccdadf30f522b643393dc

SHA1
f2f34c55bfbf5e1c8814cb0e4467774b414adec3

SHA256
fe8b1f1bd1f1f78d87dd5cb2946b31eaef35a391b274b8d56e901455ec74d6eb

SHA512
c54f829314e9d72a22700d698d7f402b9f7dc0d0ab1cc27dab035e2e5a33034a5e2a1b136ea7f99cead71d19333108b89ab963e5a8c238bf565b4f1b2a0bf7b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70ebda5047921dd424e784083c792ab9

SHA1
7f404f152427116f05fa439cab1650aa6a330b84

SHA256
45f8834871456a028e05829863fd4f30393bb2345a9cb561eafc55440369e037

SHA512
ce1cde94ae149d5bebb406f45a573261446a0d517e8938e057a7eb191d271d73acc9f292e98da004486459bba4187d70508876d16b954075fb21b182b7b41e5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbdbdb00f06011a635811b0a141276f3

SHA1
b661c88160f0f67d902fd2e7edead8e1a066b5fa

SHA256
57a56d59cdd7df54bec858dd2ae238c6bdf6d4b1d3cd744bee10c3f2ff67f370

SHA512
335c696bf8783501c655c91de288528a950f14632dbb800b39699c25f78b2371ab2687c59af72c04170fe3e5b829a485c3a7b0e83bcdd894b7ce593d117c4ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD19.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDEC6.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CV0TFX27.txt

Filesize
607B

MD5
0a1095fd0abb528137ffe6ba92d49ba4

SHA1
5fe1939853eb69eb98ef51ef6d0caf5680f12557

SHA256
a26b8056187f8fb6fac53972a7155d6fefa4cb68f43806edd1e5da1ca58f8227

SHA512
518d5152932a639d4df224b881bdd377f676156c11d39fae506dcc7e27742bde85d26c86dbaeef8e042ceaaea48e0b80052b99eb5e763788568d16597f10dc95

Download Submit
memory/108-55-0x0000000003000000-0x0000000003002000-memory.dmp

Filesize
8KB

Download
memory/876-54-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download