40415b1bc53572d6d1f47d64f6b14e27a12b3f016f24f3fa3fe3244bbfdfe5cb

Analysis

max time kernel
130s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-03-2023 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/share/icons/Adwaita/scalable/status/non-starred-symbolic.xml
Size

6KB
MD5

e27ddf9ac9d222009698c91755e91f37
SHA1

df622a2877b04d698ad39b89f1e2591635c2db1b
SHA256

c602b20c7b60b3b5aa554237bfa371ea484acf7b8a7ba64da23dbaafe5733e5f
SHA512

5cc9cdfc2d20f9c850299cdb121e4986422e835a25350df09ae1a9cdd7b9b02f11f549e61c57a4a697f357f9523216c745a21ea347d1ea5370da9cffa445a01a
SSDEEP

192:BkY3alv39nhwtVN6fF6Knqi3Ec+5ddWcQaVG2WWfIUjFaK:aYGtnitXKJUcC0xaV9V

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384570770"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E9B6F61-B960-11ED-9640-D2C9D0B8F522} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408381e46c4dd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000307f9c861e51add5d3a1815aa18778a5eb4e203ffbe52d7d25badcfc946f820d000000000e8000000002000020000000d3feefb1551d0e30eaa92cc992e6fd95fbc0f6e25786ed6045320b9a8bbfd497900000000c7c5db2d033d27a9cba8303a53039ecea0410ff56ac73e7cf6bb0e9ffd10c178516ce0afeeaba7fa893a86dbcba301ab740780896e100067bf8e5a77244354c23370997b028c09dac5a3153d3ffbe7abd833becef97dbd4eaa08782fb4b14be71bc80cdf7550f03442e0f8255b8f39481592f9a56ad75b8f93a9916613abbf88ab74a94f54b2cb4a4eba35d8ca4221240000000480ee1f6a580c324edadada7b36cc17f0fa4e7cd26581966f9f185e35c65d17a5a46f6af6bc2596615f23490c47f761abc6e8107e64a1858a3e3087b198276fe	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000ce33dd7206730eb2999777241db87f81b985e516d780971cd6fd89433a109fd3000000000e8000000002000020000000149aa40c12a099879a79b3445533084dfdd4dce69ccecb5f6ddd0df452d8ead2200000002c60be03d3921eabf8826b4ded3f55142f827c190b4e39f41d5ab0c4a12ad5ca40000000f2f164622de733802a8fcf4e380549632517dd1fc03d5ab41af546c68e8d1a51e4c54012041273867990b6c7190ae6e43cc7eb1fe6b38ffa38f52edf4514ee0c	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1184	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1392	1096	MSOXMLED.EXE	29
PID 1096 wrote to memory of 1392	1096	MSOXMLED.EXE	29
PID 1096 wrote to memory of 1392	1096	MSOXMLED.EXE	29
PID 1096 wrote to memory of 1392	1096	MSOXMLED.EXE	29
PID 1392 wrote to memory of 1184	1392	iexplore.exe	30
PID 1392 wrote to memory of 1184	1392	iexplore.exe	30
PID 1392 wrote to memory of 1184	1392	iexplore.exe	30
PID 1392 wrote to memory of 1184	1392	iexplore.exe	30
PID 1184 wrote to memory of 1716	1184	IEXPLORE.EXE	31
PID 1184 wrote to memory of 1716	1184	IEXPLORE.EXE	31
PID 1184 wrote to memory of 1716	1184	IEXPLORE.EXE	31
PID 1184 wrote to memory of 1716	1184	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\status\non-starred-symbolic.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6e1305d1eb6d24ed5a1dbc1c57698f7

SHA1
9853177de4fe235be6885c3c8ee02f832b9cf06a

SHA256
edb6e18cbfcc3f644048ff2d85fed1377a03413cc69cb6f6baa2d5e2b57c28ed

SHA512
9b0674acedf448b5fe019f186d220a450c9fd4486a91aeeaaa8107751da203e167abd195ba99d5265b32c6b042e1bf2083051f05bf819bf0690788dda56506d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38002fac2919321bb0a2955a69581481

SHA1
08a73d243d157d3b3d32ec8a08a1983452747100

SHA256
e65e90e74c28d7c5921b546f42e5523093234c0a64bdfce79382fda76747478a

SHA512
4d325e0b2acf6dd89c301c3182d8a209a308b1bf13a59b5bf2e2b877caec10e822e37f8cf66f3b9a0160e7ec4c562ca86eed9a51f2854d6df5031381148279da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c41ad649b9f3080c65afd74f51e0d235

SHA1
d9c2fbfe41dea96e3be5ec1a68b42e03b641cc11

SHA256
fedbf20a8d7fc594233a3c8c56a48f10e228702bf3e38a66bf8874e9c0fe82f6

SHA512
a7034e3dc428e41d6d708e1af4ee2f3b74a30a376090a91cb7f78de2a9afd7eb9ccf0b1e3fcabcecd7f3d6c8b24f07c1f2ed5b5d2807aa0eb10341827318f28d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94190fcae15fd7300cb443ddef12a6f6

SHA1
17af3207d8224fb4a48ad0c44a1bc42a87e37384

SHA256
676d2c139325fcf6739f18f80d949618c53b72e7185c9e1322b184377c5902af

SHA512
e4fde6f55cfee4c094a940dc36e45d2378b750e8230b967912b7a9c15372c148442385920f969a331ae4bee529fecee987ecea3d1b04f4fa4489b348ba0a1da1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da3b31d2a9a54ef0a7a4bf8018739aa7

SHA1
01532bbd603c840cbf35b5b5cb1e509b4efe438c

SHA256
f7c196c0e624e7d52e8704de83bcee7987c50b48223bd0cf8ac6a533326aeac5

SHA512
1cf45811b895d06d8974421afcfc76a6228dbc69f196b657a6d39644e195558696760ff994ccc568d0d7cd14b3ced59e447ce46c3cea4d9e9bbd1a7881217b7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77366683b075c7ba87a5cb70d8b5ca9f

SHA1
debe9912fb9efd0fbf03ca9e705efd56de25ce44

SHA256
a139880c2af5afbd9a3f68295e74af720a97a70d7232efcd155ea223aeb22908

SHA512
4348abbfa95c29d97f874910368b456c54eb7a17b6673bfb9641fffb4f4afb453ac70d6d460dc5d72de9b0f213ac01ee4ce0e229e8d030847c300d44b719502e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb0dfcdd1e644be0ed1d30f0a848c8da

SHA1
d2e64fa03c17b83a1a6a219cd4db31da42dd67b2

SHA256
473977f9f8e917606fa6e47105ee0bbae178fed66c698f58833a4b17951fd138

SHA512
5f0d0afb0623190865794ffc266b21b2c14cdf91996c979776d19ea8c2278fa4b4d83ed007c498f32ec701163bcfa742285b4164b13db5ca718a7c1b0b29bdbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb0dfcdd1e644be0ed1d30f0a848c8da

SHA1
d2e64fa03c17b83a1a6a219cd4db31da42dd67b2

SHA256
473977f9f8e917606fa6e47105ee0bbae178fed66c698f58833a4b17951fd138

SHA512
5f0d0afb0623190865794ffc266b21b2c14cdf91996c979776d19ea8c2278fa4b4d83ed007c498f32ec701163bcfa742285b4164b13db5ca718a7c1b0b29bdbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4208d9bab3b24819f4830b1451931522

SHA1
347886a901077652ed87701c790373cfcafeb450

SHA256
bc67b34a96aadb4dd4013a03a36a789b86f5405b099837e89e49f016fde2ab5e

SHA512
cc0d0e0d95d4ced6cb2430086d9f24f2fd0fe8b063d7439d81eed708a59d51ee38950f5346bf0d3f01927ee6b72b1e40bd9b4dfa40b1a017fcf65ca3fdf609dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54e9adae2aad685d7b866b7bc795cac4

SHA1
91caefe2c45028635a49fe526cf3fffd4ffddbe3

SHA256
545c09b81c6c840a9713665e8b84f65d854b5542a43271880faeefca894fc17c

SHA512
c557963c44140fa7a34566465a8dba8a0a03133436713bbbd89719c659d2ce1d3ee34d6a38016a126fb00f34ec3c567fda178302fbc1c0a0cee1a1589f9be193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8D55.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91CF.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EXQ8OWOU.txt

Filesize
596B

MD5
0865db7dccdf273b49344e7bc3aed64c

SHA1
ab78af478c7fd292d3651a6e6f0f1b7e4bbc3511

SHA256
66f387a9a9006eb85f2e0258228550381d440b939dcaed6a5b6954f1e5b7c7c4

SHA512
794f0bb4a36d7bcf186cb6e6954d5b667b28c8404c861450b716e8dc1ff513c26dae2f3b565c9b932f209f33b4e3a0b8e00b16b5d82fb3cf0dc3af962a0bf56b

Download Submit
memory/1184-54-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1716-55-0x0000000002950000-0x0000000002952000-memory.dmp

Filesize
8KB

Download