86bfeefce2acee5d39d7bb93461eb5f93a81658579ceb4c8346bb77977f15ef2

Analysis

max time kernel
105s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-03-2023 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/share/icons/Adwaita/scalable/devices/phone-old-symbolic.xml
Size

3KB
MD5

c590272a42d82da3ba71308e7797f858
SHA1

c26a5aefb08445bce6dae45f1ed08616ef4e3288
SHA256

9c6eb1e6a94abdeccb4aa3573e11676bcb58b0e9eb63e6862b4fed9d1b375300
SHA512

569061e43ac1ab1df720d6a5e50d016735bb203622188673f036359215de5fc0980aa62c3ba1888db443841c103f4c0a55a99294d57a4900b95f6111d9647288

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000a3399b0ace6e106678e68eb7987b4c72b7e92f197af37dac054abc4a04c87c6a000000000e800000000200002000000008343f03a59e520039e769dda31195a651bf5281d73993f309c310bd2b04b6df900000006c155d49ee80fbbf348b8e1dd4219484ad37d7c2f421df659cd53fc1a4ebf27fb348c82f176db7b8809095a15da66608285fb435ae90dbf6e5a549b6c6282988c6f7f0fadc6a6834281397118afddd173ac5ed10bee9fbf93ae1ccd633ae03c44dbf7af144800e3d4ff8e5c955f97ee9ca70d83b60cc792375d3cd6e427fb8fcae416a0a0c9adbbe09339fadd12c233a4000000002f10b81721c9115979202438c33c7fdaec269b33a97bb89250c5bf667529ed7072d361a4a9ac9f3a272ef5232c12239805b0978c077913ec7644d36c1544673	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD4ACEA1-BBB0-11ED-88B7-F221FC82CB7E} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7071e393bd4fd901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384825303"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e20000000002000000000010660000000100002000000064133997e8b5d2284a979985827aa791b23a3c043686254a2ce013499f3b0332000000000e8000000002000020000000dad39b892e84197044a673ee8d28a0f3961d59f2813155cca55b67c28e75864920000000ed3f975c0bf3ba5291f70af214266bd6c565199ad8626aad5df2658458e0e67c400000008fe071c4d43e4aae57bdfb86184d7d56fdfed3e911a38e8d739705c6438b12d77765be110ea1f9cefd7554c530097c894754ddb5ccc7e9f76ea4ce08f7e924e3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1236 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1236 IEXPLORE.EXE
1236 IEXPLORE.EXE
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE

pid	process
1236	IEXPLORE.EXE

pid	process
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1744 wrote to memory of 1232	1744	MSOXMLED.EXE	iexplore.exe
PID 1744 wrote to memory of 1232	1744	MSOXMLED.EXE	iexplore.exe
PID 1744 wrote to memory of 1232	1744	MSOXMLED.EXE	iexplore.exe
PID 1744 wrote to memory of 1232	1744	MSOXMLED.EXE	iexplore.exe
PID 1232 wrote to memory of 1236	1232	iexplore.exe	IEXPLORE.EXE
PID 1232 wrote to memory of 1236	1232	iexplore.exe	IEXPLORE.EXE
PID 1232 wrote to memory of 1236	1232	iexplore.exe	IEXPLORE.EXE
PID 1232 wrote to memory of 1236	1232	iexplore.exe	IEXPLORE.EXE
PID 1236 wrote to memory of 1704	1236	IEXPLORE.EXE	IEXPLORE.EXE
PID 1236 wrote to memory of 1704	1236	IEXPLORE.EXE	IEXPLORE.EXE
PID 1236 wrote to memory of 1704	1236	IEXPLORE.EXE	IEXPLORE.EXE
PID 1236 wrote to memory of 1704	1236	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\devices\phone-old-symbolic.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2f58988b990dd1970689a6ac048dc1f7

SHA1
8952bbe7513e9846cdff022c4b0bcac0172db87d

SHA256
9f3016692092a4d3607f815248f856d8e898ebe4c642e40c51243077b1b682e0

SHA512
75e64fcba1d6e60858c9cbd4027c17e0218b6d8e9f451a1409207ca19d9729290b088f78f2bb1d3d6f0c44ca4ed98b6f83f9e011e197bad66229298bc29c5fc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
399626456f334e9e35389fa521f53c20

SHA1
8c29600cc05f96de5b582bb9b6937fbb55f33f56

SHA256
81c6d6092241ec9110c4e530594adc8afc337d9ad04aed633d8ebc607eda7263

SHA512
c98d770a099638175ec737f8419f8724d68e8e2eead075ae137a19d2f59a7c015fb1f6b2205403b98772cf88df38430f8d5c34ea4e7960be67972ff26feecf24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
467a5b73cc5eed6c0430a21daff4cb62

SHA1
152560490d48fbbf2039f3a39f3cf1d32642abed

SHA256
a57135074896d4aab1464fbfbbfeb7dc0b055b691b9386f7855d158c94261b73

SHA512
1d070799061abff2bcc17bca275deeaa649faa06157c3acafdf6bf2647b2077da2f5ce090050987a90cee8e5ab67d96dea42c4dfaae91ed75232f698432d601f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8764a1a6b03460e2d1de484f1ca12a74

SHA1
3b85bae6c2ebc93fc0e13ab408b7020e024dbb66

SHA256
40a7f36205c34ea0fb12cac8bf85d0d52f44f9736d5ea7c3922efc7606251d89

SHA512
83155dc5c6668d4b8572bec562bc58142a20ef5d1a5c315c8dc58087a9361e93ee7d21e458479dfc18eff60e35353f9f84b9b2197a5909295f62cb2bd22f1117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8408757eafaff4be070fd7deca98fc8f

SHA1
d691e028050ee45d21800b6f095a91dcff302e23

SHA256
95ada078b928507372dca3f9f3ed1fccef28153391d6b6bbe3213b610eac9c00

SHA512
5f7774fadf76ee6ced0e943e1accf9e0c3f4876ac062d20061da417852791fe1df631193d405d1bfb0750ac0e176ae051e55f991520ae4a0d7600b4b8d54aea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bcb949b8149ee835b206aecbd7ae3a0d

SHA1
188a0b577c1870ec17d5ce74f6713fe506719e22

SHA256
c104534bd354f07ce88c5065f29396a0d3a2ad06ba2b0cc2f928694f6bb9d625

SHA512
64c568d7cfebdaee16a54d6663c44bd8d78d564ac885d1b8391ae918d91d5068345df26ae129a964a3aa2ad47afbb2bda00d0428c1754176ccd39c9d0b0f8627

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4e85afd59be84d0bb9e98f006dd8906b

SHA1
74184d66fe6fa7ed8e5dea30b081eb5a65497145

SHA256
90a74b5ddc01b553ebb1c07a05e6645738dcde1d2a3d2fe69f0dcc2460447675

SHA512
93598d221bc7bcc25ec1dffb2613b1000491bdaea249637faf4bff12827bda648d2e305c50b2be260a667df84246fb65233c2376f65d4ac6625724bfe21cff1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5090f751ae55e82fc3b1fa003bab1b38

SHA1
71a65e7322e228d5ad540a94fa93463924d678ad

SHA256
91114f68eb944be6cff9907050bedf1cce31940e8e5bc40f400a7f2cdd825c70

SHA512
0a5ba8b31867d4baa9209a7fcd39cf0554690adee34137f0f0a40147ce8036a0fa42b4151f5881da6d88f20327abf18edd7a82855e17c758b45600b84c19ba6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0f57b27ed1c58f8dd8974583093a1efe

SHA1
954099944ca6725035017d6b58ee01706bb7fd57

SHA256
273fe37c959c6e2540859ab74e09409f78dd635ee9bc698ff782a85be1e12aa1

SHA512
ac65e8d2124d091bdc28219b0989d4cceccb8eba84ad6e21f257ec3496e596593bb8e43dbc0bdd6932cd86cb245ff86cb22a386f5ea07805c14fe2619d9ad570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab89FA.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C24.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KJ6WO7S1.txt
Filesize
606B

MD5
710b62e72f307f6cf761efc88dd850f7

SHA1
992aa0ac9ecb9684626e3c3074a888b8c420ef24

SHA256
84fa176ef355d001294ab3906ce584e0f5fb4cd3c225a839ddf25438af155749

SHA512
51f3956fe93d24c9010a50859417ebcef2c6e0574a3933d5cfecab2827288a13b3cec124c94b2972a04aff7b308e2abb2e4d82c553b08f5ceeb349488833519e

Download Submit
memory/1236-54-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1704-55-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download