86bfeefce2acee5d39d7bb93461eb5f93a81658579ceb4c8346bb77977f15ef2

Analysis

max time kernel
161s
max time network
174s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-03-2023 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

publish/share/icons/Adwaita/scalable/status/non-starred-symbolic.xml
Size

6KB
MD5

e27ddf9ac9d222009698c91755e91f37
SHA1

df622a2877b04d698ad39b89f1e2591635c2db1b
SHA256

c602b20c7b60b3b5aa554237bfa371ea484acf7b8a7ba64da23dbaafe5733e5f
SHA512

5cc9cdfc2d20f9c850299cdb121e4986422e835a25350df09ae1a9cdd7b9b02f11f549e61c57a4a697f357f9523216c745a21ea347d1ea5370da9cffa445a01a
SSDEEP

192:BkY3alv39nhwtVN6fF6Knqi3Ec+5ddWcQaVG2WWfIUjFaK:aYGtnitXKJUcC0xaV9V

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc4589900000000020000000000106600000001000020000000724ea549e128e7664a7e3e9ed144a930d6b88674c0fec4ee048e91b08ab3cab2000000000e8000000002000020000000918a2003e3c968163365bbe1abcd922eb35a4484779acee98b54b74463b7b0e890000000edbfd351c1c31b2b5383dd53436183a48e9d5d8056e09f443a87ea96723e60be23f14f650218c076d62dd75dc620c086408348af2f8daab443129e1435c195947a77a579d6db43ae7c47b5f9eac4ae573aaa7aad00b283c8cf56c2f20480761092bf241190be1fce11a11e0a9d4e70b9595acaa1c3fa4985e460e0f4dbcfa2319531cf7f367d8d917d393063ecb1ebff400000009a26856ab0f1402bd14137e77b8be382e3c6f035bcada0bbe9c73fece65e6d0fc47ffe79f08bdb5d57143719e58ea5e654d5a83ec148eaffd680d15741731fc7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc458990000000002000000000010660000000100002000000053e6178a997ed95d53316718b37ef8c56b358bfd85ba07fab6605614df2124fb000000000e8000000002000020000000209b7808bc29a8b954c48987c60b2d164369a3ffd6af597fed15ee047a429c5b20000000fc924a37d0e5c7578a20c6c8887a30633fd9c658c003e9c5099125f99c0f3a1c4000000065903340a0944973ba54e81a0ed129e74f218defdeeae8b189c2ede1f5313321e5192dce6c51c8aa6816fca27dcc80fc23cbd04b26debb2e71f4ec2d66111b71	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C1C2CA01-BBB0-11ED-A9BE-F2E58DC6BB35} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384825322"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e07f8299bd4fd901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

684 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

684 IEXPLORE.EXE
684 IEXPLORE.EXE
1760 IEXPLORE.EXE
1760 IEXPLORE.EXE
1760 IEXPLORE.EXE
1760 IEXPLORE.EXE

pid	process
684	IEXPLORE.EXE

pid	process
684	IEXPLORE.EXE
684	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1992 wrote to memory of 572	1992	MSOXMLED.EXE	iexplore.exe
PID 1992 wrote to memory of 572	1992	MSOXMLED.EXE	iexplore.exe
PID 1992 wrote to memory of 572	1992	MSOXMLED.EXE	iexplore.exe
PID 1992 wrote to memory of 572	1992	MSOXMLED.EXE	iexplore.exe
PID 572 wrote to memory of 684	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 684	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 684	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 684	572	iexplore.exe	IEXPLORE.EXE
PID 684 wrote to memory of 1760	684	IEXPLORE.EXE	IEXPLORE.EXE
PID 684 wrote to memory of 1760	684	IEXPLORE.EXE	IEXPLORE.EXE
PID 684 wrote to memory of 1760	684	IEXPLORE.EXE	IEXPLORE.EXE
PID 684 wrote to memory of 1760	684	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\status\non-starred-symbolic.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1c8aed70629360d0896d98ca42b7c7dd

SHA1
eb3d46c36941813046af463b17d87ec790e2234d

SHA256
45fd5fb0e4376f757986c15ae49053d325b59583c3f948cedd1c065d7c17b8ef

SHA512
691cd6da68df949e022fd11b72ca453c8b0ff8cb7c29ddac73261e2a5832abfde74d6491a697d8a8b3f8f7a09d30ad153e1c96185938d6f93e6b9a0cbd4df38e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0c9735e5ec664611bc9b32361d16f5a6

SHA1
736691997d641a3f97a1731a9ad1b789fc7c06ad

SHA256
72b3a7b080ad105217803f844718b83eba8b3862dfdcc8e7d8825e0024a0c0ce

SHA512
4bf9ffdaa66176c7a2f3407a52686f4b884985e617e497789c0bf3a715762b2f4630cca1b0f08d31aaf20c38a213c331da417b8bfccccb3902359f7e8ba36ebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
226d72c26b64b816216637b1e94da68d

SHA1
a590a6aaf70244043ed4d4f69a558ffe2bb63932

SHA256
97322c1d9c2137e89dfcb978a32f5ad4155f3c2d3d5ee4e06fb07900705ee256

SHA512
bbe915dfc046b02ab4af62cb3e51cc118b82e9b8f23896dd480108703b3f21db60606c04a8b1ccd747310ff51d762ba2554d0cfc1ebd4be99fc6d1ba38cd9da7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5885ecac1ce1fb197f3e10f34e231770

SHA1
65d189e1c4d1092596fcc81bc27318e2fc67286c

SHA256
2782b4628ce88b8e972ce54a6c6ef343e09707ddd54571ca261a3d1f12e672c7

SHA512
8f6cd0d97eb7d94bcce2bfa9c8d20256e6c80a10417e17fd2bb568a841889e6df15411d4f836b98bd06f60a6ee75d63202d70e3b73ae673c667d8e06cf69a01c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0e9cd63fe2334d7d7ba384505b76ba97

SHA1
150dd8d619265ec38acc569886190f512f2d2288

SHA256
99d3b61e075cf5a3fb785c7ab3612c773a2d50010dba9e7972015e08ac46da55

SHA512
500821e5b8c06f6b043211d1e419876b463fef427a3d0543c33caaa861753033519ba15d18da257805eb76a57ec743d3f79bc0f0c2b81071cf8f365775979529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1af6f80bda30102d88619fa65d5cd5b4

SHA1
b11cd7256647b108a684e83b72b0f0e0a9aac9a9

SHA256
22dad4f22464f95aac71ea0e454c6b8816a6727f6301f99d81d933c13af34a12

SHA512
3e6d8ba4301cc5412f2c035a95f566558790e89be96508e8645622bc18a048fb35ebf778da9c1cbdcb5b034bb3352915ff4865603163e738fcdb62ef9f3d6b63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
47491bc044d75b24f77934e2c46ae18f

SHA1
b9ce79ee4cb873cd1412b24bd67c00439ce866e2

SHA256
a4b89bcec953616389917846921619d685f68f6af577aed3285c77d3155fcbfa

SHA512
de761df8aaa47260362c7968527a2f536fc6bb2c24332d7805dc8caf4c2b8bfffd15669343d3aa3f867565ea636f4ef10a2a17d1874d9fae567c6d1134fff1da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE90.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC000.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I2MJ5R4N.txt
Filesize
608B

MD5
9f95febc0639cd4f28b438adf453d79d

SHA1
2b32b783bcbf019bedeedba4b702cf4fc6bd991a

SHA256
32abc2f5f5b1bb2c2a4ba4169b67f04a304b775bf2120abbaa4a9568d40b2798

SHA512
359625fa2a55c28ba90190b4df62acebb2b4e81ba3fbcd3d13df3bf30029ce91c423548c49c2e07fea285ccb6973d992618de1bd149c4f087eaa809295ae7d0c

Download Submit
memory/684-54-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/1760-55-0x0000000002190000-0x0000000002192000-memory.dmp

Filesize
8KB

Download