hxxps://github[.]com/SonarServices/Imag[.][.][.]

Analysis

max time kernel
32s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/SonarServices/Imag...

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "64"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\News Feed First Run Experience = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "43"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024692"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "46"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4073047460"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024692"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "23"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "2071"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4073087331"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "23"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05158f13466d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "23"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "43"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "46"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "43"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "46"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "2071"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "2071"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d00000000020000000000106600000001000020000000ab68bd22fb15488f1369901e7d1a705cfbdd591ef19a5e89734e1271ca3981b2000000000e800000000200002000000034a2b5e9c06ba80bfe65bc98c83d3fe300742fd7e835078fdf2a3a37ac29069e20000000ec68c9aa5f026d1d724b12a3730e123006c39147072e6892aa01d3dc0957b1a940000000707fbeb2a9080088972c3dede9f1dba96a2ab03c359c45bbd061418c29aaae99c2b3d326b413e3c9749c635cbd3c4e90a85dc152c230f5e88a36b0b525a9436f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1DC2E88E-D228-11ED-B7D7-EA1737350EF8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4544	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4544	iexplore.exe
4544	iexplore.exe
4892	IEXPLORE.EXE
4892	IEXPLORE.EXE
4892	IEXPLORE.EXE
4892	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
4544	iexplore.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4892	4544	iexplore.exe	84
PID 4544 wrote to memory of 4892	4544	iexplore.exe	84
PID 4544 wrote to memory of 4892	4544	iexplore.exe	84
PID 4544 wrote to memory of 2440	4544	iexplore.exe	91
PID 4544 wrote to memory of 2440	4544	iexplore.exe	91
PID 4544 wrote to memory of 2440	4544	iexplore.exe	91

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/SonarServices/Imag...
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4544 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4892
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4544 CREDAT:17414 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
8b82e64a7691fb70aec48c12c37eb312

SHA1
96084b73e24ced2adea93695f71a62092771ce79

SHA256
5e1b36f0cccb94221d862d2fe35c892d699d397a87f74f18a668a57ba7ef8d5e

SHA512
36802e6043f76d717a376d762f84e89be4bf5b6675bcc662f9f768dfe6487582654333ede1f871cadaa5b5120ad5147ca81bd79b5092623d38f1fbf4037237f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
b361be2c15ff7fe631bb78da68d03614

SHA1
2a3d9586cfc668118f62b1548db36d0c1d494113

SHA256
29e6de16bc16d88218ee1617fdb4eca2e9924e905408992c4f7d48233051b44c

SHA512
d7357d0bc5c8ee32c08d88917c3df10b831453344ec04a8167f3357c9cf4b4c24ad16e54d26c3d51ad5eee70ec9026c1ea63d8febff07d7376cf9342615ca99f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
115398e70f2f9acdbfa008a1e36c228f

SHA1
d96857fe7fa210305b2f0bf5ca9d78f9e7ba90c9

SHA256
2edc53fd1240c26fc733465ea3eb8464cfdac485f2cb68a5037d52154be3dc2c

SHA512
c8423658102cac6b25ba418063098daf35c867c407313c13774f999a117d0e2b5cf5657b935075dc986f9b9ffab3dcdec4682b28d650cd8f886e5a5b84647e00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
8629765a46970d1203d86e1cf49adf30

SHA1
5a18badcf94eac983d55bcde8dbc90d86242034d

SHA256
ad1998637f40619b270ea0351dcde70d0dd1c3c5a6a77a08e1e62b7fe0b6904c

SHA512
5a27eeedf01195ac5f58737574aac6ded4773ae1102863ad5ea2f0c7d61c6c6db2ea910af7df86f8d56d05a1db5572ba46067f53f42c77536e25f795ed31207d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\HFJ8GEAK\www.msn[1].xml

Filesize
361B

MD5
899e6a3dee2e41791494845a0fe7e377

SHA1
b78fe94fcce48a974f878563b905983fcb4fd9dd

SHA256
ee8441ed369d13213a919154413323a26acf7bdca6f79bb40c5d2b56c3bc9846

SHA512
e6bc7a095130e4543bf62868c7fb6d3d81c0e7ce5f01649036e42424b523c8c28a146262e629d92425cd8567f4522673f6cbfec8c68ba8e676a905fa72fc90b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\HFJ8GEAK\www.msn[1].xml

Filesize
3KB

MD5
ffcf9d60f4b2c8128b1f113c6567ba2b

SHA1
bd6a0d05a6b0e612d0a05ff189de084287b3beeb

SHA256
8a4a6da786787db8dc01f6e0338ccabc444446ba6e9783c7bb6d09b75c44f726

SHA512
f290448094e00b5e1eb57e45b620e119a913da2ca143c4630afd024b74b205382079ddb16488b59c6a90d03487728a279077edfe511c0a3e73de7a9d72f4d748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.dat

Filesize
34KB

MD5
3f8e80184f268d5c9e0f82eb1c25cc7c

SHA1
7621ae95ab0c5daecebd6068edec2499374dc665

SHA256
c44fa0d4707f48708bc321909ac34b2e67add64933af9171339cc581e74844fb

SHA512
2ba1325a302f605b6345c3aab7552a491adb55e972b63acf257db590a7c45d3880745906ce9fb297e5ab5550307c88298929fdfe853649c3af6f682cfb7a6700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.dat

Filesize
34KB

MD5
3f8e80184f268d5c9e0f82eb1c25cc7c

SHA1
7621ae95ab0c5daecebd6068edec2499374dc665

SHA256
c44fa0d4707f48708bc321909ac34b2e67add64933af9171339cc581e74844fb

SHA512
2ba1325a302f605b6345c3aab7552a491adb55e972b63acf257db590a7c45d3880745906ce9fb297e5ab5550307c88298929fdfe853649c3af6f682cfb7a6700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\kernel-a9509dac[1].css

Filesize
100KB

MD5
1f9ce2a5856043b3a3910f5fa7366aa1

SHA1
9d86db46ddbc7440d5c81d6bac746ff2afdf266f

SHA256
6c4a421bd4a8251bb6ca8d9591d44a40619375568ff2b3eda48c5e6ffeca0c0b

SHA512
1b9d5e4ce34b821e1c05335449ed00b6f91868ea3d59b63eab52d425c0c0b70ef90d1dc36b75389ad2e648f6a6eec86f7e9e339b760aa8c33cba9b09f556af29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\jquery-2.1.1.min[1].js

Filesize
82KB

MD5
9a094379d98c6458d480ad5a51c4aa27

SHA1
3fe9d8acaaec99fc8a3f0e90ed66d5057da2de4e

SHA256
b2ce8462d173fc92b60f98701f45443710e423af1b11525a762008ff2c1a0204

SHA512
4bbb1ccb1c9712ace14220d79a16cad01b56a4175a0dd837a90ca4d6ec262ebf0fc20e6fa1e19db593f3d593ddd90cfdffe492ef17a356a1756f27f90376b650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\Favicon_EdgeStart[1].ico

Filesize
33KB

MD5
7fb4a1f2d92cec689e785fd076ae7281

SHA1
f3477f75f8d14dd3bcf5f50176f8cdfdcd3944f5

SHA256
8ffb08e22d8848b0dc64e13ef43a5db913a3b4c112f67b0346f1508f2811aeb1

SHA512
bfc68283080028dd1b93bf28600f2abd8cb3c375c6433649972485e027b6d72e81535221ff2c89c2e5b255dc24ef3a1db28129a95eb872f236ca624f1ca9d02c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\kernel-e08e67f3[1].js

Filesize
283KB

MD5
463d2e66710fcff44d3915c12caf5335

SHA1
e80a0fa3e359ceafa2a80f5c84451d951c6b8947

SHA256
824531c3073f6d80180df9e58f1574f2609ffca984faf66a596ce39bf39fc72f

SHA512
277d83693093525f07cf9aef0754e31138f518624c84ae634fa8eef40f7e789fe90f08c010c100d40bf9e0bee60e29aab429cf98370b102801df9f35f311c4a4

Download Submit