41616f083f7346a0e16414ef24a9fc511e5018b325df0c438c723909b376ea55

Analysis

max time kernel
141s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13-04-2023 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlockMap.xml
Size

27KB
MD5

a95364b67a2282599dc18637a1342ab0
SHA1

a31ecf6bb5f51f39ba7cf4cae1955f89725d7b84
SHA256

59a695c87157ebadbf54e31bf96bd56ef183578e62c76b0e08d7e602a29db4fb
SHA512

5961c7763e2e4f1c104d4b55ed204c6fb7c7c76d8577cc8139c4fb1f1470dfe1366574026a633acca296e52e7910e86b84b75d610944f34fcf4c51d660e7b58b
SSDEEP

384:z41Bl63JfXTnaUNE6MpjR2KT6XKsyc9VAoVWZsRytMdD20EVe0DfzsVRzLc4yDmx:8jSfe2LM9/syCSoVWSQKfkUVR0K93

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a702c863227b745aefca3d2bb9571e800000000020000000000106600000001000020000000253819f1542a8ee00ae00e49baf8ed46778c4b5d1981fdc87acea16bbc6dc10c000000000e8000000002000020000000dbb91479140e5608ed93b11afebae67a1823f6dbecd587cae4363a2c9b8e079b2000000019509cbdd37564a288117f06cd080cdb62d7666c0ce811f5cfa105e27a74f3eb400000003a794a78a00ea882f7ddfb570c4ac743404a7b6d08d427bd961ab81566f99ff4415e57dc3dbf3025c2cb43e6a02dae04775bc52fa8afda238ad1381d3394da28	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026772"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026772"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901c58d5546ed901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388188809"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FEEE1C52-DA47-11ED-8E3B-42B3D159A75D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3555581261"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3547768250"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 707466d5546ed901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "388237395"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3547768250"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a702c863227b745aefca3d2bb9571e80000000002000000000010660000000100002000000029bc06c2e00fdbe5530118d6f9c725b1730abda787764aea8157233f336fb777000000000e80000000020000200000009026456d279d77b277d52039575254c87f74dd33104d083cffc67141f61fcd1a20000000e12ea41978bcb13a1777254c8c6615391f358cd61fbb6a3f9e4d80b746bade0140000000ee62528c82c50be1611115c833f6beaf36240d00812f932b5a166eeafac8d11802aa00673a5434e3cfb073f6ffc34ff40b81b453679f07f42c23074632d5af6e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31026772"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "388205404"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4164	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4164	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4164	iexplore.exe
4164	iexplore.exe
4412	IEXPLORE.EXE
4412	IEXPLORE.EXE
4412	IEXPLORE.EXE
4412	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 4164	3664	MSOXMLED.EXE	66
PID 3664 wrote to memory of 4164	3664	MSOXMLED.EXE	66
PID 4164 wrote to memory of 4412	4164	iexplore.exe	68
PID 4164 wrote to memory of 4412	4164	iexplore.exe	68
PID 4164 wrote to memory of 4412	4164	iexplore.exe	68

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlockMap.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\BlockMap.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4164 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
dd25eece262055fa2e7c798da8245627

SHA1
7f8dff5bf53fc2a6775d657cf30e43c712333a5e

SHA256
67d71d2d39ee7819764bef14658bb14d434a0969010f4a63936a478e55441637

SHA512
268aba5ef911eb1dec777fd52bbe230adceefae7b6c145e41d1ab4531b6e3f2858141325d4da67422078181fdf7641df475bb68384cecb334a3c24bee62676d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
91dcbe05dc6687fbca2b9b0ee3175788

SHA1
d856a00adc93caa8411c95b6bc413b770be30c6e

SHA256
5eb93f41d877635b23f310e14ef319208406c6e85f63c1499f996a4ef3c6fbbe

SHA512
0087b6e0f8f8d89e31b0f927e06d0e823b445f75cea77b6cf79ac23771942ccc6b40915c033d62f68b3e443083036dd3c23dbd6f89829e94fefdd79f4ef80a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B1FTPK9F\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KYJR4Y7S.cookie

Filesize
615B

MD5
3732c580b9239799debffa2424b19cfc

SHA1
586f21a73f5b5d502577a03fb04975a7dfe182f6

SHA256
268444ff5a5066a5a1d65dbad74a744bf94d45b4873c0ffef60ec409b1cf16e4

SHA512
c10f97e2581e22763856665982250d268931d1d096101a2e6b30be4df5671c59a0d4dd98652fb332f092d07a33af1857ceaa54e0e77300166cf7de32db12f28e

Download Submit
memory/3664-119-0x00007FFEACF40000-0x00007FFEACF50000-memory.dmp

Filesize
64KB

Download
memory/3664-120-0x00007FFEACF40000-0x00007FFEACF50000-memory.dmp

Filesize
64KB

Download
memory/3664-121-0x00007FFEACF40000-0x00007FFEACF50000-memory.dmp

Filesize
64KB

Download
memory/3664-122-0x00007FFEACF40000-0x00007FFEACF50000-memory.dmp

Filesize
64KB

Download
memory/3664-123-0x00007FFEACF40000-0x00007FFEACF50000-memory.dmp

Filesize
64KB

Download
memory/3664-124-0x00007FFEACF40000-0x00007FFEACF50000-memory.dmp

Filesize
64KB

Download
memory/3664-125-0x00007FFEACF40000-0x00007FFEACF50000-memory.dmp

Filesize
64KB

Download
memory/3664-126-0x00007FFEACF40000-0x00007FFEACF50000-memory.dmp

Filesize
64KB

Download