db17bed97f88ab81ffe9c630d97c2c8e0d43e5f64e88db9907c964d3d8dc22ac

Resubmissions

17/04/2023, 13:01

230417-p9mrzsfh6y 1

17/04/2023, 13:00

230417-p8p6qaec52 1

Analysis

max time kernel
61s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2023, 13:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Paratlan.hu.xml
Size

192KB
MD5

976d679b1e7fa82a7c7f4891593e0cfa
SHA1

16953643538ba58f29248eb8cfe24b2b51528e9a
SHA256

db17bed97f88ab81ffe9c630d97c2c8e0d43e5f64e88db9907c964d3d8dc22ac
SHA512

bf16e1d0f7783dfa7c6454bd20c903307ca9ef22d5c7513170c02e42d5e07c9ac9e4fb857850537a15b54a13721e0e74fc5ace034ff70f7ac19b6d07a9da8859
SSDEEP

1536:1IJBLduvtUgPZLxDjoTg1xkmjur1duPXa3yTkcx7G/jIM4rvihBjEaIEbLpn45uA:+LdTH+C/sM4rvw8EqWLCid06OOvk

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	iexplore.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DiagnosticsHub.StandardCollector.Service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DiagnosticsHub.StandardCollector.Service.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{93496820-DD30-11ED-8227-D22EDD327857} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1750125038"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1750125038"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000043ab0815aa05d92c059ecf5abd5eac52ef9037aec7f58b78f81d6c2be13eab0000000000e80000000020000200000009b85403e4ca4ca92d2a29a7a54118e11b60b21a496ed1a75c65d2a26557c46a1200000005176980de0eaaa75ee66fa12f8e5d03e1c8e6fd5a1559036c3f6d31e1247d6624000000048b596ae2eaaa1e2903307384a9334d096f3955f71e73460210504228251874fac7a04ed21564cc10cf84ab370e096edfebc569a87c7b7b799981d0066fa1216	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1968734622"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31027517"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ff88693d71d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\SuppressScriptDebuggerDialog = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009acbbc286be63c4682a409f320de94d7	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31027517"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40839e693d71d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000ae3c250681cf341483c18f04b8334d44ede2c4765f56b147171a8039f25494a2000000000e80000000020000200000001f03b5a01225b43294db67fc9627af5299fa8edcfe28aa7a70bdca16fb1ae506200000005698164807517948fc8221f9c170b7724e65e0c0ca3bed1836b31249b343becc40000000311581652ceacc1557817ab0e24d6cc0f76a37976de3bccb8294272d4ce9923a4f2b8f71ae822f905a698b6f5d19637cd347e5bb882ebf938eb61919628a0c12	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31027517"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4576	DiagnosticsHub.StandardCollector.Service.exe
4576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	4576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1392	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1392	iexplore.exe
1392	iexplore.exe
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1392	2472	MSOXMLED.EXE	82
PID 2472 wrote to memory of 1392	2472	MSOXMLED.EXE	82
PID 1392 wrote to memory of 1984	1392	iexplore.exe	84
PID 1392 wrote to memory of 1984	1392	iexplore.exe	84
PID 1392 wrote to memory of 1984	1392	iexplore.exe	84
PID 1392 wrote to memory of 2104	1392	iexplore.exe	92
PID 1392 wrote to memory of 2104	1392	iexplore.exe	92

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Paratlan.hu.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Paratlan.hu.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1984
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1392 CREDAT:82952 /prefetch:2
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    PID:2104

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
c5eac463d1d45a752223572efb1ed5b1

SHA1
649fd8bcc3705d81012acfa09c56b92280220168

SHA256
93ec76a088937fb866ca3347ae719da9cf3d6a12d47711d6f548c7be9d827150

SHA512
88dbbad2ae7d60f1166dbc26fd7ea7cd958e30744b6fe0f2ee158bf28025dc753544b28c06b2e1e492d9ef725ad8926fee0c37569b0e902d549864496e1d843a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
bebe4ae1cfa1c80b92fff3ba3f1d114a

SHA1
22d168779bdf6d3d66ccc0c922f24bc512477f37

SHA256
10f8ceb2963926f2712232ae7ec2eb98cc4bb3c99f8e29db46f110b12cffe665

SHA512
900d2327ab3665e268a06e9e2dc21eb23ffa562f5f4052aeb4198e70ba777c45e1a974e299b9a7723d218741e17a78b455ad2db94a61d33ac554aaff496e4ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\F12\network\settings.json

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE65D.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\isDebugBuild[1]

Filesize
87B

MD5
70f25a5edce5e20d870ff1c98a5ec5f5

SHA1
5fe33de0c8cb6d65f794c4dff0bfd5bdb15a7073

SHA256
ae2cfc14f884e61f693b00ad0945f372face67b1fc49c6479502cefba3b82e9e

SHA512
e4db4b122bc436edaa2dc810dbe1b0d61a5115e01a05b8e4f0874e639781b517b70ba5a80e1df7176aa612917c05ea10c06fc8114a8caeb00b38b7b01f8dc34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\plugin.f12[1]

Filesize
160KB

MD5
fdf4a73ffdab93e3a0422b9d2e252ca9

SHA1
c969911ecf2414e17fc16c1a15512bab79842d23

SHA256
26c3f906421451fb7a86d275288c9ea0bd6810959812edb6564e0c23f76702e0

SHA512
569c53094876dd65556a824416bfd0016764205ebf6e61c87529445d4c619860a086895a92f735089da501b96e5fb3361279f9731f5d46c56695133bf8318b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\CommonMerged[1]

Filesize
572KB

MD5
9ef197a076681c3d4c5e7a1e07cf15f5

SHA1
350d4ad02899f3838e4ce3bca3a13deb496c5509

SHA256
a24521823149886e4ebb47b4c8bdb7859985683ec302aaf941872b8d2852bebb

SHA512
6ca063a22f226421c8c901e659a38180f5198a12af7a8d380d74de1e2fcfb5bfb892cda88770729a2367f2b23e5a1bfc34cede0fade20c4dc13e0391fbd41cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\controls[2]

Filesize
22KB

MD5
cf6ae18a4a5a48e497570557391d7920

SHA1
ad9ce2ad74fd0bcd5fa998cff895168ada13a1cc

SHA256
993700d10307ac3485ea71e01c49dd2abae6360a5f1406e03e91c7a6532fc591

SHA512
43e9e37f8de63d2131e3159471a8a7765a08a4efbbd1505a1fb1dce4a85ca2e7e1391a241b2e01509f69b5ffb183ab488d20341a5baace00cfd8d753d3955e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\plugin[1]

Filesize
411B

MD5
6f65b6608be4e65166d660fdc450fa60

SHA1
91862bd34ab08e3511b7b7f1e71baefd57c33016

SHA256
7c56cbab79bd396e31a1f2a0891e23aa7d49e7a87c3bfd6d7ca445a095d73b9d

SHA512
38fcbb1e3f5ac1fc959d7509b6b1930d6ee5e3284815ca13c2976501ca8f00fa0b5661d9ebb76e5800ca126b3d0564626015e45e7beb401ba42c99f4d6230e2e

Download Submit
memory/2472-137-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2472-141-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2472-140-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2472-139-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2472-138-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2472-133-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2472-136-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2472-135-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/2472-134-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download