832654398d6aaecf7213b9b15c7c527054dd8d2a4ff14d368a657a5a1c53b2c3

Analysis

max time kernel
60s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2023 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gui/resource/dashboard/pd.xml
Size

409B
MD5

1aa4cc65f2dca0e7c30898f95be8ae9d
SHA1

ab14de28e2f72660b5c564635d21506e540166da
SHA256

d15006a463520f79ac41358e4ad8af9b7e71e5f32db7eaff47149940d129056c
SHA512

8093aaf540bd55682de1cbaf1c0cd666931f8ecd1aa1d9db4d78d7b7b395e4932a4fb9a2014b37c946aac8d695e12efa52e0a95f22c1bac3ca398ad6d5d1dda0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31028808"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31028808"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2691480005"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CB84D3EE-E23B-11ED-B7D7-62EB0CDC8974} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2703357300"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31028808"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0eb66a14876d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d000000000200000000001066000000010000200000001ef9ef17b196126c8be0ca6f886831a205990e5705b0906ea944e33563d3c89d000000000e800000000200002000000075798d202c6b6cdd48ee575a41f28a86d49b0e47d1ee064132f8e5176706acee2000000039bd632d45ebf726bfea558d7e95c740bea342ff6ef446f8cfee0d58c17b4ddb40000000975dc81792648aa30e52d1bb66a97b371a87555bd168d9bbf9f8293e0256201817d42e0d893e3fabebaeedc4f3e74942548f88b8d3a9d9caf76a18f40a5432e5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c884d0db6b01394f84d012a5eedc1d2d00000000020000000000106600000001000020000000fd9fe496d91f6126c7154b729f48ab988cca8abb7c293bf7f1e87ddb0ee7ceda000000000e800000000200002000000020b6814948ced8c7963e4ff7222e89303af25c5d86adce91b1c1ed8a4302c30320000000866ece28a2bea685977ceed3d2b8d89fa849a87333ff4cc4361ae4ff9d1b140c400000008eb5c5be3c1316afa469abdc9d0836dfe007532c0aeef83504420d0a21390e7d27e5918bc5955d6da6ec94db73d4b326bb5e9959161f62a35498526d935af6ec	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2691480005"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 104a56a14876d901	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1172	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1172	iexplore.exe
1172	iexplore.exe
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 1172	4280	MSOXMLED.EXE	82
PID 4280 wrote to memory of 1172	4280	MSOXMLED.EXE	82
PID 1172 wrote to memory of 1236	1172	iexplore.exe	84
PID 1172 wrote to memory of 1236	1172	iexplore.exe	84
PID 1172 wrote to memory of 1236	1172	iexplore.exe	84

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\gui\resource\dashboard\pd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\gui\resource\dashboard\pd.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
173a79e136330a70b71832e4563d1b42

SHA1
28b14a7bbe8a20fb082b36a9d2651e13fd1d14fe

SHA256
b3a892deb1113445e59cd3ef9ac10f02a8792652c30a2effe4cdc060bd71a03e

SHA512
b50efc28fb0d1731a9e337b531660c20c0d4046f2ed81e8085f5a9ca1c44b9960577fa558d729b48c8d3328f2599d1e27a19c4e59ed97125deee6a638fa2e880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
997f8cafbc9ad3f68fc3511312938bfe

SHA1
88217cd0591bb8a38952367f59a5f70d136da88c

SHA256
d367ac709eaaa3e3d3fe2436711a003fac8b985a14acbce7c81b4f55f9a2174a

SHA512
26b61c4eb0118fc5316de44a164d8505a5f1093680d18bb47b8e542e3b43257841976a1321fcae47bbba3fb796fe3cb3ce21b695c9d648960cd3c3c8c9a68a58

Download Submit
memory/4280-133-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download
memory/4280-135-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download
memory/4280-134-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download
memory/4280-136-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download
memory/4280-137-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download
memory/4280-138-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download
memory/4280-139-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download
memory/4280-140-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download
memory/4280-141-0x00007FFA94570000-0x00007FFA94580000-memory.dmp

Filesize
64KB

Download