0f0eefc7cea45d05d3a7b9f05c4e902bd4508b286e460c046af3df417c32d841

Analysis

max time kernel
134s
max time network
227s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
08/05/2023, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZModeler.2.2.6/ZModeler2_profile.xml
Size

99KB
MD5

cb8bd8f398b11602a2ba4653f6c0d44a
SHA1

975b2d57cd935a2dd88eb5ebe4728ec3397d82b0
SHA256

ac33897893441d59a0ac999a134f2dd64df3ebdd28953fbe9caf7ecd03240041
SHA512

3eabe32c704a39c420b9f6ce22d622f3facd2fd33f93847bdd667913701d5ed4f541eed7cc864b43ab2a67d8bd66916cb8099fd94c857e856bd898e12972ad70
SSDEEP

768:Mv9v8xEW71fkWXm2tj04/oZXzGJgNoZXzGqArNoZXzGN6iNoZXzGnxNoZXzGFjuX:MyxEW7O2tHoKB9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390335776"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "390384361"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2738165623"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31031771"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31031771"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31031771"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc000000000200000000001066000000010000200000006b78f2c9f24f88fb112855a6c377302ecbeff61f5972f3588cd1ae2bbc776513000000000e80000000020000200000004b57614b0dbf46c51e85fcf8c50b9e089963277a732113c586cfb91ed9a61c5720000000e5cf2d33bdd9c5623c9bea47b17cbd37874d56a260859d01c59bfb3b66caa5f5400000001508e5c859f2950c1b0f5ec11fdca2a00e0c69773cb2c7902a1a22dd202bd9e8deba6e54c0aeeaa0f892cd843785944468736f0023a619984a836c8974ae36c7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2755979479"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 704b1fa6db81d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "390352369"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2738165623"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc000000000200000000001066000000010000200000001e46fc21a375c409184a4df21673ff7e963cb66024c9b28a76d924a6d23da782000000000e8000000002000020000000ebeccbfa2a487d2daa9ac77b0e47b92ac0ba825cc5579f3f5e14a8727e1ae0b220000000d116ab815f556825b971f21266416faf88160c1b4eb0844940fb15daf3127fd040000000e740c98c461bdd1236117034a15d99d182a1658b59143d5624df3fd97bfade0acbdc156cc5c7af9acf55c40f2296875a41dc0437a977df573ff9ab68b7ae72d0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b00c05a6db81d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE51F407-EDCE-11ED-9347-EE854B86F7F9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1436	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1436	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1436	iexplore.exe
1436	iexplore.exe
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1436	1104	MSOXMLED.EXE	66
PID 1104 wrote to memory of 1436	1104	MSOXMLED.EXE	66
PID 1436 wrote to memory of 2080	1436	iexplore.exe	68
PID 1436 wrote to memory of 2080	1436	iexplore.exe	68
PID 1436 wrote to memory of 2080	1436	iexplore.exe	68

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ZModeler.2.2.6\ZModeler2_profile.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ZModeler.2.2.6\ZModeler2_profile.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
14c5e436db29ac7db9301c7374ade89b

SHA1
1edbc68541a9f7fcee30b0128b50e8ff551a4a04

SHA256
3aa77b97fbf0ad97b71967f6324c99f34217026515d4d6583af5705c514e89d5

SHA512
16214d49c04a0bef7165ba36f98262d78b1600bb4afdf82f004d04f302692f28c3bfe457be36da5fc62c7a27a8b3d94073d2d8069a3aa506cd40f85574e4724a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
40980804d4cff442a746314e69e7e2a5

SHA1
71c68021c86753ab3a05bb450a8348c867bae96a

SHA256
9e2846d966b82a9862e538dc6e2502333a331d34342af2d949b0189ac5dc9060

SHA512
98b9c6af9905776ec3635bfabd31ae0f1a88019067d72919ba42683e329540e40dc0383c1d0deacd4be5744ea14f866632e176603b8328c1e8c1b6d0582a6319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTLFUYWG\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\53YPE1ZD.cookie

Filesize
613B

MD5
389f91bd4cabcc57d933fd955c5c24a9

SHA1
c53d0902c7dd53b5e11bc81a685130eaba8a1e84

SHA256
53b88807253df2096a8af97b30a80e3fcff1512fdd22c8205dd86eaf0c69b6fe

SHA512
c5cd46d8b09c959d9c5e57b16cbe90fe0200d5849ff6c909ce64b51ce1abbac64a5d4f33703d1b3bfcd79a886f18ad62d498317e1b227680d5d2751cc4a1ce3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\L7I5WDLE.cookie

Filesize
613B

MD5
412b552b50ea5452b79b05cb769d148b

SHA1
f5e6478f875572b56bbb5c2907e499c941f33d5c

SHA256
83e172e490a32b0dbe78e0ea53a92af5bfdf5394d4572eeaa27e59fb546a2c4b

SHA512
53e07140726b25a6af2cfdc1de812c78bc604eea11867c9c72d785e25382397bb54e430fe518c43706ef07f7df3a9533c2c9c8ace0b518a564eeec030489485c

Download Submit
memory/1104-124-0x00007FFD5C4A0000-0x00007FFD5C4B0000-memory.dmp

Filesize
64KB

Download
memory/1104-126-0x00007FFD5C4A0000-0x00007FFD5C4B0000-memory.dmp

Filesize
64KB

Download
memory/1104-128-0x00007FFD5C4A0000-0x00007FFD5C4B0000-memory.dmp

Filesize
64KB

Download
memory/1104-127-0x00007FFD5C4A0000-0x00007FFD5C4B0000-memory.dmp

Filesize
64KB

Download
memory/1104-125-0x00007FFD5C4A0000-0x00007FFD5C4B0000-memory.dmp

Filesize
64KB

Download
memory/1104-121-0x00007FFD5C4A0000-0x00007FFD5C4B0000-memory.dmp

Filesize
64KB

Download
memory/1104-123-0x00007FFD5C4A0000-0x00007FFD5C4B0000-memory.dmp

Filesize
64KB

Download
memory/1104-122-0x00007FFD5C4A0000-0x00007FFD5C4B0000-memory.dmp

Filesize
64KB

Download