1ef4aa23897477fad4e57aeec8370f5fbdce756efc26be3deae5123efdc86b9a

Analysis

max time kernel
145s
max time network
172s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
13-05-2023 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gd/Resources/WorldSheet-uhd.xml
Size

4KB
MD5

c74c1e852172c86a28adea23add021c2
SHA1

53fc5072c865f22ecbc0365f732d5880d3e05dda
SHA256

4fff531675cd2fab608841853b3d31cbfbeb0788bb33c5f99456d8c421136a5f
SHA512

a8713a6a31fb70a25b59521c598dba3e1af0bf7a05d696c65fc4204a2772de30ad327a47a54196f164a954a478c44e8001c69a41e3e8142c150d41f573045b43
SSDEEP

96:/y+SYkKO4LmYkh1Xke6Yk/NPPSYYkMAOm2YkMsM0DYkRRNsaYkTJJkhrLXZtZo6Q:aFPp

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0cb47aabf85d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CCAA02C1-F1B2-11ED-9CD2-7A574369CBCF} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc4589900000000020000000000106600000001000020000000813260379353aced1cb608f8879138f79cd039a253b497af5eaafc874385cf35000000000e800000000200002000000009177f3ac6678ddc13c04df834923c17fe29c17bfba9848a40005e35c0ec1472900000001e7b1a526316f1c89e2cc67221eb5549e05be450c05d96e1a79a099aba88309c1b5ed51d49cd65613492ec12f838cf4017f295212d1f151e1fa41fea1654a209bf38a59ee99a8297475ea2c39ae45b5fd3f3b3b7f08877f46f46e45d9ebc0178e6b0b182bec98062f47eb9457ca6cc469d054b4349046f98440b88129fb403d07133733371badcb769cb6907e24a9ce540000000a0fa621acb99126a128f818ce4a586ab28d6db97ee9df1ec9c556b5308adde08fd6d15d5b0e67a7d99b8955b5e6218ddda31728735b127a4c260347a7f05c4b2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc458990000000002000000000010660000000100002000000061859f5959ceec96eb2554660eb1a84f920157c4d969be59a98f990c4946428f000000000e8000000002000020000000cca51fbcfcc51cee24ab49ca25a2ad302b17306e823af6e4c51c3c74deddda1d2000000014d210dace4e7bddf11d424b525c47655875700f1cfdf65039fc7d0c33a331e9400000008a2c6598af71f5708551b4f40d1bc431142331076048387d4f55f22fcd7d3fcc80d1e1950f2348e5d5cdf8020c3e062ccfb42c2a7faae03645cf20fa2305f9fb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390763573"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

556 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

556 IEXPLORE.EXE
556 IEXPLORE.EXE
1556 IEXPLORE.EXE
1556 IEXPLORE.EXE
1556 IEXPLORE.EXE
1556 IEXPLORE.EXE

pid	process
556	IEXPLORE.EXE

pid	process
556	IEXPLORE.EXE
556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1300 wrote to memory of 1100	1300	MSOXMLED.EXE	iexplore.exe
PID 1300 wrote to memory of 1100	1300	MSOXMLED.EXE	iexplore.exe
PID 1300 wrote to memory of 1100	1300	MSOXMLED.EXE	iexplore.exe
PID 1300 wrote to memory of 1100	1300	MSOXMLED.EXE	iexplore.exe
PID 1100 wrote to memory of 556	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 556	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 556	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 556	1100	iexplore.exe	IEXPLORE.EXE
PID 556 wrote to memory of 1556	556	IEXPLORE.EXE	IEXPLORE.EXE
PID 556 wrote to memory of 1556	556	IEXPLORE.EXE	IEXPLORE.EXE
PID 556 wrote to memory of 1556	556	IEXPLORE.EXE	IEXPLORE.EXE
PID 556 wrote to memory of 1556	556	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\gd\Resources\WorldSheet-uhd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:556 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b9da81bfa6b8ff22e2f8111b23b95d2

SHA1
a01b5c35b75a0f5c3004e52b3a520ea8c7aab5a7

SHA256
668e540996f0a4273d07ab95e721cd7c79749849e3ee5b278a2cfcf72456f901

SHA512
b1fd74d8087024e492976da3dc37637522db51edc2b7794c7cf252a6ce8228bcf78d1bbc1cd69e7a9c6edf1167cbd313041c0966c5e6bfcf99f1983f0c50f686

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac2b83665d12526985345bf97534b429

SHA1
7846e6f80ee2c382c3515accc14a19b0bd49ffb6

SHA256
9e42c84d7e1a26f4cf9f9a9b8598992b4431d38e0f6fabae6d359d1e86c6189d

SHA512
951941b22cbe9a519382640df617671ef3b00a28df7504f31539ad5cd00434e39279ef35651ddea17d4524ef2086fc17d2a93a6d6eb1135a302a955732f12547

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c1b0f9d3f539974831e7f3d240ac08f

SHA1
5993e22178405d5cc4c099d24696de20bd58a225

SHA256
2681c6f9bb261e9920752799e7d0ec84ce905e313e3108709e10742e3b5c16eb

SHA512
bb6d8917cc955803b3c557a9484e1264d58654b217fac1dcf3ffdc44e76baed4b140636bd2857151c67922b69825cdeda94bcc719ea454f73b757ca50fb18757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b829e7c5c692c4318e32dafd6d4315bc

SHA1
aa2687c61ff9fd2ecc2780b0bbf919f74663e9ed

SHA256
fe70003b53c134fd2a2ddd1f77034a15e47ace5914daeadc6fc11733a7b3c5d8

SHA512
36dd444aacda4dd9a8de432346217bccddf350fe381f27f8b1c83dabd0b0e4401529531c32f7259d34d40a3602ceb95a9d55f5eeb781b615618545edcdfcd56d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ea8598c35b32e5679eeeec9774f13e6

SHA1
4181599d18c4804fa05e0a14416842418aafe74d

SHA256
da823d55599ee678b6a7d971593d39e33144f49a93b8a175e2761c7d2141d895

SHA512
60472a91c3fb4770a17ee581771ae9a7b085d2c696565409a40a7f4d1942065b317a6f89c559cde894b7c99e0f0ab322a651beda10ec8467085caf14022e887b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7a62e0ea7fdb669d464a1d1908d172f

SHA1
d7064b661752a87a2229b4e0aa71370f7d1cd827

SHA256
30d5fe963ca76486f229d55e8832dacd292cb694688f8e9f672e133baf8c4d3e

SHA512
25ef99df1f49461fa7633cec1941bdf2f2890af5037e0e1577093c88b207eb11e04e97fef9ea48e0d5d85943ac89912875dcd42a375031d21abf209d570bbf66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
213dba0f8eb7e07246fde01a4e607886

SHA1
09c7c49c29ba7a675c5997218acca930746bf589

SHA256
a16de13ce0dd3bf66835b7d0da43ed27d9564464e08f84514759963dacb52095

SHA512
37da33133ae9f4dd3dbb38f76e5cf606afa05f58060da508e5fb08d969f823ac51ea3a801940b40f24c52e90ffe7ae80a8a91a5cdead6be177d9a770ef445b7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
274835ddb63e72dc60c8afb1560c4708

SHA1
38242e49b26e50ad25d7b50c06fc51600401e2b1

SHA256
281d2d9608f4db01e5a6aa15a8c7e59e8488518393e9cd07929feef176765979

SHA512
74e45080244cabee04537ace811efb2e64e7aec233409ee114303bfe2b1dfa6f7dccbb40a0a375044e11e3460494e060b21b341fe6dcd31b8f017f642d4354b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9873151e838d0a11ea539cd59782157

SHA1
6119a218df347ca69ccc7add5c55ac5a215f878b

SHA256
bca595f94f4bc742d7deac83fc4daf8358f245b28d99fd1f2aca0b5dcf448d0f

SHA512
0013f6f66b88cfda1f8b285c2fb58acb904c4072cfb11aedfef968d086b736957b8faacd0dd623e91b797d7021d8c7b9d682064fd670be0ea8b742b311c9b817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f065fe0f399d73338c11bfda3cd67fc7

SHA1
bc535915b64a9b9a29b598219d556eb77823c876

SHA256
ea63166fd3f39e23672685d1ddb7e8a5d648584921be848b0ef3a8d10c142cb5

SHA512
094cc46e14d73e12848f1195924aa4e9087f5de3025c5434e07e45ebf15d54cb6e7004068e6ddd26101020e60f6ffb5c8d0cb8a1650f170d1def98839f4cd277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYXN1WWD\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA594.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA634.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA6A6.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XADZTUA3.txt

Filesize
604B

MD5
4f51318da6b1a0b1b35dcbfd5555ff21

SHA1
2abbe1c088927135325a00aea43cdab534c085b5

SHA256
dc7d832cb1d05960f67bfc3cf4e1b562c935c5e2269e4f464af469f3454d2457

SHA512
b846bd8487eefd2a962720129c8949148bf7a26e3fa6a26876cb857926d8a3491677555017082e79b70a3080c8050b62c62af93e0946014b1e21192d763cacb6

Download Submit