1ef4aa23897477fad4e57aeec8370f5fbdce756efc26be3deae5123efdc86b9a

Analysis

max time kernel
104s
max time network
139s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
13-05-2023 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gd/Resources/CCControlColourPickerSpriteSheet.xml
Size

5KB
MD5

fcb5d49e60350b4e061376d079c78c04
SHA1

86e6da84404f79ed9105b8ed1a84c54f5a8cde2e
SHA256

32ec9e42908a44d99fdcecde2f71f7ca23989c1351f0276275564bdaaf6791af
SHA512

2b28d248db07cbda87ce36c6dc55d73c7fb5e84ea9d725ff0bc6a6bdbdff908eabbef74d20abd402f64406cc173cd251a45670aeb72ce1dc481a3665f888f3d9
SSDEEP

96:/y+VH5/QOhxH+/QOdhHA/QOdpHr/QOdOHN/QOqyHS/QO9LHo/QOqqHO/QOfUHH9l:aQdZM

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f35fd4ec1ca1494aa57fdd0dc6b810a4000000000200000000001066000000010000200000009193e4a51936a165ed3213e9add58eb8c646358b087533b5c068e6d6243b3b48000000000e8000000002000020000000298367ae17e53256feb5f226ebc20e5814c2df478576ea4678f93f1291ef9c5c20000000bca66bc204e5983651208d700958ddd3cc996d0a84812f91cbb56b654965545840000000ee29a45a869dd95aad524f51d3ef5b13919fd4bc4c1d271c6fb3957cd737398f734a9d9aa3a0b4e39cbce1f8abb772145ce93f1fd06ba376a62d91226539d1aa	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b8d2a8bf85d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f35fd4ec1ca1494aa57fdd0dc6b810a4000000000200000000001066000000010000200000001e01f43b8ae50d588b3bc70564aa58fdbdcd6487c58de91d038ab0069391279a000000000e8000000002000020000000866325365124c0a45bfd41302764f660a161197e45ee1571a3aa68616320ec5790000000cdc1418eaba33fcecbbd2d25420740a1bf76b67e924b75debd74ba31daf882149bff9596342af83042c58d8574b0b8e5d64b86bcc0c0d6d5831f8e3baf3c25fb9e6a55f7b03ee24aad69d928926af5408fe6f06478e4a6a250c511ccdb3d560919e0534933aae5ba3e40572020e01b6a6e4efb30841e4c1add4d1eada4e2c08bca262513548c6843a5f3af07fe2065c040000000c525ecd263ad1fb5741eec7331891f8151c1bd2f36984d93303cc2aa801a4a6befdbeb5031018151efe83de1349521167899f2abe92595d59dd51449ff0289ed	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390160472"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D01DBD21-F1B2-11ED-B288-EA414CA8A2BA} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1700 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1700 IEXPLORE.EXE
1700 IEXPLORE.EXE
1012 IEXPLORE.EXE
1012 IEXPLORE.EXE
1012 IEXPLORE.EXE
1012 IEXPLORE.EXE

pid	process
1700	IEXPLORE.EXE

pid	process
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2008 wrote to memory of 1416	2008	MSOXMLED.EXE	iexplore.exe
PID 2008 wrote to memory of 1416	2008	MSOXMLED.EXE	iexplore.exe
PID 2008 wrote to memory of 1416	2008	MSOXMLED.EXE	iexplore.exe
PID 2008 wrote to memory of 1416	2008	MSOXMLED.EXE	iexplore.exe
PID 1416 wrote to memory of 1700	1416	iexplore.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 1700	1416	iexplore.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 1700	1416	iexplore.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 1700	1416	iexplore.exe	IEXPLORE.EXE
PID 1700 wrote to memory of 1012	1700	IEXPLORE.EXE	IEXPLORE.EXE
PID 1700 wrote to memory of 1012	1700	IEXPLORE.EXE	IEXPLORE.EXE
PID 1700 wrote to memory of 1012	1700	IEXPLORE.EXE	IEXPLORE.EXE
PID 1700 wrote to memory of 1012	1700	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\gd\Resources\CCControlColourPickerSpriteSheet.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
12873c0f0848d73a21130375e1eb84df

SHA1
76fc86b009218267336cf55d50c3e5dff6dafd30

SHA256
95857f580434e9cc43210ae197e16f1e7f7c10b5c83d3e3da8ed0b51f0467d01

SHA512
851cc32921fe8604dd39ae5095408180b05b0f550fd8fa6c5a31b50b893efa6f641f32a3aea762d1130713ea08b71723167c4297fca02f64769338d6569dfa65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
faa50bb6a13c2c4035d7921be8c7e578

SHA1
79eada17587705390ff95536a16036e693d1ac06

SHA256
5710a8161aa94a386fcd30cfb3c409e6e81098715facd140c0d51b57b88709a7

SHA512
cbb89fc4bf5cad2fe84a8d1432a0431ac12978d689f7e5fc5a9bc2f420cb47ec37896c6c13b52ae9025f3da50f25e5ee8da847c770a6c1cfe00adc741f94b203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
04376e3525c7a226eec5fbe111d89357

SHA1
10dc88566ab5a99238cefcade39637c13ff23060

SHA256
5bfd1cca26f33feebe4a8518182d44b2a4713ea0cfd431f5d4c4ddd2f4d4cbdd

SHA512
b27a9178bd94bf679e94a9871797516eef3d4d2c046abfb3da8c9d4bd0a2e412ca7c1e30997f6cd24007914e13abc6bef84dff310c7f68228c1118ad9fa6222c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b04681778af546591d7c8c0b1d5dafa6

SHA1
1dae2752ac4ce8446bbd7a8a3bcc7d92dfe1a447

SHA256
95b177fd3949ec974ba910249835641a77d25a41ed11572ff5437c0078a9c15c

SHA512
6522aaafbe159a33fba1c6b7e7c7d4a3e2ce1003c93772ab8b993e73b4d63f877b23304ac6c97b22858d3fb1242a2ac94c99fc475d25edcafb4b61e4b9230182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa9e505c4639a0fe942cc9627b549294

SHA1
e7ad714d62fdec5fbf3dc80ec80d651b517133d3

SHA256
802daf776edf6900881f9f6ebffef6537b782ef200a067570cdc15dc936451de

SHA512
ebc87ac012d16a5b76481a7612f186a28650484bcaa0f058fb9d059a90256db56535e94c2b5b87b96244a783b5c0cde4f2cea59b37f3021cb0b475f1256a56b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2ab76ae59c6fae83497732e515eb4a97

SHA1
4f0d6be48888403ba6509f04202d7a430afc4977

SHA256
ba664c666086c00922093a5ada331189755951158b8b14883c6585a4fd85a442

SHA512
f63d9ba44d4f80c2c2bac37d5a7bfede8c3db05e44ae2ac26011ccf28238aa1d6a4f0c089b13a17a39abebfb9c835b295e2f03b56fbf13977315337e5adfdd4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b353f230ccb8e56466a23bce6d87f369

SHA1
e86d6355baf61875be18236834bae5ce31fda3ed

SHA256
f1a39cdd8435bf6f36b93d6b3e89dec185cde79ce5471eb1a7fb5d8d88cab5ed

SHA512
7e0f5dc5be1f6b63319333cc057d149fdb21ff5b45166dea43d0f3d20b2cee154efca663d14665427611b260c6af33d352b46b10f0439fddc6f73d11d7213274

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6CAA.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6E87.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit