1ef4aa23897477fad4e57aeec8370f5fbdce756efc26be3deae5123efdc86b9a

Analysis

max time kernel
138s
max time network
197s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
13-05-2023 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gd/Resources/dashEffect.xml
Size

2KB
MD5

7a0f4665c95dc11f6e043b9d3b5c8b9f
SHA1

45f37d6aeb2051349c415ddaf80429275390ad08
SHA256

0820f8e641679f7a91bc6f41f2a25632fde54674f2667979797ebb5e66afa152
SHA512

85e152af3699feb7e79accbbcdbaf0f645abae0aa92f5e1099d2d62bd78cd1e1f4bec03672365c5a9ecf05dbf7599d3bdf0f84fc1ed3d4fa9d87b5be539ba0e0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 804ca3b0bf85d901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D734A651-F1B2-11ED-A21F-F6B2F3A01775} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc4589900000000020000000000106600000001000020000000c96a9ca237f6141af2fbe260dcd5384f4ef4efd5982f97b5e8218edaa3a34f61000000000e800000000200002000000058616bbc3f7f5badec8a0726a171455113d67d319d35a7f3e41d330d27515ab320000000a9fa76193d8e9803122896ddd30f8d1064ba156e9e0970425d22633d7c1a1f9b400000007904fb8f7137aef8f1237fc15c1ca8033cb25a49169c308c61e2d1ba042e3956ca784fd4f245114458665447d71238aa8c61505c6f3e1c055c63f19f249e9846	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390763568"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc458990000000002000000000010660000000100002000000034c89b2bab06b2654b68e487c226ce3d13aab64737b8e0292d594548212da4f1000000000e800000000200002000000049c3d462817ea0d6becfb2489299d501b76b6bc0f37372b5e7806621250dfffe900000006e62212066b4a3d0f5232bc4d39eedfe00dfb4b5b25924d58db5ab7c3f85ac4c2b8dfc9912af1b3d6a5c65615291d2b6a9140f1e6f6de3958e97930b7c458e4726f334b4b9c78ffedf7610b62c2fcccf1b20f11c96452a6370af95a21d30f7c3003f462af68c3e7e06e5f3a01a2e4c0740c3a1fe5fbf1eadd59817065d64132a2f90a1483d5e4e7097b5378822b2584240000000ce2d07b715b822b707ba1a8cfdc55dc25d1968efb926274dc279274b8447018ed0c24fe9e381dc27eb8462fee17173c68fbcf9dabf7444a92006f8e60dd01190	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1352 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1352 IEXPLORE.EXE
1352 IEXPLORE.EXE
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE

pid	process
1352	IEXPLORE.EXE

pid	process
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1608 wrote to memory of 1204	1608	MSOXMLED.EXE	iexplore.exe
PID 1608 wrote to memory of 1204	1608	MSOXMLED.EXE	iexplore.exe
PID 1608 wrote to memory of 1204	1608	MSOXMLED.EXE	iexplore.exe
PID 1608 wrote to memory of 1204	1608	MSOXMLED.EXE	iexplore.exe
PID 1204 wrote to memory of 1352	1204	iexplore.exe	IEXPLORE.EXE
PID 1204 wrote to memory of 1352	1204	iexplore.exe	IEXPLORE.EXE
PID 1204 wrote to memory of 1352	1204	iexplore.exe	IEXPLORE.EXE
PID 1204 wrote to memory of 1352	1204	iexplore.exe	IEXPLORE.EXE
PID 1352 wrote to memory of 1812	1352	IEXPLORE.EXE	IEXPLORE.EXE
PID 1352 wrote to memory of 1812	1352	IEXPLORE.EXE	IEXPLORE.EXE
PID 1352 wrote to memory of 1812	1352	IEXPLORE.EXE	IEXPLORE.EXE
PID 1352 wrote to memory of 1812	1352	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\gd\Resources\dashEffect.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3cb7f6300708fd8395c9fd66cdd9a096

SHA1
67780e40a51d9764210e6bbdeaa57497e2c3e15b

SHA256
2626980eb3d5d96189b98d0c3705256e34450d7ab947b3a3ff928b18468f2d47

SHA512
b7cb4ffc49b7b9442acf70cc8253264ab4cea92609c4bc519fd1657597c2c752d4c54cba6a003a624229c554e735fd20b1c8dca9842c5c0fef045d341bf269b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd69bacc89f8b0383ff5b31c40715b94

SHA1
c98e279c31d610cf9a54ee20d6bd02dc0f836cae

SHA256
c73184dba48ee31795a702227a30eea5da1849fd93d684257705a9b62629e330

SHA512
4a131954bc231db8ca8815e0e17bf428dd2df75c41a3472bd4b27f0c22f335f75449e7933d55678b17f464dca4f8e75143edb50228e112fad810e4c815fbcad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97a113ccedea89d613bde73071792af4

SHA1
52f120ed0ac64741255df423eef4f657f39a1e59

SHA256
be4884d071aa972670e61f8198e1d03e81a3be05151da21410f4d35953669a6d

SHA512
6d30a094f6917d1910e77eb2b31551df97d16a548bb7f1ccaa0cbcf9bc9ec823d3c7e27b960d265fdf511aa75f2af24b5c87d6ed42aeab2b95b5723a013581ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27e30224787ee0c951f9db9a60e4492a

SHA1
1893370a9adb42ed7cb93bac7a60edcf51d96e9e

SHA256
8eef589cfdeb4bd23440bf6e532c5f8f119477ee5bcc70a2a34353ee4ef29700

SHA512
0b0237d0d26af5a734f5a6cb2f79821f56b6275a27ed77df5b62b9f26ae8a064c6d9c14f14af7ec774214d5e3888b95f16f819c5b856dbd45aba9f4fd9541d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYXN1WWD\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC268.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC52E.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BDI33GLJ.txt

Filesize
604B

MD5
6ad4d7904ffa8b8fdf599f8ea14f4cb1

SHA1
3e0d1a32371d17e89117be71af4f0d47a8a5c7be

SHA256
c489b65257b2771db65cc8eec376064131e6152e6885fb98120f9b1fa9809cf0

SHA512
4566c34a8fea4bda697573644915a75f0469ce18b4b73cd0541b30beced7dfa30a81c77a9cb89e967a6bcf1436171e28b13c1a635167e932bbc585bb16525787

Download Submit