1ef4aa23897477fad4e57aeec8370f5fbdce756efc26be3deae5123efdc86b9a

Analysis

max time kernel
101s
max time network
161s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
13-05-2023 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gd/Resources/SecretSheet-hd.xml
Size

8KB
MD5

fd1b8ad2c4307a1ff6a6bcf696b327cf
SHA1

491072085cd021ca280485d92e22b5e5bf750251
SHA256

e8ab94b4318da1b011e95cd06700fff9adf1a2bd7e20ab72dde7a2496a581035
SHA512

57460ebec83aa4ccf75dc3b22cc88a469715a995db1b84d8672b1659f6ac7690fa2365cd9a55f6058fa2c23e679768dc026cebe0363b41d31e6b0597fa82faf7
SSDEEP

96:/y+sYkuDXoSYkRvn0cBkYke58JZcYkxd+WpKJYk/NBBQX7Yk/NnHe3Yk8aMK02YM:a80g06LGak+XQ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390763532"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C12E9691-F1B2-11ED-8B45-4E1956A5016B} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000bcbe179e7e945e31527634b83d42c8f6696c5c752175cc6cb80a9913a47f7b8d000000000e80000000020000200000006a157121187ade2e4d15252843c452f5b045c1f441f28e11f849036bb2c6e57990000000485bb0bf9348dec69b2cd74db433574bba2e6588daf5af418058ffee69af3d3a081a03cbdf0c13f3c2c3392a0a2759a44f9c611bf1106e517e51dc4584c560a549e17c14378453f08c383f03370fe4c2db1f227b5ca0b91c7975fde5e7cf88b8d2d97575c87dfcef9a87e156478698d3727a2db482d461a13e80694fcce1533add0e8d14230a61b4f0fae4c450533e7c400000008d41c2cbe1da5e47578c1d26c70a6f5a7c9789ea07bb270ef3fb8258af21d657b3843da771bffef6917701c1855730ec436f060838577631000a18e1fa0ff425	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70433498bf85d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000f492153d98175c7d10361ac218cafa9d4f3f74833324bdd8f0ce17e59ab5b244000000000e8000000002000020000000992b883e704f15e062ce3d2b35adc0b9e603889c285a9ee297f414803b1de532200000005c1962be6b346a0b2ae1dafa0a597209bca16762932dfb206636cb2b254d733c4000000089510b01cf3b4cdfe681aa374a2837bab6d4072cf9526143cb2b2aff88d38f5a17ebadf1874e8d9125f5d06c51145922ea52b7e4b5887c4ed9d8c27d2ef28c0d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1092 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1092 IEXPLORE.EXE
1092 IEXPLORE.EXE
1452 IEXPLORE.EXE
1452 IEXPLORE.EXE
1452 IEXPLORE.EXE
1452 IEXPLORE.EXE

pid	process
1092	IEXPLORE.EXE

pid	process
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1520 wrote to memory of 536	1520	MSOXMLED.EXE	iexplore.exe
PID 1520 wrote to memory of 536	1520	MSOXMLED.EXE	iexplore.exe
PID 1520 wrote to memory of 536	1520	MSOXMLED.EXE	iexplore.exe
PID 1520 wrote to memory of 536	1520	MSOXMLED.EXE	iexplore.exe
PID 536 wrote to memory of 1092	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1092	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1092	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1092	536	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 1452	1092	IEXPLORE.EXE	IEXPLORE.EXE
PID 1092 wrote to memory of 1452	1092	IEXPLORE.EXE	IEXPLORE.EXE
PID 1092 wrote to memory of 1452	1092	IEXPLORE.EXE	IEXPLORE.EXE
PID 1092 wrote to memory of 1452	1092	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\gd\Resources\SecretSheet-hd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb357adffa7f0baf83d01460c69c06d3

SHA1
8b140ed87ffffa3ff7cd5af5e0a5312dd96c1d03

SHA256
0d91bcd656ab1a5320683a15b8e793d0d376c39ac95d28429238dbeaa4ad7a24

SHA512
3c683a6cbaecafc99750fe00d782c29e7ed9430fc5ee22347121387f4d193c4a0ebbc6db28ff79086deef7c35d133b713e27e563815e40078483011738dd1f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fd65079381a27e4f823e22cc1314fd33

SHA1
3644e7d8c839b94ac17b22912eb03759ad1c0c1c

SHA256
62b8b8214293a9cfce47a1e7bfc735aa3a204fa584fd39917cb33ec9339c83e4

SHA512
8ff8373c6185f3f8790471b5ef91d58b70d4b920452fdcf68c9213e3313be05932ddd443197b89c1f6eb1161afa3bcf8a01eac1abbca4cdc6e59f1d34372cef1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
819621e4be6a394d20b4a69843d4c047

SHA1
a25c034195adf2dd15ea2fd2b69eba2cff352096

SHA256
f0a686b8c3dd2c0c1407b37b9c78a4169ffb89d2e3e1ec3d4790d1bd40163c19

SHA512
b530540c68807d601e674ebf9e44be8a2f333abbd2ac23c53bc9c4296ec5eb9c39ab4bc2d9e99bb9f1bff3674e314c6fd0b6b1efa68263eb60076815cef78f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e398d9cdb9e2953111cd34c52ef0bbc3

SHA1
f56aa4734a0c3860b3c2c5be99f0a18d84ffd1e7

SHA256
c587ee68a41d67e8deed70fcdd704d4455d254f667b2ff426b2f1402a6cb5a6c

SHA512
f52f43631fb741bc5c33bf08faa156f3af6c193f99b4af57ca73aa480a5eaca288e6e7ecd67df8a4736361552befc3d2ec2c4e0db434fda20c4c48de81cf5382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e27a22cf2796411dc53aea2f90af45a

SHA1
755ae9134b071f71a7e5951c90fe5a7cb4889f52

SHA256
6dfebd178127b49e360097d69755064cce585bf4ddc5ddbc4f2b4d961ec3ad28

SHA512
e47732da34164d1f38c13df756f81ff2fe26aa581dbaf753e9d628d1054ba907f57b458a3afc264810ab1445e4e5d604224c167b3415b8bfe1deb1604230a3e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
512174272d5e68fe3054148241fc3486

SHA1
5e680b3a5767989b8b79934dd78c2eb804e46312

SHA256
f6110930abe4f2766208f857ffd3ece24492e014f3b15b85f1fa1dd28bf77726

SHA512
493d8a5890ed253c9377e20d59b8396e00c5cb506e6bf9078c5030fc9ee988ff48a5c62deb3adf9c9240fbe676ffa3d5d8a8125f4c036873139367bd05cec76f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
744b9252c11f888e977965cd14a4cd25

SHA1
5bb4ead321e4d29847b59f25939586dee4fbe1e0

SHA256
cb9f90e79f9437092d9e44f711fe7b288103e452b9c36c49e6bfcfd19c564d04

SHA512
0961b0ceb432ae97c934063c5aeba38d0ab66b46c5109fdcd11b89e8b39176f9ca120748854859de5ecb9e77d0b734c4defed343e5c258f91858aab43afb7690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a93d196ae85539afc76ec940a545bf3

SHA1
aadc0e78c8f801afe3039adc877d6a8e5f817bcb

SHA256
32c81c424c7dbe0f9507610e9502224cd56f3bdd76e2ebe8f1fce6f55ae67889

SHA512
1ffafb3693ff828eedc855569549ab3c2860fcae2652714d5acab30954d629499c8cf95488e720d9b75010158d2082544fc74add5109608ec50eb4b78c1aa2e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dad8e0349c381e5874453fc8e941196

SHA1
bb84065683f63870700f87d003c53b71f0aec01c

SHA256
54b17b7f8489ff1acceb822b51206875f3dd250f6eda7735bf5451abac387cdb

SHA512
051f14c0cef98bb9947756986ed9a76387174617f1807f33e066128a3f059ea01f611a9360bc6a55af62138e643d8fdddea373f24d120aa4e3d37b2d883f0d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1430d25d2834308bc2086cff54e26142

SHA1
896c83d6ec4b8f0beb72101d274fd86a3b9e9ab3

SHA256
dcbb28a4be9d319baf789cd2b983c9b343884d865e1ea25a60e4feb133aa37d8

SHA512
ec0c789ddabe3524e181079b2f5cc50d336f9409164cf55b85e78ecc154347d9e486afbd192aefa0b50585b9db2cf0a09c2ada6ceb63511fb24d52e2fb7d7d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDCA.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA7.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF09.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YF29IR6V.txt

Filesize
602B

MD5
e7c58b12dc56f487326d9769ca6daedd

SHA1
decca86acf43f6bcf6bf267fda5506a96057a9c2

SHA256
869f65007cccad16e856f8c2e05586b45035f01f431ee62d1ab4d936e22b6329

SHA512
28f2ab13defce842027ed8d6ca44aff507dca28d1fbac838c1d13d6e027836a28591c0cb497ff065872010b2781a6f82017530bb07c5523076939d3ee07e212b

Download Submit