e4e84e4c05fcabc3248a398ff3b4d14794f0c7591e192b3bfdb4ab3c9c1cd9ab

Analysis

max time kernel
59s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora/web/assets/Ellipse2.xml
Size

485B
MD5

0ad775b72aa74cae0db732655b9ac041
SHA1

4e6b2bf9d7c46bb81934325f37fd2e2ba5bc226a
SHA256

061b3b0ada2cabedb8deaa5fb039dd8850321b8e7ed4a76587a6b3723aa5ea31
SHA512

b0886b68476a08d87adce71eabb254584c8f3119385235ec761d19b9a2ef7cbc2030cffa6e836dbaf00b4fb78e379b992cecec4d974698b43716c858556c1e7e

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0008957fb48ad901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2120792494"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a9700000000020000000000106600000001000020000000c2c2bf0f4175d9f7f89c3c26c61c6bcc87c382d22d001b3f5d782ba434900200000000000e8000000002000020000000b3c1bd443826bb3d7bf7b21b1d0cd780acf1851da46032de1eb3701b1b81977e20000000d6d10ee80b73c0a927f53083645762686626629fcf305f711da663acae3c3a6340000000590ab448d07476f2ff84e01c2f56013062e82ab66c0bdd0939137aa458036e3b944d617c6e186e8736985ce8117a7effc997c6736cb5f213b6d18875c449454c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31034036"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a02dbb7fb48ad901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2120792494"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A99B0B47-F6A7-11ED-ABF7-6A765FEA1DF2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a97000000000200000000001066000000010000200000003cc2368e1b9a8471d3815d6848cc461c60b09da6fe7e7c48a2a07171ff141870000000000e8000000002000020000000e4301d5fda7de899792f7e153e3d6ce845ae31fa9ac630e359c92da679463594200000006e05d382d6a00519333acd42d86c8661dc582942410b41796439923648accee24000000031ca1bd4291995dc6d95f2dc712679f3e31a0fea7954e563f6cf5e47592ac1a1ac28a36ba277847a0ceab77a8684eeea4100f397a03ac3b9b9e6bd82789dd662	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31034036"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3236 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3236 iexplore.exe
3236 iexplore.exe
312 IEXPLORE.EXE
312 IEXPLORE.EXE
312 IEXPLORE.EXE
312 IEXPLORE.EXE

pid	process
3236	iexplore.exe

pid	process
3236	iexplore.exe
3236	iexplore.exe
312	IEXPLORE.EXE
312	IEXPLORE.EXE
312	IEXPLORE.EXE
312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 2144 wrote to memory of 3236	2144	MSOXMLED.EXE	iexplore.exe
PID 2144 wrote to memory of 3236	2144	MSOXMLED.EXE	iexplore.exe
PID 3236 wrote to memory of 312	3236	iexplore.exe	IEXPLORE.EXE
PID 3236 wrote to memory of 312	3236	iexplore.exe	IEXPLORE.EXE
PID 3236 wrote to memory of 312	3236	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Aurora\web\assets\Ellipse2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Aurora\web\assets\Ellipse2.xml
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3236 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-133-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download
memory/2144-134-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download
memory/2144-135-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download
memory/2144-136-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download
memory/2144-137-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download
memory/2144-138-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download
memory/2144-139-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download
memory/2144-140-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download
memory/2144-141-0x00007FFC2A1F0000-0x00007FFC2A200000-memory.dmp

Filesize
64KB

Download