97ab5dd18474b81f0cfad5272eeb1142a21b566810c0b528edb28dcef810c7f4

Analysis

max time kernel
112s
max time network
243s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 21:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SESmartIDCore/lib/idengine.xcframework/Info.xml
Size

1KB
MD5

236467ee216a75174508a2b0fdc3e06b
SHA1

3fdb26e1f40eb96d409b83d857271e417149a007
SHA256

7498e5b979abad5f9d3ee7dc45aa514974dfa19b75362108d6b25a468ed146f3
SHA512

fdcd3a2e0d0504222612dd645664851b0a794d6fc9324c9b878c8078ffeb915f969d543ee526df4b5e12b4a1ad335aa96d9797be674f7b33690f7c0d5ab91c0c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074b2d77a8e7a944ea7c282b9066208cc00000000020000000000106600000001000020000000cda3303534e86f857fbf8984abc3b8fb2b739446a2a72a41e92878491b5e3c5f000000000e8000000002000020000000900fb4d78690fb84ee35ec892b50715d4ad0c28e7a7929b84fac4d94afbdafba90000000ed68b97392c3ab86b536cc20614488367f3f9507a2c2138755f5df89bfb94fe9417d670e5ab5cdc25beaac31b690905e47ffe0a39bbe81688aa81d9f140c588568d279509eb13bcdbe058f0b5cbaae0f49843dca991a3062c951fe2ce9ba5756fe45becaec230d770dc7f82446746167137066d7b6b1927a8872be691497b6fd074d75c7c51fc0e1166e082f8873e3ae40000000298ce564867b594d2ed57b0e891de596377b58d6ebecd33921de4aaf968d24ceb46acb12cfa2991ffa05e7a9955c4d853733b17665a21a5cd18c03bd9f291de8	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0674bf3758bd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BD906A1-F769-11ED-ADCF-DEF2FB1055A6} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074b2d77a8e7a944ea7c282b9066208cc0000000002000000000010660000000100002000000040accbacfb8e4887ae82bb768251a3ee5b6f21084f0f6e76703746077c4b160d000000000e8000000002000020000000305498a3d7ffd16279f064edea2a22600ad421b54c5fc8eec8077c3104d95f6b2000000070c0f6985a609b3eeb3533c958efda6f899f97973f636c02beb0b0d98dec64ec400000004729c7453951ecf8cd8c1bd38f14727e94f427d136fc4668dce7643a46486b122e1ac35e44485954e1f0a3cb11050ba46a45253556f32fff0aa6203b53204f4d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391391608"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1392	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1392	IEXPLORE.EXE
1392	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1156	1940	MSOXMLED.EXE	29
PID 1940 wrote to memory of 1156	1940	MSOXMLED.EXE	29
PID 1940 wrote to memory of 1156	1940	MSOXMLED.EXE	29
PID 1940 wrote to memory of 1156	1940	MSOXMLED.EXE	29
PID 1156 wrote to memory of 1392	1156	iexplore.exe	30
PID 1156 wrote to memory of 1392	1156	iexplore.exe	30
PID 1156 wrote to memory of 1392	1156	iexplore.exe	30
PID 1156 wrote to memory of 1392	1156	iexplore.exe	30
PID 1392 wrote to memory of 1320	1392	IEXPLORE.EXE	31
PID 1392 wrote to memory of 1320	1392	IEXPLORE.EXE	31
PID 1392 wrote to memory of 1320	1392	IEXPLORE.EXE	31
PID 1392 wrote to memory of 1320	1392	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\SESmartIDCore\lib\idengine.xcframework\Info.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d865ba5a8e761d21599d92bd4dd4c367

SHA1
c267531c40549d90f4745c1699a7111d2a430e7e

SHA256
e7a07ce077082897d92d39c516fb4f6400f0fcd715a14297ae26db1250b1821c

SHA512
55b13659aa3a945a65eba8327fd9856e948f298f4cdf248b44d30530f4b3a23ab7033eea70a73b331ee8df720929b776be6afc3721fcb59bcd69d14f61d5b61f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45af8a4b4b3f9b85ca4da244c2a72eb5

SHA1
a52df22e99b4fb05e3386521da0338840776a284

SHA256
d4a9c5243c48cdf3440cda9d64fc5a8e7639d94b377306e06c0aef270961f0c6

SHA512
4e14bc43b3fa8ffae383bee21694829694bf0b905d526df5868acb163e1c284eb1527d2e53db9fccd608ac19bd48701f8cf7e452a42fa809937f42fd7fb5c51b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc10d1a0fcfac9d55789fae2eab5feb7

SHA1
08c13368a470a118aa1714f98ae8f8d954eab513

SHA256
b80950c2836be4657c60dd18a669b9ab2f151e3557b2d0cb6a58d10ed246106a

SHA512
cd8e8bbfeb26f716cd974d31b44c2c421faa2dad6f2e899c4671dcc8ab08fbac021c81f9c81011b80afd4b5826c8a5ff5c01f529b3abafda0eecee1c22da9212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66af64c1136efa9ea04deb1722a2f15e

SHA1
2c018f27d6e7f0c6eaa1cf6079a54d9fae11c7cd

SHA256
2065ce7b93932a791bf2669211805fea7fe54e37a6cf67d235fe9d52b1ccf26a

SHA512
3f758403e5758601aaf450239571af15b2be41f3394f44eb2e21e974b73524e1539edf5c4a1ade33cfd1cc2c2c83c08d44b5fd8869cb3fb84690b6ccea12e538

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe5297d76bf6fe5d46bbb1005c72d378

SHA1
3220d59fb64abec32bf8a2cb1dabcbaefad087cd

SHA256
3a7c40ad4dcce88f5f5f5b5d1a0856fa61837d558053a83807c82a6d43fb598c

SHA512
7e2bb5cabbe5ac55f2d0a9e03955d3509a12b12fff8f476a54ba35ae94abf6dc2c3e926b8cf346d6eabd414aeda4cad7da8217726fc43b938e74a6e70e7cfefd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cb6a0d053a546543d1aad20acae9903

SHA1
3489ed6b715042d1a978ba501e4b27d7e766e251

SHA256
9aac52e78e1a1cdcb717be7dafc869e7033ee7fe8b2d80a73c68af3add319333

SHA512
8330a9aea081319e1766ee75af978bef68e8d1b31be055bcf20593dfaac70cf2be5bdef9f570a0b9134ded8c2c01fee56732544b4e81cbf9608252b03466a434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db09d47240c40ee2cd5d2161aed1f74a

SHA1
e683f375c8517e477f804994a3e946813f71051e

SHA256
0ea29592cd17bb25d5ea29e82836e03ca707faba662c665be838287d6e48acd8

SHA512
8ac4d9d088f1e2d09edcccd6d3c8c385040a5b96b24951ecf2a94157f5edb44424259492ee974342b4f3782b32e285d8d31680baef3c5875570e45a7f8d07783

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e268a978b0f6a81736548134a9d18ff5

SHA1
eafc582a89f2ce4c59a5622d359c4aa4504b4fee

SHA256
dec419fcd73f3201378b06975f7cc9e3b99c482e9b13c9d52efc4a3072a967fb

SHA512
1a37cbfabb1dddfa9dc14a80256a8abce1de5afd48926f6911b9224c27673807b286d0c46f148ee1ab8b2fe53c00c9789393171b284c9826626e8d8d69ab79e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4293a9d6572cf30930fbd01502bc784c

SHA1
2b18fd2fae90518fb4559e43604c9d2e8ea523a2

SHA256
ce857b374f4b5cbb0db700b0b39e60420d8c59132b802fc20adc0075a750ada2

SHA512
c9f8be6fbef4d3d44b7f091f38c4f6fb42db14f92b9ae4f2f38245dda6d177ed32892f6067f2519ea24157167282b65c71e859aaf085af067db2fc652ee80162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZTPJYNO\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC64.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF082.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UX55YUR1.txt

Filesize
598B

MD5
ded9f923bbc7ce97deb35ec7e613aac7

SHA1
8efe130a9958fd0b0b5f7e2dcea18df240fbc98d

SHA256
9ce070c578dc327707a028bfbe8a8ad1035580570d89c8a8fc81ebf4485aed9a

SHA512
6eb79af4bb2ad7a777d9c59a5ae0d81f3209a38a72d9d66b1634d204c4862ad5a5766fa4ddbfb03d437fad389beb2cc10284dbf1024d3351dd1a4acd04e8c6cc

Download Submit