6c8dfbba2dfc6053ef6de63a3eb88e980c4f31fdbd249d30d854314a666fff30

Analysis

max time kernel
59s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ThemidaSDK/ExamplesSDK/Protection Macros/C/Visual C++(via ASM module)/vc_example.xml
Size

11KB
MD5

179859857a2960f22142026f075534f5
SHA1

3cb45d1e4b76fdcdeb52ec804b3802ddbb18de2e
SHA256

c76408e442991448f4c05dc3462d28db32c4fe85515431716e1a4f31473f44d0
SHA512

f203c460bd52b4b86b2be0878180a43f5c94fa9f101b97fa1b6b72bbf8dbc015f80d28aac89795bc95e18cb15c79aee0cd521ade94d3c0db807cf0d6d13ba9dc
SSDEEP

192:E7kEqgkPp4T6U53CEqpCQ7EqCkPp4T6U53CEqbfQjwZibRZnpwwi6Rwnl:vDvqCrCQ7ZvqC5fQjwZibRZnpwwi6Rwl

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2023852660"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8064c479e18ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31035105"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208aea79e18ed901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c686c0d6fd519d4bbe65ff9f9421142000000000020000000000106600000001000020000000e7c20c6d2fac003d6ee62a0a03c35f2b3df7481f7fb07be21d4326fa53195f1c000000000e800000000200002000000027267d4df1565fb4d827b89f093facb3d101941195d52082daf2d506bc74288d200000006e3042b423e034714f39d1246719e02afd1f51119654f50dcb3e3b7410c0f77d40000000de9f6205506ac228d52fb3ca9c0b9ff0bbdc5e66e84a1b3c95e4f22a769961b3c7710e2963baed4e10506afb86d1db1d2137d3b3f908f4808eef66a9e0c440ee	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31035105"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c686c0d6fd519d4bbe65ff9f9421142000000000020000000000106600000001000020000000d66c984d85e653383a4cd553d85a42d8b3840929cfccfbdd668586cf00fafe69000000000e8000000002000020000000125e6668d8c07b4a316eba42cc709bc6ddffcdb2c88d66c0359e451cdea6820e200000009f46fd31e7b1a1489d4038ef831425df52a0242dfe909eb8ab71c7b83a2f1331400000002e6930b4bed238b2a09e316b0d1b85dbb997b7f857d2166b5de705626f84df5b7975cfe3b1092eb1894ab430b74d0dd8f3b1e1eab6bda42627f0bd53e5d43c68	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2002913222"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2002913222"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31035105"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A23032BD-FAD4-11ED-9156-F6AC10968584} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4928	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4928	iexplore.exe
4928	iexplore.exe
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 4928	2236	MSOXMLED.EXE	83
PID 2236 wrote to memory of 4928	2236	MSOXMLED.EXE	83
PID 4928 wrote to memory of 2400	4928	iexplore.exe	85
PID 4928 wrote to memory of 2400	4928	iexplore.exe	85
PID 4928 wrote to memory of 2400	4928	iexplore.exe	85

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\vc_example.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ThemidaSDK\ExamplesSDK\Protection Macros\C\Visual C++(via ASM module)\vc_example.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4928 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3fbb8ee33354096d9f116c557a402d14

SHA1
f75756c42d45d1047eb04fa54bd7702f5560df4b

SHA256
13e2696561dd0955e1d61f7e18166c8bd7a02faf1dbfe04e738b5d68cc2ca57e

SHA512
cc21e56f9278282b3c15964b5618d42bdfda83b245d7bf01d12550aabd69a9747d1deaa5a9a9830e6d6a47465f580e21e0a7621cf992b56244ad4bee8779c338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
da1de5b2445607545542e508a703005b

SHA1
75566cfd87264298e0461db93aa6269ea59ccb1a

SHA256
fb4fe1b908d8105e67a113c40daa6ddc295bfbe7cc5c7f36d2d1bbb3263a5380

SHA512
5023d297df0447d2455e033df251e8fd6f64d95c0635cc7fc727fe40d431cfd5ef61a67e79593731b0c8743017d70cc9d595f8da9d3fd6704201a6f4ac38e362

Download Submit
memory/2236-133-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download
memory/2236-134-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download
memory/2236-135-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download
memory/2236-136-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download
memory/2236-137-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download
memory/2236-138-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download
memory/2236-139-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download
memory/2236-140-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download
memory/2236-141-0x00007FF9644F0000-0x00007FF964500000-memory.dmp

Filesize
64KB

Download