5d4f1abf1c284fc157c69be9b1e78014885fdd3d9b8980ec14bbbd70b94f8e69

Analysis

max time kernel
101s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-06-2023 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GJ_GameSheet02.xml
Size

719KB
MD5

a1f67e5c51792bd18bf12c6a8448ed2d
SHA1

3b1e72aa29e50b2eac40d8af011ac06e47bbc0a3
SHA256

bd1181e0de4aa494dc235f8f8b162684de72eea972d8f2f90c5715456fcd3a67
SHA512

8287a34f64be80b10a0b10f106e9d8cd92b67552c884210434bdec8f9ec0bdf912b000c1c73e0aa7dafe3a5df12990ed4b0b453cb66ea30a1c37e0d003a64c88
SSDEEP

3072:keLEaipDILIDTJDTzDJLD2odDT+ODTEDTbD00xDT4OaDT2kZcDH+DHftDHkDHfDY:HETDILAMLKIkZ3au

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002da451bbc8bb254ab0c58d73bc67c4bd00000000020000000000106600000001000020000000abb1a8194994ba83f097b39f751a106249d4268587a22917263b0485da2e77af000000000e80000000020000200000005bf0192266b72748071db1f86fee4edc577a6bf1be92adf6d9a9176cfab8ad339000000089c9d8b2f7f1a01ae89f61d7281f8de08cfe37988ecbf19fd919668a6c08c07a06c1f2f9ba16bd2149a1303a0b0424fcc9b3e81187af059fb19476a63529dbed97258e90f05ccac8c37377607bcbfbade4f47554b32b3ceef8e9c4faa186d9e65458732a2925502a2ebec9355850a8950231b3b7aeb960ca0eedbbce32786101800e6622f45a9bb1f9a1927e2e4f9ba84000000019918bb4b4b4d79bd4199d5837a9e6388c1e299ed6fba75ec5188655f4e2c747498afbb6460c82ca7258d49fab2f9be051302546a1d101f05fb421459c1e85ab	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002da451bbc8bb254ab0c58d73bc67c4bd000000000200000000001066000000010000200000004cb0c3ba65b9e38e23049d77db424eb2b99d2dc21f3d91177110872dfe1e493e000000000e8000000002000020000000a6c051ce0b1bae272a215186d722ebf7c3459e67ec2620eb66cebdb49aca296820000000b913518925646ae9c68a4ed029731490450c145a0676f069091ef1e9618550f640000000b7533ea9eb4b4f7197976452cdb79065ee960e423a2955f29548fbfc7d6d94b11bd84fca6d57e8e0193297776702accd34319ede5477123e069a30f3768ff487	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6128D561-07E4-11EE-9F91-E6255E64A624} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393203771"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0aa7239f19bd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2008 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2008 IEXPLORE.EXE
2008 IEXPLORE.EXE
1724 IEXPLORE.EXE
1724 IEXPLORE.EXE
1724 IEXPLORE.EXE
1724 IEXPLORE.EXE

pid	process
2008	IEXPLORE.EXE

pid	process
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2028 wrote to memory of 1868	2028	MSOXMLED.EXE	iexplore.exe
PID 2028 wrote to memory of 1868	2028	MSOXMLED.EXE	iexplore.exe
PID 2028 wrote to memory of 1868	2028	MSOXMLED.EXE	iexplore.exe
PID 2028 wrote to memory of 1868	2028	MSOXMLED.EXE	iexplore.exe
PID 1868 wrote to memory of 2008	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 2008	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 2008	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 2008	1868	iexplore.exe	IEXPLORE.EXE
PID 2008 wrote to memory of 1724	2008	IEXPLORE.EXE	IEXPLORE.EXE
PID 2008 wrote to memory of 1724	2008	IEXPLORE.EXE	IEXPLORE.EXE
PID 2008 wrote to memory of 1724	2008	IEXPLORE.EXE	IEXPLORE.EXE
PID 2008 wrote to memory of 1724	2008	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\GJ_GameSheet02.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
f763b8187829180b3803ebe386719ae9

SHA1
381861bb524492b004c9b919733862955c27d53a

SHA256
434fe80c95bb6cae4cc389c1c35788438397c98ed710b75c7bf21516933c55bd

SHA512
54672869fd0ca1740c67844a5fec81dfa3884c8c145511e80d69421afbfde2c3b38ac3640c08e79c7ee217aef2fd2bf6100e61cd95911cc896610f9f92e96903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d93ca1a23739843b09709e5425b3c6f8

SHA1
eefb8ed8a9e426ed4448eec9c73592cb8145964f

SHA256
6234a1fe236f069307156fb21b1b976d3d10f85a054cc56cfb52dd7172e3ceea

SHA512
10f3580fe17ba2c446c055f5bfe4072075148d86978f2b4598417b2b6ee1224849d4ce43053de238fd002c20aaec7588a0509efc146b2031b6e12bdb498bff78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
0b2523097915203ce1b2125a639fcba1

SHA1
83b20feeb6a86fc14aa596cf457c3d14cf538647

SHA256
3162e80f122feb04b7f5ab27d4132be7c63df2e771dd29c2497c20573cae8e99

SHA512
3e2464c4f304dd04be87534292db664d2a31072c1b339640db418f2c35d3ad74ff16b6a8faec9de7502d326f9c488866cf2376a18f5ad4f0cd0ee5657716ecfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
100c0218e31a3f46697d5a3e8cf7461b

SHA1
f668869f56722a67716fd327f226302f1e81564a

SHA256
33a3ba2a63d380a30a6e33a1ac7da198b4ebbd5d392a3bbffd565cba550ec50d

SHA512
cc3984d144daf362d43350f31c115af946890516a249289a68dae25708ca9e68cd80a51a32e0f2884bdf3fe2e73aedcb86933b7e2e3620860ef418f7c859d0c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
4239c759551089889ea7c918363a5963

SHA1
09cccc5e202a43f6b14107ae3d588b4f6cef32cf

SHA256
1efefe4e1b9781d0769a5d51cbdabfcbc2d1369cf93381f78d1e9c76caba9386

SHA512
dc799d1ea0689f7f6f1a945f779b3f6afecf5d5ae12fe74dd596b08016b1a69a5d4d921dcb3af2f646ab2ad5daaab00b80c3a088eee98944f3170f81918a1f9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
2a4cd51b73b0ee92023695dd08d850a8

SHA1
ad5cdc740c1b72b22dcce240b5fc329bbc697815

SHA256
06106974ce2d342df09f26bd8d4f98a40851fd0f4a24cd4230fdd0569f9feef9

SHA512
7494257db03a7a1ae64bb7d62893a90794f98bba3c3c3ed736ab64a85424525889785d5a4829f94aec0426a2945ccdb8c76112dc5d1566758d38933ff2183657

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
83c1345c26b919325a2689b8963ee4ad

SHA1
93e71e17b507563d459def0a787b6903850568f4

SHA256
430b89e6330432469d45d14c601d39c6cf2fb253cc2eaf63c70357fc68d41a7c

SHA512
d257063baf8e595febd85301910c254137b093531a74ed1f042122fb21167a8e47c7fb88b82567ae5d0c40242d02a57c044531a682b7d28551b45bc7ac09d05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8960e0128cc38806d52f990ac427a4a1

SHA1
915729b610e6ae2a7c3c84e32d5c2d4ce6b9f500

SHA256
096ab53f2a6ee3ecbda32ae2dd67432503f51133d51a1011eb42209655f9a490

SHA512
59402304b8b964887d35f6d6bb15903c5ca2f0dd0bdef4b6df99dae87064f83fd2d37fdbe0c7022f2af5742b3d38409e5c98ede78d29a054b51e8b67e4433fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7B88.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DC3.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6B553LD4.txt
Filesize
608B

MD5
46367082275e9648ef82de98db3c7304

SHA1
1e320ca66e4cc8deb64fb100d71ceff761c7313d

SHA256
70ea344fdd3d1f3292e12b67d2bd2f33dfe08edb72544b1ffe82c7d5e860e5f6

SHA512
d7a60716bd0d8dc467d9de720b619e7f6bcdb184852ec2218d9dae1c7bab63f0387780b8b9ae85d48d16e58f78c8b625b176c3f0dce105b7713cbc0072cec11b

Download Submit