Analysis

  • max time kernel
    140s
  • max time network
    160s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-06-2023 11:54

General

  • Target

    resource/RedistList/Columm/bangJarfuls/spurreyGladsMorae.xml

  • Size

    16KB

  • MD5

    2a8993d1fbb2f830e2403e41933a3034

  • SHA1

    edd36d6e35cddb361797a0017fbb09fee61a30f3

  • SHA256

    869662697f87bedb7b7ed85e7ad014b75342ca4001710ea42042da39753d080f

  • SHA512

    3bfefe516f6682799b766369cef0ff85697725a9736ace63f67e3caa4f289cd94159a505b28b6e7066487c3cdb9193cbbfcbcff98a86d34216e11087c8b15c58

  • SSDEEP

    384:hi765v1dA+IlrtGQOuBFNHOxSoosVS5A51cgML+:g7avcPlKSixrosVn

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
    "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\resource\RedistList\Columm\bangJarfuls\spurreyGladsMorae.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\resource\RedistList\Columm\bangJarfuls\spurreyGladsMorae.xml
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:82945 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    f12c265a76a9e5a0279bad4724c67e62

    SHA1

    f64ca14b1fd0aca976ea923ba9550e0c05adab86

    SHA256

    d6f55023574bd134d2bdf74dd2bae0f0235a52bb302c7b290977dc05e13a2012

    SHA512

    240c711b1b1439e3e3a141af2a609c0bdaafd4f212b7905d451e735bb518988416b7fd3065c6599559371312079ce8a896779a88e97a72716e9228b755bee5bf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    9a8d0741533ef74134476a0b3185978a

    SHA1

    4bff9c39e46883cd17b1b9a38f169fee3ea6c835

    SHA256

    c9050ceddf48188dffbeecbb3e116a4f00062c85ec9803f7136642a92cb83c6b

    SHA512

    7f445d55c2a71d377a53edd320fa80788067e7e804cf39585a965ff21aebacefc3694e2fff7fbedc7a330110ffc1b83281eb1777e5bd4f93b6872bbb6a77f33d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B1FTPK9F\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1BXJKZNF.cookie
    Filesize

    610B

    MD5

    397880b0e2ab6e94fd4f8ba5272f6750

    SHA1

    428aec1a10e01229ff137582efd1b55c20cc30db

    SHA256

    268fe3079e3d3f6e22f33139075af6a8d32cb94a41f254f45a2189521c372976

    SHA512

    47881de6d6db6e9c32006004d083468bf63a7c1a51b57e15b526d318ea80a4b357286a0cdd53a87cc9d358c6b4180073b9ee433d06fe020d2920441fab772b67

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\WI9DFXY7.cookie
    Filesize

    610B

    MD5

    3c84641da0afe7098269971d5509fdb6

    SHA1

    c331fd92b2ec266ed6800edd106ba18b27bb3384

    SHA256

    cb82ebc143b3a5ab0ff895961b1d5e00d875adea183850a1bc5b5806612b8474

    SHA512

    eb23d7eb890af8cad145bcd6c6d642d034e7e6f79cbd2a6083c81c72ca56a80a80a30089b95a632712bfebcdb96813dfd00f2db82242892e8f263c5ff1883419

  • memory/3984-119-0x00007FF970260000-0x00007FF970270000-memory.dmp
    Filesize

    64KB

  • memory/3984-122-0x00007FF970260000-0x00007FF970270000-memory.dmp
    Filesize

    64KB

  • memory/3984-123-0x00007FF970260000-0x00007FF970270000-memory.dmp
    Filesize

    64KB

  • memory/3984-121-0x00007FF970260000-0x00007FF970270000-memory.dmp
    Filesize

    64KB

  • memory/3984-120-0x00007FF970260000-0x00007FF970270000-memory.dmp
    Filesize

    64KB

  • memory/3984-116-0x00007FF970260000-0x00007FF970270000-memory.dmp
    Filesize

    64KB

  • memory/3984-118-0x00007FF970260000-0x00007FF970270000-memory.dmp
    Filesize

    64KB

  • memory/3984-117-0x00007FF970260000-0x00007FF970270000-memory.dmp
    Filesize

    64KB