hxxp://kms[.]msguides[.]com

Analysis

max time kernel
41s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2023, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://kms.msguides.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b07e9e9743a9d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e089869743a9d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2489855353"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31041859"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbcc4d706d9277469144fa0d79f40dea00000000020000000000106600000001000020000000576c1e4182f067630f8e8112f17e2ee3c0e91e44a488cbdabe908c366d160a14000000000e8000000002000020000000b4419d3eb5b5faa39c0c7ed02ab4300c14b3acdac78bbc8716909dbe671dbc212000000085bdf60e9b064952134ee6375d151979e6d5bcd5c9a3120b04628f3a5e431184400000006b84380be00c1f014b6444d3201c94b07b1199a68a4f0e26d738c2f3c22cd5c89c21537bc0f1e819fa68f8db5b77d4f18e468991a5415ec19b75074debc76581	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbcc4d706d9277469144fa0d79f40dea00000000020000000000106600000001000020000000b00463a2920ee457f7c9d068907de28116aecd177f3fe7afe0b0fd16abceefea000000000e80000000020000200000006a078b2e64288dcbefda1fe59f92f1ab4fe16214a99c7a3071b1e67d815153d22000000074563d3d67a06e7eb0b1c608ebbf04322c7cdb0ad3668770cb7c9dedff1fdb3a400000004a99ea0fef9b6b6a2728c508a56fbf2818ba2dc1f8a35905e572fe4d27117a81ca4ec574ffcde1b2497758098a0b0a9880fff0da2c82818eb4adfcd0fbb6616e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31041859"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BFE3AE1A-1536-11EE-9FB7-6212A2E8A083} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2489855353"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4764	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4764	iexplore.exe
4764	iexplore.exe
4508	IEXPLORE.EXE
4508	IEXPLORE.EXE
4508	IEXPLORE.EXE
4508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4508	4764	iexplore.exe	79
PID 4764 wrote to memory of 4508	4764	iexplore.exe	79
PID 4764 wrote to memory of 4508	4764	iexplore.exe	79

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://kms.msguides.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4764 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5qy8zhw\imagestore.dat

Filesize
1KB

MD5
1ca370c6499019614d25b4e6b5c2280f

SHA1
47f56127316dfca0cd9f0e16afdba1e0badff12d

SHA256
a546a821546f09440b338c926c3bd8ca6936276a01328c174bedf777bdb2bc4c

SHA512
0d880f0fc9cf97fa00427e2057a13b085ce2d7e32de8b68c093de0bf020b6ec95836198f6dbd1266c86e7b60714409e74fa1b53a3a935f8b0c578d9a5f47040b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2WIZIJ09\favicon[1].ico

Filesize
1KB

MD5
9ec64893ef2ee0b935fb9674331355b9

SHA1
6deb017a0e4fa4512f55ccaa0b2748bb8b26a68a

SHA256
2ef9bf34ed980b19961965ede344433be025ee383721d90921a17350080d1629

SHA512
94152c8c8916219a9e37374f5c734fbcd5f9b2d2b3571df408461c5d7e0d1469503d14bcc4958b128ebc19f8acf7cfb4225b7b1ccab7aa64e51456a036eacb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF5A3C5707AEA8B545.TMP

Filesize
16KB

MD5
744b8a2f9a19da2f0072e1ababf91728

SHA1
58bea4e317e26921ffcc22c26c522d356954f3f9

SHA256
90515f707d2948c33f7a3aaf01418e612760a07392c4b306668268f9a994cf9d

SHA512
91bbd5baf40389559c869ff7cfc24414dd6bbed9258cf3c8af00d409ed797f17b612b0519c71bf0c41c3abba85b520e534edb5870cc1a53a94c34319b6dd2898

Download Submit