Analysis

  • max time kernel: 103s
  • max time network: 138s
  • platform: windows7_x64
  • resource: win7-20230621-en
  • resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted: 02/07/2023, 01:17

General

  • Target: Kirsty/lib/Bunifu.UI.WinForms.BunifuSeparator.xml
  • Size: 6KB
  • MD5: db694790168f48647a559de34f6fde34
  • SHA1: ecfdc2886beb9b0cbb53d0799274ad0541aa8ff4
  • SHA256: 47dd33c9a48d4abdeae2678b64ac0332e029250b3cd254eab002e5fd47096f87
  • SHA512: 0ada9f273524732f893ad4f06589eb7b6bc6b9f4fbcfce412b4f952ca772fa4c5eef3e3ba78b23a6e393497502ed193b78ef12f28f841f4c4cc3e9a2574dbaac
  • SSDEEP: 48:L53YlOgLGf2QLBl2uaK2Mc8QJtJSoaOYTolXdgLGIO3RQKEdEZSu:L5yM2GBl2G2H8y7HXYOXWniRQ5Wf

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings (1 TTP, 38 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Kirsty\lib\Bunifu.UI.WinForms.BunifuSeparator.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 1ce8bb97b5b2fe2d81ac732dc8a97516
    SHA1: 181358dd71149e8e0563c19129fcc6bcfededdf9
    SHA256: c4f7d2c5d4cc47c6b929fd631d0183590f94d3e0c046f02082d4f723d35d2147
    SHA512: 28d049d88579007b4d3269ee25ee425c37b077021217d8084ebabf8170c7b5b128cefdaf3c6b31e14b3134e8efe3cc98931755fb959bb427ffdaecc5cb66664d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7SBST7U\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\CabE86E.tmp
    Filesize: 62KB
    MD5: 3ac860860707baaf32469fa7cc7c0192
    SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
    SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
    SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\TarE95C.tmp
    Filesize: 164KB
    MD5: 4ff65ad929cd9a367680e0e5b1c08166
    SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
    SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
    SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QL7RA66A.txt
    Filesize: 608B
    MD5: 937d0eb951d68abca2acab79db7c1426
    SHA1: d41cdcc2cf60f10e9f65143f497d0f8b307d33d7
    SHA256: 00631817994379ed3640546722cf943423ff6713f785a2a29753cc4a492551b9
    SHA512: 526b57e04c4465dbade47a342fdebb1d59a892895a45381fda3cb9c16ee2e0984a2a5c919dc6ddce87bc6abdf7abb55ec2b114b7dd2af07328ccae1e37c14a57