b653631708cdf4b2ec872b4dca10f3c23380c7a2b2029e20f23b590602d1bcfe

max time kernel
100s
max time network
140s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ic_content_sticker_location_emerald.xml
Size

1KB
MD5

aadfe32db3ccc31c96197f0591e0fa18
SHA1

59ce2e9a22fff2e9a1b68578c429f5d710463d0e
SHA256

71d43fecf9f2ef6e37022c8446194d74f11b7c05816ce321f6a84279c870b4fc
SHA512

914f19b03527d440752bc284fa46af19ae7cf9f4d2c11cb7bb2753fd50526181e6ca5abed68c695236227b5d8e39db1b5f9359c2d0470a4eaa147c244cc91ddd

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9b4fd3e4f8f414fae099af533ea5f4000000000020000000000106600000001000020000000ab41f2c17e82965af3c7e50d436bcf855eab94411ad08e50edfd3451f833f1b7000000000e800000000200002000000050d807ed9f9b65bb20ba3c4209262e6773e26f3bf9dbfd98862f9ac3fa0e8f0e200000005e581c3f96a31829aff398d76b4e70c5fb9a9833cfaae8c23b7e2deb7d14a60540000000c2c0a20cc20fcb0ec822e8680d6f41d88f5d5a0481cce0478123f7777b070c7ed28bcbf4f08d72ab1d05fa3e017a895ba91445684836b1006b47979492525f77	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC468901-1B12-11EE-B0D6-76CA95553E89} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395312779"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d802a31fafd901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9b4fd3e4f8f414fae099af533ea5f4000000000020000000000106600000001000020000000afe3c9fa32d54dbeef3b262cf6db732744c5d02e199312b78d97bacdd66a7da8000000000e8000000002000020000000b913f5cd420293d4d5b3dd5ac429ada1ad8f106d229a81459a92a625b3f7edb790000000bb6e6655617b111298113e380bf92dcdf642a9127e36a37406d203ec589d2e76805a6afcfe22f01934beaca10b941ddf9dece9776e7f08ba51cb6ae1efd83f118464c97fff461eb108722227012ff89a2ad9661f8bac937a9c15286d7ebb4a8d2a5c7acad918a1030c511eb5c1d1c28bf8f40eed33ba30fd5cb5755485a41a7ecd9aeab805570ae8a2cdb1d159280fbd400000000057f931c3e4f057a4cf497d927afd10206ed648c905b3bf97c355df23d979e62493e6ed3e7f884a9ff2fe5a6b9ae408cdf2cb8f2eb0abb414a2e008383d8d1d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2968	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2960	2320	MSOXMLED.EXE	28
PID 2320 wrote to memory of 2960	2320	MSOXMLED.EXE	28
PID 2320 wrote to memory of 2960	2320	MSOXMLED.EXE	28
PID 2320 wrote to memory of 2960	2320	MSOXMLED.EXE	28
PID 2960 wrote to memory of 2968	2960	iexplore.exe	29
PID 2960 wrote to memory of 2968	2960	iexplore.exe	29
PID 2960 wrote to memory of 2968	2960	iexplore.exe	29
PID 2960 wrote to memory of 2968	2960	iexplore.exe	29
PID 2968 wrote to memory of 2136	2968	IEXPLORE.EXE	30
PID 2968 wrote to memory of 2136	2968	IEXPLORE.EXE	30
PID 2968 wrote to memory of 2136	2968	IEXPLORE.EXE	30
PID 2968 wrote to memory of 2136	2968	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ic_content_sticker_location_emerald.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77c29b0c63373c53922f6b4a4c0a9d5f

SHA1
d8e2b21ef8fa1b7d5e633d123958e4c6c0415b9f

SHA256
be44d1a7440c5149f962b577b5ef97e106fba5f84a26e4543d877d52bd49a145

SHA512
17dd0cade5e37bf1e6ef61882082f6304bb5fe450529980b2d52e141b481387caeb0536450d1a23d18c7e9866011a48207e79ea7695af1e829235c0759a433b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d571a362c7298e002875fb994d9270c8

SHA1
4209b464269ee5b48d22fff3d2bbf734d0b51b2c

SHA256
2a7e79739f357d539c7138e4ac600092e6df7fa483794f20280c632884f6c166

SHA512
487c077b6bc975886aeee72d4c7df6ee53a2f5fde453d6e6daec67a5a1fe3472c4ebfb9774ddc22c35f9a3c79566c80fc57e52da863f7c614fd684efb49a5a16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d36247618baddefff220c60bb420cc9

SHA1
069dab690d8d474dd73f9bdfb35d8321b1619f58

SHA256
800692e46a05cfd4fd5a8ef5ee14ed255451fe361adee5919a6a5c889383dba4

SHA512
43cd132137dd12654268506ea1d5cb641b4b495f22df72730ba13f58667676bd5c18fe3280a977324d4c61974ba056a99fa174155704d8558285050478680f96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
062b41d3a01d5c92423cbcad29526bef

SHA1
d7f9e70c1cbfa63abe77d92e0e715ea37bbd29fc

SHA256
1dd7dd74321d091f8791728ef98d2863ffaafcdd4d46caf4c48a328eac0521a7

SHA512
2cdaf2c39aefc452e412a6ea22ec2a0c864d408cfb17f15678d4bd752702f0dc9e73e77c09700a74aa61ffb7c6a1e26a686fbe22129f2eee8ac85e0edb7690c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4100448ca1ff8e2eae93842478f381f9

SHA1
bada7b65711c6e2e3e2c22874eb6da4bd383de62

SHA256
9369b081fdad0867458a4ca766f7be733255d60a37ede95493d2339b6720d614

SHA512
db5e2a3c534ea700bb55b54bc17a5ed4d6f54a6e598e54a68c37b208ae558fc4c05bf3d5b58ad88fd58dcd29abb6a99f651d4e3170ece9d995b486a61932c821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecfcdffaaa789a3c916ee818c4109518

SHA1
a31f4c3ac81f8e7f8f179ff37438e835048f893e

SHA256
19f813f9fd5acb243b36469accdd90157f2fbbc58641744d67bb2eab44076ac0

SHA512
44be3e24cf5f25f74a854f9ae93f6aa67ad6a8cc3a398c3656a292c880407fd157dbaab899704f7b66e8832dbc6da16f037ba5b66805860deb450c8a72845ac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
baf61b40f53f2fa0d25a61f7ed2fbf52

SHA1
b3352e8011c33d2e2ed1a532199fdc2cc5277744

SHA256
2d6a2c3e6a1f6dbf3cd015729c54160aa5c5af1fb7f565b90757ee13596f448b

SHA512
e267315a1c5ce2f6c164fce2129a292e3f041b578a0ed19272088ff45cff79adabf676d2e47b872aaf8f57960ec1ada48bf1bfed6672457b05d043963d1d7608

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c14b3afe3f39290820c41a11a8ab9128

SHA1
6fe64c4532377fbdddae359ae3ceafa9374fdd84

SHA256
c1c4250cd6211cf0cbcfec985bad129015046d4c6bf075af401d2d63fc80afa6

SHA512
0b86b8ebaff50dd636c419470f677593631f8abe51e0bd837806ee1804690b10c21c53d4349745edbc08e0691da345acf727c4a9474824561d29ebdd1f32d342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4286517925f5b525eb9a43fa3cd4e0d5

SHA1
23f018677053bad75c8c8c8effe4e3b439695976

SHA256
bde7d20ce2294367c52f3c391e757636d7db3f0bf31736fe4e41dfc1d6156da2

SHA512
dbc07014f3ee43a31ed8d8e38dc6c196297cc886071723b3b937c734cd7dc03f2fe06b41599813f7787209282796e6a1665658b6bd1b6596906f6e2f513363f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM3TD3CI\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7EB5.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7FA2.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4G9VI188.txt

Filesize
608B

MD5
ca5f4b89306cc78bda12cca50b9d997a

SHA1
3783643020bc4ee4502437eb5c8bb41a90c949c4

SHA256
fb91762d41ff4e9d1b4f626c1be85898de83104e39769a61f9c1746cf89f4bea

SHA512
4fe2387ba18fa5820e8482ce6cf154cbcee8b1e06adf815ba76fd2c8297569ceb532c660cec35c7add54dd6a76333c458cb1ab9aa959f999a697528ea1f0074d

Download Submit

Resubmissions

Analysis