1360b29d035673ba3c7513a9ae0078e05bc179e51880beb6648996d9f2bcfc64

Analysis

max time kernel
100s
max time network
133s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShareSDK.xml
Size

5KB
MD5

9473cb9f9598f194f6cc90ba35b3228a
SHA1

92e9e2c577c66bb6bc9f806f9a50ff507c3747bd
SHA256

ad326658da76bde096bad76b4921f3b566fb0b31328cb317d248d2706c0a108f
SHA512

89f3eec02d1f68d5efa557724bda22680fc70449289695364d0bb88be4f7ed93a4aa1e03283aade83944c50bcf6a4d784c36259a41035b65915d191b151f0ea8
SSDEEP

96:AE6acIJF6PNlqe+Kj5KHgSiX/79rvHVergb8LT:AE6alX6P7d5oQ79rMT

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006c29dc726ce5b94c89351546d5dd24d400000000020000000000106600000001000020000000d75aa322bc6cb5ffea52c145beaceb3b401afe0223112303936e239d0a8527bf000000000e800000000200002000000014ea774c1d1b482ab63f59f8fff9797fd450f6961144a7a72be8b9183c0bb1f690000000ee186fd535bdfdd0b60b9d7a00ec8f8db3213f09d1059a1669ef9da85fceb8b33d37b466aa75ac76eb91576db35798c4381eb34f22aaca6b196d98f9c7c4aaca31bacd6d51f3cc23f1c1582dc10b67022ccc98cf2519127e66e7873f7a62760917a4ef3ef282f3ce2691faaa1e727f03513e19fbfbd33ab4ddbe79623e06811eabc759bdea84985938c0666126b97acf40000000e21560dc7840d911d10541c40dff59189717566c20d1e3fd999a35ec44756f4aa5ff70b9c9d137151d29f4dcef7cf51364ba2069dac08b3c4f0715ab62cd9ef3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f4773daeb0d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395483979"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67BF1B11-1CA1-11EE-A282-76CA95553E89} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006c29dc726ce5b94c89351546d5dd24d4000000000200000000001066000000010000200000002f6c47da0fb60c96f55264a64659558c96b409efbc4f1d03b99966e6ff052191000000000e80000000020000200000000210077e5e2314d8c3294d75006cf89aacd16009d4a884660512e63ccc8a14c1200000009d56af0c3f58ca90335e9cb0cc4e8c224208a73c9c2ae9076df6f0fb5936ecfb4000000038baafb01361782e8e824d350e9bf0623f3036d3f03b357dc81d2c8134bf694ef97bb231ece8837012d7c3bb476d16a24be31757b32d2a50ad49dc0372e7ba23	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1740 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1740 IEXPLORE.EXE
1740 IEXPLORE.EXE
1636 IEXPLORE.EXE
1636 IEXPLORE.EXE
1636 IEXPLORE.EXE
1636 IEXPLORE.EXE

pid	process
1740	IEXPLORE.EXE

pid	process
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2364 wrote to memory of 628	2364	MSOXMLED.EXE	iexplore.exe
PID 2364 wrote to memory of 628	2364	MSOXMLED.EXE	iexplore.exe
PID 2364 wrote to memory of 628	2364	MSOXMLED.EXE	iexplore.exe
PID 2364 wrote to memory of 628	2364	MSOXMLED.EXE	iexplore.exe
PID 628 wrote to memory of 1740	628	iexplore.exe	IEXPLORE.EXE
PID 628 wrote to memory of 1740	628	iexplore.exe	IEXPLORE.EXE
PID 628 wrote to memory of 1740	628	iexplore.exe	IEXPLORE.EXE
PID 628 wrote to memory of 1740	628	iexplore.exe	IEXPLORE.EXE
PID 1740 wrote to memory of 1636	1740	IEXPLORE.EXE	IEXPLORE.EXE
PID 1740 wrote to memory of 1636	1740	IEXPLORE.EXE	IEXPLORE.EXE
PID 1740 wrote to memory of 1636	1740	IEXPLORE.EXE	IEXPLORE.EXE
PID 1740 wrote to memory of 1636	1740	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ShareSDK.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7ff04dbe3ef80aac291129fe01a4ab98

SHA1
16380833824b0e7294e41c7f0fb1f057b04d3c0c

SHA256
1c25a45615bbb42d0d2441a893c69026f7b02ab185664e7d1ad41475a63f350e

SHA512
3199ce2b05bb526c6d870a7d58af073d17e382e47c3f33cb75a8a0e201fe644ebfc3f327c36c7c84d1ee97d066c71a0b4a5c9ed7a553f6bbbf1adf3ce434950e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d97cd270408f8ed5e7247cfc3ce3e6a1

SHA1
e2e8d243dd773be2b745a18e87e12784d590f66f

SHA256
d120cfae2b522a4621fdd728d2d6268c66c65558214b6cde4bea701b35b351be

SHA512
5ca8ef6f959eb491d1ce6a26346af03f0be695be27f86f14ebd928dd64abd3676cab4197b5287306915943c46f4b1d516f51fc43d86fed5a1153cfcb40d26c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
15ec0eb4c27a445629723b0dbd350aa6

SHA1
a34ed282b840085124540179f59d2f6933d1f509

SHA256
26b5087aa62e9ce1694ce09cfdcf77ddbdd3a88284ea7281ab477c9999039d1d

SHA512
d416cb3d6616b542e25a1fcfe3ddc8891a702e88e7add1c6e489be989c0de38942813c085afb987a0c6b7af461fceb5161690d4c55d1c915c5c5bb23a7a187a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
16bf4071472995346009e740c40943d4

SHA1
018eb5e17c1bba618c332c08740dcd0d60dfe8b4

SHA256
fd99e9c170313a2ac84c921bcee594c45cd54d946af9e80276028c0ffb417232

SHA512
ea94bc9c9387ceef238e4eb20402ed7487e8b8006e8e3e5f278e88f0d7941a87388baaec05408594a51e8773d58319ec1e9d4401aab053423abba588c2ff3011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4f4d5d14a5501ef206dd8d0f87529a63

SHA1
00b22ac1d2a74bc1fe0ca7f36ff3b41ed82c23f3

SHA256
f20a13d9dfe9953d16f63db4a7b0e1a1c3d95814a0860a71fae14ab5f7899d0d

SHA512
8a3984eb4de182f590aded027eb2043953eea9b094f59286452e93b4eb3db6d3955d60d9cce3a6fcc813e45a622d9431b10d73ede742d0ae87d1320e87c2b391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
76a6fe75b1c2409c020b19f1b95ca525

SHA1
d7b6bac7564ac838c48c5e33503ca6a74cd5e002

SHA256
7c7d1b52e61720f408420db987940309de066a2cceb5b9d9f18b816e9ee29c12

SHA512
f4901184679e01a03532724b5b307671e8701213d8cdedf789d5286adc39c52f73878d19eba37ac4b3f9067e05aa33b5143d92ed79d1d5c7af0f6583d9fcdacf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cfd896177834d9e70f5b67c15f2e04e8

SHA1
9a06860359eabe9950318ccf1d0480497871d5e0

SHA256
09685fe2e3611bb9384c6d9e9f4275fbc80162699fb9ae76f0fcc1cbf35878ff

SHA512
6d82da8b412e453bd191445cae824345ca0bd07b06c921adbc74555fae2e44691f8019d797e3a9b63e6ffa245bc6a1459ea6673fb73cedea02994e8ab37f358f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c468a3795b769be28fa93abb292365a5

SHA1
da19e7044a802537eb6e9f9861975f4db3e9cecf

SHA256
94a66bb5f07becb2b3c902a001220fa8207cb426b49290e30cf82cafb022df63

SHA512
a97b5129d034555da2c7da809a9e7995cc869db58f91d3c3631f72e36657a832913d721c34f5363fe09db5f8ab6c5630648a56b3274a7b47626b8efdc6315bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d8cfa700320765ecdf4d3e221f1764ee

SHA1
29761c0d646eb3e3977f7bd31b50a1a0d5fac18b

SHA256
e76e35b4026d7b14d810d47f5cba9726a2816020946892702aa17887f77442da

SHA512
249c3815fb13930fb7cdd93ec7a36160454ea4b88c3d991953a762e927d6e1fb0a7daaad4a67f86132561d31caf58b83aae2dd894d4e18bbaf215a15dcdf6301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1HIK2FF\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4E34.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F5F.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MMYPSVON.txt
Filesize
606B

MD5
b5bd2db60968f0f97081733602bc4fdc

SHA1
5d82ef0b9c4816624c86d324232a8790236edad8

SHA256
e816705406567d48b7ce7cac642d0785ef118a4a1a11df7c1fbea6a893c4f1e1

SHA512
34fe45696378575a78f12a59c1ce91daaa429b4c325d28e4221be590f20dc79c6ca77c1ce022588c0534ca44e556cd8c6454ef367890ac3abf87a13913348126

Download Submit