01d8d1413d047ac172186cb62241ce311d22096fc373475d000e66b46909eb0e

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luxury Shield 12.8.9/FontsInstaller.xml
Size

43KB
MD5

531f8be30cbbce50349de56644c66e34
SHA1

cf2ffb0c7f60596db3060c3ad0cef9c73de96943
SHA256

089c9b63cfed530c5bd6d492954d602f7fb94e34b8faa72db8a9e442b428fec9
SHA512

949b00317bb41f4351ee744fe4cbfbd3df9e1d172b752645bb9790e0856136dfedb866e2bd289a52d36dc46c91f3dd2b0bebdc2a420216b9d6c4fc2dd5a2c2c8
SSDEEP

384:nLFclSEsb/h0jvmKTNfjoMHYNdAPkSZBPVgGvmeMN+eBDP8oUEt4QBN6:Ls6/PSP8P8oUEtV8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000af7cca738f011bde29fd5d27c999cd3c7bc7d03a16605353bdd8052890ac7638000000000e80000000020000200000007de26e700ce963f54214bfe9b995f5538a6d58d4ed99b7345afc22d04179092d90000000979037b5dfe7893a54634b761b997db15a531846ee050ff8c20036c1f0ba5b842d1a6bf8ccfba2ec5dcc033a17d36d45256152f68b0c7ed7e145745c0ab53511d136b1c733eae0e0a62bdc0f7b5e345f6084b956c55d1d32fe174e518c231a0a996c5533fbf4b76811a96859406f07e6ef412e50fcaff8ffedca6925d56947bc74d71f3007acbac17afac1da7bb4e474400000009c81d0b2952175dc32cb2a7cd5ba06ae73b83dc901c6b8b7769d63e6f3003654dbb1c46b19f9a99b622590f5c325186f5121b835f9b2c8176909845fe34fc6e6	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396206363"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae000000000200000000001066000000010000200000003acd26f3e3301d8e80aedc170c79e03f87099df160b8fa51bf33f41ca679076c000000000e8000000002000020000000c5c53190fa7dbad21d3f08aacd71edacdb0baf27f7c7f36abf1b9a52466f07be20000000d50e1acf29ecc155bb503d0c30ad30291500e0d522887ff9fff4ae50201182f24000000080bf218cccbc8eababb28aad81e72a429085de2d90ce7c658f413c2a2240c30e1125a20a1767ea4a92f361df37b27f5dbe98e54e1e476b68c60983500d4f4279	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f065c52a40b7d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55E53121-2333-11EE-A5F9-C20AF10CBE7D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2672	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2576	1952	MSOXMLED.EXE	28
PID 1952 wrote to memory of 2576	1952	MSOXMLED.EXE	28
PID 1952 wrote to memory of 2576	1952	MSOXMLED.EXE	28
PID 1952 wrote to memory of 2576	1952	MSOXMLED.EXE	28
PID 2576 wrote to memory of 2672	2576	iexplore.exe	29
PID 2576 wrote to memory of 2672	2576	iexplore.exe	29
PID 2576 wrote to memory of 2672	2576	iexplore.exe	29
PID 2576 wrote to memory of 2672	2576	iexplore.exe	29
PID 2672 wrote to memory of 2228	2672	IEXPLORE.EXE	30
PID 2672 wrote to memory of 2228	2672	IEXPLORE.EXE	30
PID 2672 wrote to memory of 2228	2672	IEXPLORE.EXE	30
PID 2672 wrote to memory of 2228	2672	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Luxury Shield 12.8.9\FontsInstaller.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b2f0b20ec593c15bb0069654a853c790

SHA1
bdf492986f4cb5beb94a413c03bdadc86664184a

SHA256
abc0b688bcdd820fb37c5e1a2ea3db631618fe294c0b1d9614ac4730d1457991

SHA512
fb0ebfec8d8405775850159d56f8b3476e16268a36dbac6d2ce5ba994c48b34060157fafc51c33656e89c58a7696ff1e36d5ba3391d733e1eb279549c58eb160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb677d99631d4321e5eea7192cc380ae

SHA1
73871c65aa74e3a69407a3321de62f8574a4bcd1

SHA256
e54e42aa4b4ee63168aa39ae9e9361f53b5a73ca27b42d6f0bc08de269a1c17c

SHA512
fb1f2d47684a167433f89d8c57a20504a388e3e10fb2c7152723e24ccf1e961033a2ee7f69fd84e5ba65ac0790eb659b4fcb5bf4c396fd8fca88fe48761ee563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42719330c0266e98059c38af2483e8bb

SHA1
8be0cd4d27a26459d2f1aa192a2044cf8c9153b5

SHA256
08bec786bce46a0f3ff0b19af6d5d375db08e16ffb98e1ce03b3e55bc845087d

SHA512
158e6d7ac9e363a87b89401123d1a1e3ba92381f5121aba5217d2430e3cac71d54750a5ddba757f60701aba3ddfeb05af110b37f45e000d849896c0c660b594d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8261142e83a075205f27c7a10c80e3e

SHA1
54a972ed57a21e5270f2e4f323829b286bb7b6b2

SHA256
f8819a4d5097a900ee977a46ea5f9e0f693cbf44de6a5501111ca889081f3a11

SHA512
3ab261a0dc87ffed0b94d665daadb7bff14d669622b87de7833a9ef4111273350fb56039e7796b5bfdf619af7d35e1eb726e8d96cf6eba616338b2c66fbd0bda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
269f882f657c7983ed9e136d12eaa371

SHA1
e41331873e1a1b55a1bff621fba6c22d65ebb3c3

SHA256
024cc1b513a0024be95d444d1bf015d0df71efb64f6dd385cb9432dff47fae41

SHA512
3767b85e0edd11937b0ea6886f6f44fcd10eb7d8b3f809cc34e8200c403f5352bee71a4d1e073e097a2283ab75b19d06678379c3482332beceeb88e7325766a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
145ed6fb85d90876d1b7510cb415cbe5

SHA1
e4e6595f48b9b4387a2794c8826f426b85b32dd6

SHA256
30391fd0e84c68851d55d6b2440e68d5513819bb4d4dc6f77b46bcdf9aca577e

SHA512
dd1005ff529fb9e0d96281e277616def282a673244dc3d7c238eedcd55f1c51190f1b5205b75c9172d7187deaf3f755d9d0fcc505ce4ce8b6f04b78abd6b3976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8b13c1be04add252aea14d505a0aa6d

SHA1
f4ca60b7aa849e534fe65785f1fda259843e94a8

SHA256
6ebed737d7a89173f3f12ba6fa5356ffcfbfa90aff4252e2aab070906d9c2ee4

SHA512
004166096d39b09271cfbd3859b169d0abd82338017991f365a7e7734aaa145ad6e8ff0aede8b1af3bbb6b27bd6d295cfb8f18974135e38dd6551b247faba4a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d8815259fbab2b85547622ff4a08ba9

SHA1
6fa372baee7339b4283bbb92faed96e22181c007

SHA256
1c2f43f2122638796fc58b72b057ee85db2f3a7686d68d65e3af01756ebd7680

SHA512
d6001031dd5e55806c0eeb4ed48be693e114ac9b8720fcd0fe1182df6a7f2393a2029a5693e5fa5f13f4f7c26297634480052930f49ee2ba6fccabdd8716d184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c746593bc24f13da13209f8e466ccef

SHA1
05b9cf5e374df1adb57a0e29a1faa03526129a82

SHA256
e3836c99b25b0372fa9f9f00fb65d4d266d2e92d2c409d8c753eabe00cfab652

SHA512
758cc72830531d845a1d63824dc69c04b1c02496e967dcf72bc9187bf16065f346293f89a066e2f06ed46919d5110e92f7f98a44654d4018222bcff86858741a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
548613746bd32ec5762f42cdfb54ea37

SHA1
a50486e883461c8841a17fbf983240c519a828bf

SHA256
0c2a14c104b508641e8ceeab955e8635d4f89c263c09c3957d2c9eccdd73ea01

SHA512
5ec63d014d6cb056f881bcbb157f5f8dd7cea1488273bddef358186bd393b6b5e7587a9867024994216467d539bf612e623c95423468efbea279a8cf4d25730a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UORESFNG\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9021.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar90F0.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S2Q8HVFR.txt

Filesize
608B

MD5
19a6e999c9add25dc1349791f08efef8

SHA1
a77aeed2a3cf02fa563da13f29a4af60d70b725a

SHA256
2d2808309b213dac5f3d25249675539645d99597ff33396012936582079ed9c9

SHA512
f0488b51642e046f51d929bfd13c9ae82254e74484c3a91080af4267cea66983021d7d8ac6b9c9f400a7c4e5afce899a580e33be71e4131e2d6b57b40426052e

Download Submit