43f40c70bee3af8015d2c61cbb7b24342915db3c6b89a80624e2f296e54d06fe

Analysis

max time kernel
140s
max time network
167s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22-07-2023 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GD/Resources/DungeonSheet-uhd.xml
Size

2KB
MD5

27ba105952636545dddebc4e8337c7e3
SHA1

ef45e7d19370d3c4a65bca01b60d94339ea009c0
SHA256

4f93ece615eb1f276d22cdd72d873be10a2d4bf90266743e80a1cf5d0dd67291
SHA512

e4dfd2b6ccf4fe0760027e922450d6dea7b820d457acf3bf0b04ee861a40f1169bdeb1b101e007b501ed135c8bf8179e0586e8a011ec33f0f0a37883a29c97c6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000dc3c82d0552114b8721d96020af22a386045db71e03d927cc62a984c18d87e5d000000000e80000000020000200000006898ef86324500d065749408a03920b28cb614838829679525022ea757b049749000000048fe2faf3dc4ab585ca4a83c14712163550ce610a50f09ba8237343b1e069c56ce0ee295623fe6aa0063c07256d7de8652ab07627b963105b39715941ee1cf31651189eff10c5b7be39a280d8507db551c6495b6412035919ae148f5d11ce5811bcf9628e366778cf2098f5ed76388190dcdaf78134b40820a9b9a8bb1e8ba150efda2997969d44f99e19da418791446400000001248dc908d7810a4caa8b05d114b17e8506c0b03541135bcb8a8faa8eebf6141b82ee1840b95e37fbb69341a7a082e79e995dcb52268309ad407615f23dcf4ca	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F2674F1-28D2-11EE-B6BC-66AFBA4EB959} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae000000000200000000001066000000010000200000007aa209ef134f77874956bd88d1a9a1789bb997175154743f0587a5e38cd4a060000000000e800000000200002000000049944ce7c8673f64f749f64a3f5251de9201d84f87db3673041bfd47077b8ed520000000cd715ba40dfad0dc739ec184990685262542ae28df5c692f6a31e0916dc64b9c40000000dc571a3ed90274be358836f4c4ab42221e847dac843fc427c3580a679290a59b544af6716d0d8a65a94b9d5572df4f660aab66d72705dfd9146f5f3ac8b575a0	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396824478"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c72c54dfbcd901	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2612	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2612	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2064	1352	MSOXMLED.EXE	30
PID 1352 wrote to memory of 2064	1352	MSOXMLED.EXE	30
PID 1352 wrote to memory of 2064	1352	MSOXMLED.EXE	30
PID 1352 wrote to memory of 2064	1352	MSOXMLED.EXE	30
PID 2064 wrote to memory of 2612	2064	iexplore.exe	31
PID 2064 wrote to memory of 2612	2064	iexplore.exe	31
PID 2064 wrote to memory of 2612	2064	iexplore.exe	31
PID 2064 wrote to memory of 2612	2064	iexplore.exe	31
PID 2612 wrote to memory of 2808	2612	IEXPLORE.EXE	32
PID 2612 wrote to memory of 2808	2612	IEXPLORE.EXE	32
PID 2612 wrote to memory of 2808	2612	IEXPLORE.EXE	32
PID 2612 wrote to memory of 2808	2612	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\GD\Resources\DungeonSheet-uhd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7d07876123449ac8c975e41aa98ead5

SHA1
d21cb25394d4cd9c07f2c04ca62bc353f9a14689

SHA256
7f9b7bca6c5e0617f38d8d3d51585ea2f08e47b2c310555776ba4308a36608b3

SHA512
215ada04a7f8ff5452205ccf2c8297dc254573d175b76a1f25fc8ea182b443a153511cec7bc9f4840be89e57de8f4394c10748535e2013fa5d5d99a6e77f0ff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
428a066c967cb0bf404c5bab7d84ab4a

SHA1
1465f5d58c41aa707f38579be95e9913f801e73a

SHA256
adc13cc3c5d04f55597b56540eddb0dae3b1594d2440ba741883345ef47ea40e

SHA512
74c3580517960201e3cb0016e7c2257255bdde165311a36e63da4f9a8fd106156c1daf3ab09c5e67de7f2afdbf1554f7e0f5f4aa0e88dff648476adcec4e5cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
569d9186d702e078cfc85c62d4330ade

SHA1
43fa02a80b337acfe0d2377c838df5d46d0e09e3

SHA256
20290e6e386422d77f7bf62cecb74877f354f033e9712762892689856594f844

SHA512
adcd326d6dfaf9ea23a73f2c3759199e1dc0a30e4587d643e8a11db443cc06f1f4cd5ef08695c3769bba9c00244f1aec0884109f86a8811efd69fc1cc98db53c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04a1e7894c7c2a8b1931e3cf77e40bd4

SHA1
8e0ef08c8bd2270cbfd01ac202bbf52fb5cd2873

SHA256
dff18ef0762b88a283c1f43e8b1d80600d8bb812075f090f3360a391e8850c81

SHA512
133c8036dbe413c0da726997454fe772442b1b809a440bba14dfb36bd9e28c0b237b080dd73fbec34f0629cf091b84942276642da7eaa78882fc5a38fd9f0460

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99b8639e845ae286b25e4d76b67efa6d

SHA1
cd846bf67ce72876a227c890e922e9638e379b99

SHA256
39b41c34c1dc6166c40ceda6c9c9c887479a70f0af639b223d4ae81715e164c1

SHA512
8ecd1727754c884d41af3e5cf56f9f432e3d72fa8dd87027b0b6f441a64129a62f61269eef610d8f8bd5da818b6db794aec1304ab0106a7f7253a70e7b3441b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dff043b0f39a92f66b707ac3ad6b2355

SHA1
1c739dd8bd89a8d39dc0d451607e5a43e50d9aae

SHA256
4d7d418cb4e193600a2bd05831f99da9bee9a8beb9dfb86f28d89d2165c8dc0d

SHA512
50e85c5be61cd71555da74491db8a1299998178883655aacf20dca52f1246ce9ae584ba22d954b242e732d952dcf61249caf5c3698fe127a054c5c0b49bfb36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UORESFNG\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE35.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarED6.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AU04IVDS.txt

Filesize
603B

MD5
4df88ddf6417746c80979bcd038f7d93

SHA1
3d6a25feb5e5adbbbad8951f76b7d02edd50e0bd

SHA256
c9c254fc9768e01bb0dee56f3cd736b1660854a0db53808cb95d89238bd16fba

SHA512
67fb92f06b6a183999cd8b0d1961ab67b318303df64e75b100ecbcbd0aa4640403ae1c8ec8a704e4a37aab653fd39d87ec2646ff64c966e4226f3c647e42aff9

Download Submit