43f40c70bee3af8015d2c61cbb7b24342915db3c6b89a80624e2f296e54d06fe

Analysis

max time kernel
135s
max time network
168s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/07/2023, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GD/Resources/FireSheet_01-hd.xml
Size

202KB
MD5

390a1e32ffff76050744b88fa57c8247
SHA1

1649cdbca8b6f36c872889b791fd6b478038cf0d
SHA256

aa7e5d61c298018d54bf70a828e3c92245c3394fcea90f247907031435ad0301
SHA512

ad1f10790814f8304081aec308274c8e5704e6b59af8679ebb837c0c33ca6feb78db23014890837843b59129f71b2043148f01a5440f5eb12c99f9060553750e
SSDEEP

768:IE1LvaxO9XpbkROnFWJmdJOAtqQFZXVLDFsi:91LvaPAtqQFZXVXFR

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000001f00832015aa1a43acec67f9f15d0a8409c2c7b6c142ac0f0fecb50eb63820000000000e8000000002000020000000c4ff274652b6ca7d6ada440a65dff89273ada8496042ab870ffb184e82acf35190000000d4b41ddd2be9a1f2697039f8544080d6fae3dd58a61b38813e7cbe457a8ce98adf2e6f8181b58a35fd685b7910931100ac569ef322877cddcd17467f82ff860914c4a927d09e4f8e071a62107703a7750caafff661786355008ad8f97fe920b4ab643bd125133b03632360108f21ceefc81dabbda35ea6a62c2c6e48831c1e8ced9c879b394d23534167fdb73897cbca40000000a3e8b42c976d54f1886c8970fa96cc0cb2db1ab9f430a10a60bcb05225a1a3d7f2ad883309116115500ceef989a98e37ba9cb4c743a2c3b97037a3cee847c71d	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0676252dfbcd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000afd9494127c5c9577e83f5262d55c417bd6ea5a3ed566ea4cbe9cd7e97d25ff4000000000e8000000002000020000000c9b42d7c7999ba988b16229eff26e1a456e2cede83d7b9a417c81483b525565120000000ef644f31de79e0cd1b4847ca1805f816e40f1d181cea758d37b96faa889fc321400000009b7acc01a0aacf2e984a1ad3693ddc2fc50cc1691e2216a72903fb709bf4c8f4ed74d3cfd5296bf6194cff12b7a75b73c9db8cf3489294aebe1ea9e3daacc159	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396824475"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D387031-28D2-11EE-B985-7E694F6CA729} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2808	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2848	2668	MSOXMLED.EXE	30
PID 2668 wrote to memory of 2848	2668	MSOXMLED.EXE	30
PID 2668 wrote to memory of 2848	2668	MSOXMLED.EXE	30
PID 2668 wrote to memory of 2848	2668	MSOXMLED.EXE	30
PID 2848 wrote to memory of 2808	2848	iexplore.exe	31
PID 2848 wrote to memory of 2808	2848	iexplore.exe	31
PID 2848 wrote to memory of 2808	2848	iexplore.exe	31
PID 2848 wrote to memory of 2808	2848	iexplore.exe	31
PID 2808 wrote to memory of 2400	2808	IEXPLORE.EXE	32
PID 2808 wrote to memory of 2400	2808	IEXPLORE.EXE	32
PID 2808 wrote to memory of 2400	2808	IEXPLORE.EXE	32
PID 2808 wrote to memory of 2400	2808	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\GD\Resources\FireSheet_01-hd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c687688fae545f39b1573d4df1de7e5a

SHA1
68f5c394a34c89f151b5b3da2941d85702c0caea

SHA256
9539051ed2c1d7ed2daa2c91a9bd6967de6be9ad97121842bbf272ce4a281e33

SHA512
984da59a4a85ff76ec585f96e7f3939aabb9884a3ee9232dac0c8d02175c691187e824c1bc5cb8b2163a864ee09b52917f3ca0d1ba71cd1ad8f8f817a8aedcd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4981e4d34375087002bbf02c4edd9af

SHA1
1e41a3e17287f8119aa0fed22d49be03a5d9c510

SHA256
41409a961d20fcc6f8e91251ec0d2437daef00a8660e0f0da75dcd0b689f2bc7

SHA512
0f9090edf98fc6d8097ee9190d8fb72a56608805366d689e2c804caf77e8f71d1d81a8560c62949ed8940ee803b7002c953b87b4daac85206422ca59697700e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8130e5d9e017ba2026dfccaef0d8af9

SHA1
9659413e0af4fa07c1d7292e2726899c3e9229b6

SHA256
651cbed75d3250e18ad8e105156eda1f2943ae367645625c8429eec008317b6e

SHA512
e753227084f8b13809beb56112a11352ef52a6dc08c9e54ec5e5fc986829fdedd0a8c8c52c2512d7dc4b4b23a3c70dc4062ff7b705ca3a559b39a092e498454c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c420e865ccfeefe19ce860a35911117

SHA1
cfa116c9d0c5315578a73291f9ec5632e308d65f

SHA256
a7fe8bd6f902f704575ca8160786575a77e0fad850e772d86afa172aea938638

SHA512
52390f144b1f497444e175197534efabc501de6c050adad417c5a58a87dd95db9eb8eb652368886b0131a65b09c4767f5c20ee571f060e33b73264e5f7bb5b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f7f8900386b88e0ce1e8c2353863fd8

SHA1
f5934c6bd4a78a20df3951b5433baa7e3cf77cb5

SHA256
d7528875a849f01618aa0c2d94e4dab6995f1ab0027ab121424e9e576aac5b65

SHA512
572afad52df9eb4f134a3bb02731170a38858337819308d5dd7a538823378240e961b81863dd9611d8b5f8e64495d8e3bf0c08e1d9cafbd33deeb8c6b33491ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7666393f4ee1ef92303e1bddb87e8612

SHA1
74762bc9fa83b3aa755c005eb1e6bd72e7d94d66

SHA256
2ee07b9fd60cfbc000039d0f4d40c89b11aaf65657bed3cad346c8fdb88b407c

SHA512
73be8ea5f45c5c91c7f522f91febcaaecc8722b315e32517071feb23774cc897c8eac05bcb94aaea1c83b2533b492690853c282bdac74087e3e44b65d631ca1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1abe75abbd1816063d2d58040355658c

SHA1
d5a66e3279ea82b763562eddb94d6a6164bd86c0

SHA256
9c193ba9fe5d9b611c400bc9843de0c6abb88f2c9ca0850bd311af0a317e51c6

SHA512
3fab650f439a27931859040265e715250a8337eee5f5ae99aa84011eccb24a890e051e8e78507f022f6cf244c535731bb8ec4bda1dee4eb697a025dbb32f9ebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79c18001549226fb6359eb2f611bf8d1

SHA1
a86d88a46ba6a17df267c85a2b7cfca48c9dcd8b

SHA256
3d35cf74daffad3ae51e29aad9fe9f4b4aa1ea2d9298ec4fb1eb771ea6c1d8c4

SHA512
6c80d035e6c18780e627bab978e8cb3129522b71bc833d6ab13a804654682412da60a4f80fb0af8a86c3ce41d23b68480bddab241682c27e0f3e69c6287745f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d41ed58b24297193b4af06f6b72e858e

SHA1
9f98ba5ffc729c5947d07d79d85fa0f4d1353dcd

SHA256
7cc5b7deec369d6662828a82e373c52e80956a13852942464d3262e7fad746d9

SHA512
276a8aec34fb9dbd17ed83a718e5cc1f08c63cdf3e8b4aec1e5f5fbc2ab336e3b7e8c812b1ee390f590980a8819b57dcb9e08ecf89a78b2e02d8276c3552fdbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3994436924139f6f3a20140022e0cd33

SHA1
1095847cf010dccf8d011fbb8d0b37596bd1473b

SHA256
da9c1437d566b4e89168a6aec3e1d1672fc3c39a82a6955dd381cf681f3723e0

SHA512
91d645191752a7d09c45a571efdc1d3b63df459dfd0cf9040d65f34fbe7a49cbc1cbee211d6fbda1c81eab4cd3d85f49ea8eea1e5b998f30e4d95ea9e2afb7a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
beacd8e8c1e4fb804b3caaaceb0df2d7

SHA1
27bb7f3f9bbe69f595b5c7f0f4f1c8b0be0d0fbc

SHA256
f38d51268fb2b1b0f32e476682e011ac76b90a6f90bb3d521217eca9cd08909f

SHA512
cfca7812bf7de13a2c3f55e446acbcb68e91fbfbba371e54748056f6d3650ab2b313513b7dcc95001e0269e4f87bf6930f9eed759aaeed63a7b4d0dddff8b20a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9EM1SEHQ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE7E.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFEFE.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DI5NHMSB.txt

Filesize
600B

MD5
cb961877153b148489790cb6da4ee822

SHA1
88343fa4b102f7143d7ae4a8df5b3ec0708dc4aa

SHA256
c42ce753864c3d04956d4a7658be9497b20c5131d2a0393c959213075dcfa5b0

SHA512
e66e2e18403e6005f80c69f6b8cc267c5e8bfc67636757440046467ec82c5e0f020dde7f672d9ea315a64ab1ead67af29997b8bf8cec7ba688e1b4f2fb1ddc8d

Download Submit