43f40c70bee3af8015d2c61cbb7b24342915db3c6b89a80624e2f296e54d06fe

Analysis

max time kernel
245s
max time network
320s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/07/2023, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GD/Resources/FireSheet_01-uhd.xml
Size

203KB
MD5

60f4e238767b095d28a284a533b55a6f
SHA1

723b837b3a809d771ea9e7cd981998e99b3c6002
SHA256

21deb2ca5bc607b7df8d0abd22eb55e0082e05540b7e97e468cfad6e506a57c1
SHA512

883bd310bb521cc36ad28fc3abc5f68618db10d20cd2a5a4815de27aa419087354a4bd7288baf051d66f8a8227527cd711d5472ed0c0e3b4f070062c9a560ef2
SSDEEP

1536:XdPgNUP5CKv3plKu3tRBtUckHcBLAXPt4VXj/:VgPTu9tUckHcBLAXPs

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396824628"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90260aaedfbcd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8D69201-28D2-11EE-ABD2-66AFBA4EB959} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000792afeba8d856f8cb79baa5b524ad7629f2a25ca7a57bc32d034ff784d5bd35f000000000e8000000002000020000000de7713c3ebe8e3745c64bc69fbd12c3613f74280671e65103f078486e9f6aed99000000074de03b72da195aa36a32688a4b96484b977a39d9774f219cdee180538dd5e57286fd54127efa4d8da1cae64a9c4fa76e7b8505164a3fb2122a18f9352857bd68aee499437d82f67572d63b1ce9db7d39363a3cb51cf6378f5ea2ea1208d46c1cb8cfb751888b031f0cf519c7de5dc349eeee49c138207a87aefee6a72645ae17a30d8d84ae700d48e6ec3ca204a76d1400000008cd47e24dc6c87c0faaeaf3627b6d56404044d1f1dd03dcb1d5bf85f51c845db48e7f9ab0deb949fab45991a8b3474bf9e09f51cdae3528a941ffa21f148cd7e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc63000000000200000000001066000000010000200000002c14cc6b7b667d96fb9260819e25bef7854d3252c1ed8c03edd6227ebb04e282000000000e8000000002000020000000feaf71a8c470509e95709c9cae8d8b17e4c6195cc5917ecd1073ec9db78b67052000000096dc03369d7a583ab56dd782e0434c2acc5e672eb9b46511432e084bffcdd04240000000b27cce309de9b8ddd18e03d4d934dc2cfa2d3604b99fa13de6d59c44a64f370de9c5c81afa1edbb9ed20738e0eaf03b007ab363f17b224e78a678c65cc562287	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3008	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2752	2496	MSOXMLED.EXE	29
PID 2496 wrote to memory of 2752	2496	MSOXMLED.EXE	29
PID 2496 wrote to memory of 2752	2496	MSOXMLED.EXE	29
PID 2496 wrote to memory of 2752	2496	MSOXMLED.EXE	29
PID 2752 wrote to memory of 3008	2752	iexplore.exe	30
PID 2752 wrote to memory of 3008	2752	iexplore.exe	30
PID 2752 wrote to memory of 3008	2752	iexplore.exe	30
PID 2752 wrote to memory of 3008	2752	iexplore.exe	30
PID 3008 wrote to memory of 2448	3008	IEXPLORE.EXE	31
PID 3008 wrote to memory of 2448	3008	IEXPLORE.EXE	31
PID 3008 wrote to memory of 2448	3008	IEXPLORE.EXE	31
PID 3008 wrote to memory of 2448	3008	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\GD\Resources\FireSheet_01-uhd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d9b951da13f9742ec606618a7a08beb

SHA1
53b71930fe7537339429c9defe8e60420a539749

SHA256
9375f9b9bbac85d6ae3074a6b0e37265bc29f5356d1e7b5b76e7d649c9131867

SHA512
2a63fcfa25185969081cc9e84b3217d6b7c79982ff3ef322ad3e97fe4889a368f2adaef9dda7f1f9eb7537692bd4c351d5201c6c477af08909ead6b38b62c769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7eb702551fa53f468784e83f4b94efe

SHA1
6dc26bf93d0599a68f2f62392e4ac43c0337e8dc

SHA256
3e25a94b294aefcc462896451e50722c32a57b4c095829f2ad6ea78fc80bb841

SHA512
42046889cd0569634079900804a80a5b0f4c8677f2eb002e52bc4e7f40daba80f574ac88a79a373855acdb55435c964283307d268af306dae9e3978a11425826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d71f3f383f03536e9535ef9f4ba0e8e

SHA1
8ff7b05ebf831b4446496f1f3fa86fc461c0317a

SHA256
088f676c758cebc729a9f98dbc2f984b3c0ea4b5308fffb73db5ded69a18195c

SHA512
2e428aaf0f8dbb6bb1cedd8c18385e88549a5b603bfed942d4df9f9e9d586155394b1613af7817160ca2d6f55c94d4444449807c069c1b504a5ea91fa71be1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
812953f2ff00175893e52fa3b005c428

SHA1
9351d5f513bd74f87f6766228c79f88ec100eee5

SHA256
43367e3807585a44027aa239f79c35f9c114024a44c5d667baa9e0a468c8e42e

SHA512
391cb9d3566baa46242bacc1e902c4d0c2a01b3c4895b329abe65fe866c59cbd4bd30571c75ff09d1b4e3cebd6d150cf07ac8f2aa2dbbf28a17307dd8a262a28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2429de8dd91d53babe0fbc8d157959b

SHA1
b3c010ee5c5c351d9a690f65b61d372f334a7cfb

SHA256
3e4bb7ac2513334967376d9f35f742a82c4053c161757dbdc3538fbcdd4ad9f9

SHA512
cdf53d05fe7e3801827b3649548ed9d95c62c23e691180124f1fd9173051605344da10ca80a6677ffb129e5041917675c0acb03e2ae08f66e6971b9a6966e513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
723c55c7f980e48c0f781490a87ae9d6

SHA1
3e12cc4eb140c6da9e9e5e355b8ebb641f2a533f

SHA256
e65605e188fa84f3ec8a8539739a3460a7c20f498356225b5e6ab92314682b4a

SHA512
592ed1205058f2db389b30ee3db35c9328fe49be47e7e3c0afe365004652c8519382cf0a910d16d2f5c41ae5b1948a122bc662d33ca84e406a500a948652a960

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83ce72cc19d8ce47ab4b7d26307fb687

SHA1
5bcae3928b266c6c7c7f31eb5ddd63727802663a

SHA256
0412a5805a038eb81ef9f591d988e96eb97222dee832e0ca4e6f01a8495f923e

SHA512
fa0570ff812c3c15e1f6645bf9848566b4657a9797ccc4de7fddcc63487bfcdbe7813b94001b6fd8fad2400f1ed232317558909064aa2ac5f08a7c085d6acd58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
661a0c41f3610088963e6d80d752f9f7

SHA1
8e4348be15586c11dba0d198fb8e7a836053992a

SHA256
5399f4e99e068f35109aeae681d436da58a9a3976ba7bcf7a7bc4a9662066504

SHA512
2990ccf96d2f10a3724c0391729a3caf9a83c0e1197e8b685f85d6cb8e22478885462317c6920fa01ea8dad4b473a97307df5c243c04a63f34e30d96174b0973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa6075b588a0fbf1f7113f42df29e3c3

SHA1
1cbd1f2ee1389bdbf62aa405566239562e48b41e

SHA256
bb5be70b75dfe592ada4a6bbb653967d4fc5b782c9712c0d59b26158eeffe318

SHA512
f68e3b8a602ba1ad05d186fbe30b398a6a212f2c030dba3b56fc88cb407742837203d15684d74a25dc71c3ad2c7ccbd90bf7ce8b296294cc5024135e231e1b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88249849a421b8b97c3caef04087f887

SHA1
cab442c154261ceef2aa140cd5124b347d148cde

SHA256
417232a9627735dc26017c865ac32b37c09b1ea66fa5e78c0be1452f58634f77

SHA512
b7d775459d36b4ad6996e0fa27351d7ee051a05881405426eee022a07ce4621b89d6a80af9f7132931a5783e17348ef353b9b8e2ccae529ee1160007bbfeee7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b647d109ec434a9b9f97107bee3835cc

SHA1
dead2585e01a51fd7573506efda986fe70c997ea

SHA256
703e2a76c09bc96093176dbd3810eb835907448f2bfb3802765f463372a10317

SHA512
9c70e70669498d471d92d1385a86a2cc38859fd7b2ffcdaa4a80f8b67844bd3216efbe1a7ec6e256d99e2d99eef3b92d75763159e076a6fa5c1f2fdcaddd4650

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6314c942dc57602f08e5ec640df6ab3c

SHA1
bc7fbfef51891a61966845ac00f43c3918fb3d40

SHA256
f78a81d4c4a2459626a49c53580a504a7912431e5aea7aefb3d4991769ae4f49

SHA512
7fb57b826e2290549d0c5088ea8f077b5165301c632f0f6c6c942ac37c52a13ab86d3d63e7002d568896fa2a679a8b96797e188c6a1efb5a0ea87ff1ed260ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULULORKV\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab55B2.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5612.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PQDTTQ50.txt

Filesize
606B

MD5
b2d5cc499349ffb047f07b71af351bb0

SHA1
f26b84344ef84f25bbe7d35b953e146af418aa90

SHA256
8ff6bc8ddd0bf62ad3feb40a40ab6131c513f085e5f97774621d16a3ebd083a2

SHA512
627c2be22efd65b25ea27cc16a6d60b94c19c79aa765da40f23e8f59125960d1be5fdaa05db718a3a88f0b7ca0ba928c582e5c93dad8e8de546460a681effc5e

Download Submit