43f40c70bee3af8015d2c61cbb7b24342915db3c6b89a80624e2f296e54d06fe

Analysis

max time kernel
134s
max time network
166s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22-07-2023 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GD/Resources/FireSheet_01.xml
Size

202KB
MD5

67630fd426489c25e4f0152eea5667a8
SHA1

8276316ece43e3814a1b00e992bb3981d8bc9613
SHA256

7e38ba081b2c63e88656a3d6ed2c72260ff3c66483a29ad94f3e9a52cfc6a2ad
SHA512

175ee4505cccd736ca0a8b2fb451dcf9ef82b88f3df8f3238b2ba5ff66a235629f87eee577b27e69a1c22349e9bc5739e5af6983db65743238ebd67cb4258971
SSDEEP

1536:N/nPQ9RuUIn7Czlz7rELNxtD+ccHhWvAvOA/lgdjdhdFd1:y9RuUIn7Czlzt1HwvsOA0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72A0A571-28D2-11EE-9806-F2F391FB7C16} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000000f7417493b4f337581e1fcc3f31257838ef157672b30048391dabba879997840000000000e8000000002000020000000e1c0a65568099ea31d946c9d7081bd444257bb8bbc4924ae7429d320dc512f6820000000a79b1829c5a92b7dfd771a13b144df2ad6a2ba60c1c37cff754ee32a9f3459dd40000000b53cf7c445ac10c9be29d11a25aeb27e79625bb2fb612867c213834a52f16d7680e1013e8dd09633d07144e7f7c1320b94f12eb9a268846b97dc00db1398ae5a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396824457"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30247d48dfbcd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000db846f247cd3cbae9f34d56e549a2e6b5e66db4d9168b06fd9dbb4209e5d5030000000000e8000000002000020000000585f13d470da0988e079d9a58260a8ab79ae590a40d1a358c241f00baac2a40690000000068108d51980fe208f8f08b15dc4f0492eab4cb98cc343c001c218599c3f56b52ea8cd4503d9a63517406a1a8414bfc57b494058bf7388646f74af7d6e80a68cc67b9ada4ab3a56f0aea05e5c62ec8105f213b98f1ecd1d75f97ddc710bdd9edd9aad32ae2a1a74c15132718df6dbcfef7966e7b4ec885653a5f56009a12702e8a13bccd46e3205885cc0d0a4cc41bfb40000000a72146e12d871714a879b8ead009ff7f5188915406eddd11cd541a11c63e16971e8f8ae750be34c3d75015f55a8dd268c71cea0bb7145ed99fb26422a8c4ccd0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2840	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2884	2772	MSOXMLED.EXE	30
PID 2772 wrote to memory of 2884	2772	MSOXMLED.EXE	30
PID 2772 wrote to memory of 2884	2772	MSOXMLED.EXE	30
PID 2772 wrote to memory of 2884	2772	MSOXMLED.EXE	30
PID 2884 wrote to memory of 2840	2884	iexplore.exe	31
PID 2884 wrote to memory of 2840	2884	iexplore.exe	31
PID 2884 wrote to memory of 2840	2884	iexplore.exe	31
PID 2884 wrote to memory of 2840	2884	iexplore.exe	31
PID 2840 wrote to memory of 2436	2840	IEXPLORE.EXE	32
PID 2840 wrote to memory of 2436	2840	IEXPLORE.EXE	32
PID 2840 wrote to memory of 2436	2840	IEXPLORE.EXE	32
PID 2840 wrote to memory of 2436	2840	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\GD\Resources\FireSheet_01.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21357aef58a5880933910d04f80a6e78

SHA1
a01b0ecef1f941455bf01555b6cdd876cc8d5c9c

SHA256
2e93e4ed3427167bacd45ac6e9f36fb53a5bececffa3f088ebec0396b52c097e

SHA512
1087b62631ff5b9eaf41b56c421632ec417a2d15ec29ecf88eb0f9cfe2ad006f04450c6353d41f8d81fc91cb7dfe7ae96d3ca1472c29b2bc84cd44a49c12331a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a4270d1d46b9d2e054f9851ef40c01f

SHA1
3b5c91c39cc443480ec90cb8cfe35055bd9e63af

SHA256
caf9690e94554380e3ca77a7c1a6c3443c54fc6860d535c785fbd6a0848c422c

SHA512
a6539b9df1d58c2f21551d8ee4b736261ec52a37c8fb840cfa884eda431345f0c74c7e2e5639a0cdba9489570198e5c443335dfa31920cdf2ec6a7a239f84719

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be433f6e04ffe219aaca3c463593537b

SHA1
e9e1fd74b09690d9213ec069f6a57d178725b48e

SHA256
f7a5e2d1f9588685d7eba4966e29683a2546b26eb995ae23c244ebf98946cf9d

SHA512
6d97209eb55c14a01437514bbe358c1242932f4958bd5d7cac049654101fac111a2929725af529d9ace3fbf66893b0524654a73e2a2cb0076b08a50505e93c89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7fd9fb1840f858cfdb8a6354e08a5d2a

SHA1
5989f198e341c00b8e61f0c8cec988846748d12b

SHA256
3fa21e8ec2da0e4cbd8df9a743a31abf66e8e57065e89127620ea7f7adebeeb2

SHA512
08e750383b0fe11897a8f71b9ee082f0be899c0dd78431e920d3dc244b69211783cb8a038c88d4cc728fdc853dc7e772a024db168d36750a134fb5ec48eb8e73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4ddd0366318f9641a6406f05837c6bc

SHA1
f80f6df003fbea3ddcc84854f0f1d83a4961c8c6

SHA256
800be90e47f7c24d62bd8e992eecb4f4936adca10535e90b0a1f75e6e8df6aa3

SHA512
b85d16872c9aa674aef93348a9cf1e284940e5da417168bf745587a99f99e20a0e53641c7629447b4d93ef4872da4171296658776183cd2305621b01d292e9bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
339a49a3350915df31eecd8281fc1e41

SHA1
4f2b36273653e0630c7128938ea9ceab01f52ee4

SHA256
47b106f3cf451efc59fb18b7b3708e5b6923e81ddec253cc8ec28ae8990af0c2

SHA512
22229816d2199f3bc45e08bbdae9d00114ce8fe86f49b533b20446fe0d66026684c229e75b0c63d33f80b77eb19d2ccf7d76d360df834e3a5952ac44bf5252b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76b8320b2a428f55e48289a7cc9ebe2c

SHA1
5df23b6b14ef4740f5296cdd0a73f06b41b2254a

SHA256
5ea5baee0bf8dd99a7e5b0e1945de3ad7dba6b5259d3c85a670951b9d92e247d

SHA512
e107c5ba1c6edcafcca16b4154a50d6842c87c8661210862961719142ef482896086bba51f07dcae7eac9a6496618320ad9045d3d8bfff23715b35cb098e7a75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
535fa1f22f5a80b29d8e99508f210e3c

SHA1
99976d9a5f9db093e0159ddd6c51a2d957c36d60

SHA256
a057491fc559a0e5f6715b100c5f8eb6c83adb1769b84e55c5d7fab70ecf2548

SHA512
572395e6becc98ea827e47d08492a3923cf264bdeed9e25185135ba9037731178ab1734d91dc5dff2d5931229080ca1553ec90e87feffc24ef06499564793e1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80abfa185eac29fc53ce11c2ff845fa2

SHA1
0d501e91aa5bad3a9249517da2501c3a888f4108

SHA256
4933b45a7f80dd07e7b5d6592f657eb4df9148e3b8189786189adcd5586e28b2

SHA512
3422b93982143d1482703c40f57d0fd1c4369cbded65b03143d997dce173df8049f38b7367ddcfc48b98b66226a277e57848b121aa6e4fd0b589ae55a4484261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2UNMO2B\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2427.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar268A.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E90TQ3M3.txt

Filesize
600B

MD5
e2fa7d2da46fd5ae90721b8e8235cf0e

SHA1
fb64ffb19b0f44fcdafa06d743d3a3339b71421b

SHA256
5361c3a2ae07e470c984ad69449fcaec9699628f008754b89ac5c3d15d118972

SHA512
d549242cccab8dfbb403f24f66118bd73c24f362a46aae7039bd8e15bd8a564b1a3b0c97baec0b8b7e81c697452af555137bbb667b4c58ca4471e1a38706280b

Download Submit