43f40c70bee3af8015d2c61cbb7b24342915db3c6b89a80624e2f296e54d06fe

Analysis

max time kernel
140s
max time network
164s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/07/2023, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GD/Resources/SecretSheet-hd.xml
Size

8KB
MD5

fd1b8ad2c4307a1ff6a6bcf696b327cf
SHA1

491072085cd021ca280485d92e22b5e5bf750251
SHA256

e8ab94b4318da1b011e95cd06700fff9adf1a2bd7e20ab72dde7a2496a581035
SHA512

57460ebec83aa4ccf75dc3b22cc88a469715a995db1b84d8672b1659f6ac7690fa2365cd9a55f6058fa2c23e679768dc026cebe0363b41d31e6b0597fa82faf7
SSDEEP

96:/y+sYkuDXoSYkRvn0cBkYke58JZcYkxd+WpKJYk/NBBQX7Yk/NnHe3Yk8aMK02YM:a80g06LGak+XQ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000002a0ee49b7e10774bd98b9a5a159007989c5afb8db79725396bf2be72dade58cc000000000e800000000200002000000011138092e42e6a01b41fdbc73c4b4f713f4887dba63db3c3f44a247a937262ad20000000cf5e194c58174708b5744f8e768274403e18b97574571fe66dc7beabc2e09b1a40000000fd219db9ecc099a0005f6d2bd380c7ed33242d039aba051f44b5c9c991513bf7a3f344eb0dfe4781b243d0c1e89bc149f9cbb2720f331bdd81aa9f6a2d5cbac6	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D98F721-28D2-11EE-962D-EE35A7B3029D} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396824475"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401f7252dfbcd901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000f70d318418be3317adbc63af4833d05406b12887529090324922e471800977a5000000000e8000000002000020000000515c041caafe8f688b7831e18b6c4dfddaac214bf888d31dea3d07643d7c18639000000036f9c239f50dde4c21c62e2415eadea693e731831d65275ddee38634455a7d7575a537aae92d3803568dd80ed5249b28208affb056a334fe230c04125e0138a5f912ded4e78e73cf7abd359dea1803f7cd4ba3cbb9795bd6bb03d04ce55ad1266e9c8a7ce67d910a89c1f689639aed66e04addcaa3755b5cfdf9d53b0f4100b49647e6714ca033a70310252859b1aa464000000018f5709f54d7f057c4844d5991689e5b91f778c90059f9594690e6303bc122b053e83e80f9d16ed56c586989e3e4eb47bf06cecc77756de2143a6c76e83d7d68	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1100	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1100	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2392	2172	MSOXMLED.EXE	30
PID 2172 wrote to memory of 2392	2172	MSOXMLED.EXE	30
PID 2172 wrote to memory of 2392	2172	MSOXMLED.EXE	30
PID 2172 wrote to memory of 2392	2172	MSOXMLED.EXE	30
PID 2392 wrote to memory of 1100	2392	iexplore.exe	31
PID 2392 wrote to memory of 1100	2392	iexplore.exe	31
PID 2392 wrote to memory of 1100	2392	iexplore.exe	31
PID 2392 wrote to memory of 1100	2392	iexplore.exe	31
PID 1100 wrote to memory of 2828	1100	IEXPLORE.EXE	32
PID 1100 wrote to memory of 2828	1100	IEXPLORE.EXE	32
PID 1100 wrote to memory of 2828	1100	IEXPLORE.EXE	32
PID 1100 wrote to memory of 2828	1100	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\GD\Resources\SecretSheet-hd.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1100 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b971432ff3b5a529f2774cdcac98c05

SHA1
0445e96d02943915d0b8dc7ded11f5b96561b91b

SHA256
cd01b5b512a2d80e2526e0ef428514c0d8375f8a1bfacc0690e5929a9bc943e0

SHA512
c23e0b70e7e0eb6ec22622e4b0d874eb925ad5ea14a77ed5c00e87f372d4abab13407927b5b8c5f592982b3c6536fa7e606d166f31e57e21ad7e866b7450b729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4781baa5600b93729ca4dab01d90354

SHA1
52214dca79d5c3ac911a522f24582e9da7ab45d3

SHA256
f89d08d80e76e116484f137b318210eb5953548cdeba44217af6f651a04d6fed

SHA512
c703512d42f1e4512a4895cbb2b0ef22ef11ed268d55908d99163a61768bc7e80e64320bdc36f3e8f34ca146205227448144a5a0df2f1b84816688c38c2c7e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5386d1150e80a829a0681eda362f633b

SHA1
f4ba9cb355c9dc6232435c24adb2c92478664f6b

SHA256
423a2a9b4ac16e6538870cdf60bfb9a72aff963c39e70c53407400a32bfa6dfb

SHA512
374610abc350fa2a89c05b14ac4213c41d700fe4fa48c11186075a73957ce92d70717063a59a3a86138b75e57934f89eaab60b4ad87f581c736c565bb7384840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2db40cb634c6fd3422a12331aeec3c0f

SHA1
69f5589bb2b1ba0e81425afa7f0cdee26f4905cf

SHA256
1e36f27996497a19af4826e2d493eea28e1b2397f152aa42dc800aa7885cde1c

SHA512
dd36f736cbee42858dee9d89f8aa0a064abebcc39834f3f062baf1bcc9d606c5de00270266f63a185e64aae1bfac5edde3d2b9b76bc1dac8a0c07aea120183bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3499e73ccf310d0285e5e441d6eeeb69

SHA1
8a20a4b426639a537d54f3b3869ae6e9fc71322e

SHA256
bf527ae3a4f80065030cdbf3edd005bf7dc80f053a9c3c65d158afd8a5dcd699

SHA512
94282bfda712298440a8e7c6604b812945c5ce41bad882ec5b90f61c72ec5cc33c466562f47f0cda6954f0315d32087e0309aa7c2f6b907c03c0096d1fbcbd0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f766d6b74839cf03ba380ce3309f265b

SHA1
7c2571e93b78045bf2a78d67dddc42698e20d348

SHA256
8d3598d36038e1141e6a3a9e238eb0a51ad1e9032cda30497f8359a683cf5006

SHA512
e62bc956f11faee0bbe8ad1442ac8f4b0ffc880f6045c984121bfdfe9928cbbb5883b4b80bf76f310527d775572907307aa3aab2134ccfbde03205496b5e0d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da780a3aacac5293c70b6ffb23744181

SHA1
65dd4c8c8b4451b7c03948309dc928b560114ad5

SHA256
e50c9f2e4b30b5f34116f2df2c7f7699bd882a471a387d522110c2693e577b31

SHA512
5ed16868c4b9eb68112daf7a7c2f41768f67deea685a81801edc46cf9904986cdf1bc97df0e137ec93b4cbbbd98e1a3cda95bd51ed2ba5f2242eb7d7b9140a19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bbf2d299b90d9090709670ab582fc57e

SHA1
ed55d75d69551657889a01f2e6729b7289b33d4b

SHA256
e6ef29644061cefcd1c5d505608d9b35f0df7d3329a4de7f349f441fdf8dd47a

SHA512
98a888095497a4d0b40617bb20b900f0de8e09851385fc1fd20db56d4f0a6fca46a53bd13c4f60e92959c361cde15319769a464416f6a9753e86b117cfaa8c92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
edd2814bcf8c5f80d5d5f37bb71a451b

SHA1
7d2c119b7348df10f44998eeb41455b01ff6d70d

SHA256
057a5990ff244b31cf57cd6bcc060c9b6dcecb87e004e6ece9ac901a96d3b1da

SHA512
d0fc58253fc93c4c51e707c0a72eb20e471c680623b147937396135b134dd3b8275f05474353c446d770846f244a9fd08f2b930ef1c8ed2fbc2f5227b60e8f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9EM1SEHQ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A76.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AE6.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8JICT7FE.txt

Filesize
600B

MD5
e170485fe31f87cbea5d0b802213ddd0

SHA1
f56384cc1ca6bdd5bbf354ed8883caea1a5a314a

SHA256
3c79860204840563e669ce794de557c250811fc5a08a9805e1f725483232dd90

SHA512
23503aa38ff1852803c9ee13e5f29f9008e3eb845fa607447f75e9c55b4562af0d280dc11dda971c04e45ae6d16750567a627fad04f7530225add769ed62c6de

Download Submit