8d3cbb361ad830c50f9e46fe912cd04b2c9d1ca571124e7ff4c59c30a6865aa5

Analysis

max time kernel
154s
max time network
172s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/07/2023, 14:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

launcher/images/logo/twitch.xml
Size

2KB
MD5

8e7e38e2028158047bae152b27fc89db
SHA1

e58c35d798e82fd636eb49af3f364cfd416b0d8e
SHA256

52f3dcfa89e2dc64a9f7a922f34980c4fb221945c86873c9ef9af59416c83cac
SHA512

e82a6152108482413fac0b9d039b8e7086146fd609f111a3ef768a1b9a95b0941c294b797ee454322680195c0b58c115a498e3a5a31b5198ea3196883e40a036

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c000000000200000000001066000000010000200000009ca9ef20015650c2720ec37f709215d18f188303ea6848a1ff3e15a0b3a33b7b000000000e8000000002000020000000b5ae7bad6d6adb9619cacbbc86161f3a6ac41e6551736b5567b56c4d4ca64c652000000019be75951374bdee5ea239bc936f6a2166b6216816bb0dbf80cd9a8a9f55278940000000f8b0123ccdc7ac26b4a6c83fd63be1ac819200015788a2c4a09359f71adb535b7cc27c231e9c65c4f6709bb31789f031d2a2a738f3179a5e8770b3aa2ac4fb0f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396886530"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8A5D741-2962-11EE-ADD6-5E6847EBFE3A} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40482dd36fbdd901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c7eaec47cb7afa4887efc5e3f3ae1d8c00000000020000000000106600000001000020000000c63747b5f5eb4904a330bbf85242b2f34b538a592da6ce4e17a632cf8ac34f3c000000000e8000000002000020000000d5f151b1f1d242772011076787593090c0ab1a10e11a289e11afc5bf0a43d81490000000bba8329bca9ecaf89b3e03bf97f51c496aed141e7301e5a92d2bf72d2dd753d5622572a1c74ce7d0d2cb94818430e9baab45c4fa067005b03d9a5b430d7e77957c5aa94afb1102c41172a8680e68f22a86cb87ea8a44ac7a975d171cb3c9f7a87e6cd6af9179084e196331453c4916092c131cfb5412406672f5dc3fd23847cc23ca91d581eab9bb9548d0fe6215ce65400000004c1d530235c289a21b8d828bae0f74756b3e93e171088a303353cba4745bdfd22a031508e8b9a42b071a5d3fafa7e957b28a7016b7758151b0f06c1ea65e1922	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2080	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 276	2356	MSOXMLED.EXE	30
PID 2356 wrote to memory of 276	2356	MSOXMLED.EXE	30
PID 2356 wrote to memory of 276	2356	MSOXMLED.EXE	30
PID 2356 wrote to memory of 276	2356	MSOXMLED.EXE	30
PID 276 wrote to memory of 2080	276	iexplore.exe	31
PID 276 wrote to memory of 2080	276	iexplore.exe	31
PID 276 wrote to memory of 2080	276	iexplore.exe	31
PID 276 wrote to memory of 2080	276	iexplore.exe	31
PID 2080 wrote to memory of 2920	2080	IEXPLORE.EXE	32
PID 2080 wrote to memory of 2920	2080	IEXPLORE.EXE	32
PID 2080 wrote to memory of 2920	2080	IEXPLORE.EXE	32
PID 2080 wrote to memory of 2920	2080	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\launcher\images\logo\twitch.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5f3873abc1f42151151a0c748692f8dc

SHA1
4b5bd112733ffbbcef698415a2793ed9417eb516

SHA256
90cc60326ef260d1a1e20932c9989f9ff886d0a2299f362a64c8c2e40f9cd153

SHA512
c2e03971bda9ef535bde1589ecb9b5a230ea6710c98a1b7a8fb10bc9fade9dafd28af26611b3d1bf127f614ffa69a8333d6472ba722a78003b571737d6a9ab43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4abfe31020b45cb6d1a8ee10f6eee718

SHA1
26c3fde0fc06d0a9929a562fd4de10df50d03e05

SHA256
7a7e7bb6f7107d3a627de3f166a50e5cf78eb409f335f0bc04215a936f1fcdbc

SHA512
0dd43c9e7b229b0e9d5bf65a370ee196b458a4433b54a71c2a4e7efab445d13c8c6ed7b2a73aaf8d756bd5e8527cd9c568b6b9623c2913878d77d3698941430e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
098b0f08a379b7209f83907e808454c0

SHA1
f390609e4a7c05ca62a370cd7dcc3ce25971dda1

SHA256
f552f3ce8070d2704ed81402ea1267485a07cf595239b8e2244857571c7e7fa8

SHA512
540310cda93d63274198278536e2530297e10b9e54e61eca806426b32a6ce599f93c29155cf010daee8ec7258a3a8c9a9728fad536c4bcf786429a845f3dc63f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6bac0a08a982a5a8b0b00b928d093276

SHA1
e40416070ff7c1db219f5ba9c8ff00ea14ba7da0

SHA256
7591948d1713b32f1f9389887034b3eaccfe9be2e2393c6cff1c7304dee42559

SHA512
6a421a722a963bf143519cdb5510a17be4789dbdde14f069f49ec8a590d2d7efa5c1a7990016d7b8727da18254bc4e5d838b5b36d8d028691a62d2819c5144ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
21cc00a89b295b394b53743c349e1397

SHA1
833e6886db302f1d7f9a2f105e68e388918ec55c

SHA256
352ad7cd247b1a7a532a18a4179461fe3d975854c048a52fc9a2bc624f8a4cac

SHA512
e85da9ba6a521c7fa56836255d072ab62c086771e3ec8c29cbae9de7f8ff4156fe36541ba7b983b93a3cd9f2966689f0a965a3dfebafe615b595a708408ed2ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
35117a8b137f609d6855f8a3d3962ec0

SHA1
0bafdbc856d8d1831b55c998b937e62de864b3e2

SHA256
91d8ad3db3829d840b849bffe8590fbf2463729dc23ee8d1b4d52ad62c18a00b

SHA512
7ec7eb683e270c2599449b8efac0fb7f2104db3032f23b47c24b16a7d58942c2c7d492e6bfaea2f224bccbf997649aac19b70b93d3018acc2fbd1e8c230e9cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
82a83c990bfe29c05e1f4d55fcc82fda

SHA1
8f6daba048bc19f53aed7180f2712edb0402f904

SHA256
9433556c4849d3c35acda4e82432ea887cf384f37437e419abe6fc6c4d9241c8

SHA512
84276698927a54160e1ce9e05fa6912ed47a9e90aff711819feaf5a6259642756d67375a34ded83ef0f6115f985c710cd0aa844b1352f080dbb9906f00c4527f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c6b801d19ff972056cb2fa5470f108bb

SHA1
401e15e7d4934b259ff680449db4eb980ff15745

SHA256
82b671a015423ba98b0a713cd4675c3b0f5846bab189c223d9a9afb71079b557

SHA512
998528b5370e4e2170579b206c103e2f53e06bc86687965bef2d0087ce10bf801ca887a01f81196e8a2fc31e4b958ee4c0356177e639ce1ca96e0bfdc9719026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5cb3d5e89d02a5331c6717e1c8ecd107

SHA1
e036645e052fb116699b21099a71fb566a94e5d1

SHA256
e48ae9a40d9c1dbde1c268b9b9f2b1ac74be39a9e7d37811bbe428cf52343947

SHA512
b1f616159d61181d63660dae0d2c5f6d59a3802970d7a1c4bf5b8d70c424a19593228a2b2edf3ce4f3a3f62b416f78f931ca89120ac63dec73ba3bd02dedc9ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
732629ce499c507e890e609fcaa960df

SHA1
baa95208a858035b40ebeddc9b56ef2932db5fb1

SHA256
11e7968f493d325cbd47e79175000b2d3a55d1b6dddb4f7981f571b729956291

SHA512
847b2f4fb2809a646b9980030225644f0d10ea13409d4f67a27bcbe57a47e394b2c8c4dec92488871c03c1e29301e92eb654071801e4323e6dc482cbae4945db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9ebeeb4814eacf3e2876576f37cb4384

SHA1
1ac9a82af68f80a47b5d8a08de551fab1ce9e227

SHA256
df758fe30a5b99bf80d21b2852b8821593010a7a71b1ba52cf9ad677e1985ea2

SHA512
a3107eee5298dc31e658eab94a35f558b5207c9b6420947bbe33c4cf46d430e8041d81dcf9a5ae9e6cc625989af63bfbc51b998ad13c46b47c7c05849e071142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8AJTUMOT\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAFC2.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB013.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZVHQPJIA.txt

Filesize
606B

MD5
24d40165303e17633e3f71fd817403fb

SHA1
13a075a456ca9649681cdc77e9e461a869858ae9

SHA256
8d475e8d33153293a7fbd26e75c3f8784177aa087fdffaec7d31287e99886666

SHA512
9377a05d0e89b0bb2b281e4fcd89555c8decb53753a16a9fc621360dad6d7adc00aceb6fafb38a0d793d0c8be4513d8ac98d242c16307ac6882ffd056a97e535

Download Submit