d13559e3f89ef853bb513ec853a738d77bc395bd1f9439f4076446b2aad9901a

Analysis

max time kernel
1561s
max time network
1571s
platform
windows7_x64
resource
win7-20231020-es
resource tags

arch:x64arch:x86image:win7-20231020-eslocale:es-esos:windows7-x64systemwindows
submitted
20/11/2023, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TGX V4 - 1.7.1/ICSharpCode.AvalonEdit.xml
Size

583KB
MD5

fc1bc59d9be1a1a6cec3f89a2afec25c
SHA1

8ac0979895dd60e4deae1c6b2cba2ebc9a491055
SHA256

4a15998403e903728c64c7120304c9e1144a3feeefb3b3e9284b7c4420d14f67
SHA512

b9ff4ce5da4044ed1abb9e14fdd823b721af5cb20852cded7293bc7712516422a9775f489a62d57e9c89866bc52d1a5de10ad6e052da1afbd3e9c2d8ccc4f78d
SSDEEP

6144:sFilxsTCj3BkjMG8AitANoPNzLINIFlhgTS9ycdxyhxlYbqEt:9g2Yc5

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406645944"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0BEE0CD1-87A2-11EE-B5E1-C6303085B124} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 407ad6e1ae1bda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd500000000020000000000106600000001000020000000f98bfd433d271958d81529a8c0e5239c8a9189a6ecaae1fc160d20a6f9c16be1000000000e800000000200002000000089628cb56e84887de7687221c3425cbf03e7301c8a0ef93fc126e5103424faa320000000f73f590f825692bd93b05c471e78384df9580ecbc9319b8289983dee6abfec7f40000000929c30d063d0a5b709c37f012b56a829a92208f2e880161a295cb5ec532b3051d5893e40a17d4d31f2065f0ddab25b8120f53fcd964c0b958bdf4e452ae03908	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd500000000020000000000106600000001000020000000c6ebed4eb7377162c780a6eaae5b78e8afd83ca6c45b106e701b603af2009467000000000e8000000002000020000000307a9a3dec61e0dd61d759cfa98367a3fe55877628ba7c70311ffa330651a20190000000248bda8a439d3fae309a159fa0e97b0d0847d0d53fbc879009decae36fb20a43e13ef0f7123b55c5d95d4ad3dd79268ec581f96fd751dec95386488dfde388049a3c2fa1d25db35e13b4399f3013555a3cadd467ed07dc507c0396810cb734388768533e4bf05d2fe05416c88fe785376814f66515fca425676817aa8c8c8ceb95e0b153d9c86ac3b316a9c164b143e34000000080146848d3020bfe21fa91de1547907a0cc1b26b3d580c2a9a4c7468e54b4dc90232d94e97a34b18469f13393d0b90fab0b66db826e5aa5b527597b924fe31cc	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2332	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1688	1428	MSOXMLED.EXE	28
PID 1428 wrote to memory of 1688	1428	MSOXMLED.EXE	28
PID 1428 wrote to memory of 1688	1428	MSOXMLED.EXE	28
PID 1428 wrote to memory of 1688	1428	MSOXMLED.EXE	28
PID 1688 wrote to memory of 2332	1688	iexplore.exe	29
PID 1688 wrote to memory of 2332	1688	iexplore.exe	29
PID 1688 wrote to memory of 2332	1688	iexplore.exe	29
PID 1688 wrote to memory of 2332	1688	iexplore.exe	29
PID 2332 wrote to memory of 2796	2332	IEXPLORE.EXE	30
PID 2332 wrote to memory of 2796	2332	IEXPLORE.EXE	30
PID 2332 wrote to memory of 2796	2332	IEXPLORE.EXE	30
PID 2332 wrote to memory of 2796	2332	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\TGX V4 - 1.7.1\ICSharpCode.AvalonEdit.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef9c6cb54ad300f614b590427d3b2cd6

SHA1
a1c8348221d342efe23c717ec6b20c3e69d11700

SHA256
80bab4945ee996e3d5398e9455f90c50488cc6861a18587550c15699ff1fdf4e

SHA512
ab80caba89f6697f1309f7f9f7d645b1830b6734b2bbd9f56b474b186492fc08963e836ad5800cdf7001c7881018fae92fe0890c1308a32015af6e7e917ba372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6496a99d4ae1391713d2d5eafdc8dd23

SHA1
a162e6a3e38ffac3ab7fa60af61815134125d5cb

SHA256
b4a03d9bb8d319773bbb91fee572dfe1c61668fa873ed17c7ad688b05386a4d2

SHA512
cca25eec470b3fec0af5c602e0051ce2d1511c1666f5f8ea81f377f8f39322253363154ad87945bd9dd4d266197d63a5ad6645ece81326a27f31a50ecbeb65ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a376e7e0cc89e4be25db507f73b7684

SHA1
a75e5d0bb754a89878210ec28352bd2db3c6e217

SHA256
95adddb4f53bc839b12ac9e6dd31c0eac59a00505ceccb4f4c3084d3fad2b28a

SHA512
d226c9d0991a07d93ffb17b291603421ca8f9476f908e585c6e28528c385a65d9fbb703e12feb2a451c2ed081dcab39d90e08b4ba260e993311d384362a85c15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3153567feb1327b43ab203528e753816

SHA1
725f2615ad2865e8d2a9c604a267d24c6c8499f2

SHA256
ab67f7c3104189ca45594222653cc67e9b96fdac41b55a035765d42d6a9a6c03

SHA512
1cf3b0b2b636d510d5851452c42e6d67fb08c53d37f0e05ccbb5efc91b004e78c269d5e4d74ed1fe97c7d3ce7970675e70e328c2b1e49de13f5b2c9cce943a12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
065511a8ef864fb8a1ffc92dfa7225cb

SHA1
cd862560331e9b38c48a5811e4ca631e0cf5cbda

SHA256
cbe3944686fce4fc609c8fd7552f46c0563f54cdffcba0b5c411a03798c61511

SHA512
1fa1ed80429b92bbd7b3c6ea67f400a8020c39cc1a76e36b87ea68d61f4e5233c378fd56ae08123b9a4497b73d43538f86944a99c754778d57b9c62f15da1435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13e5c31dac835a2d9df38b861525e497

SHA1
5cfa60b05429d1cf4dcf6ef4a238b7cccbc345e5

SHA256
998d997b338e9c0c987d8eb4440040ae161546de358f516cfd12888cc7524bde

SHA512
96d0ab8525bfdd1956854931a4176e7b6c642e41cb60b1f57efc79bde42c5a8f770615e65e8b076f1cfc621c2966b14d39439c2dc65adb30c14cdabdd942d626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e59727ac876ac54696ebe9ae5c9e99c

SHA1
66db9a2cd11190cfb0f43b7f1a5a1282944eb57c

SHA256
2070774541b7aa5aba4f94a9d567e74040b56c2a571123f34ae45a6f3bb1ee22

SHA512
9c146b511cb2ca01c2f3826954677e2897cba3aa2b02dabb74215426f1343e208ef51f96d2e43e645e14100ed4c96a5b6d2c60aea3abb8c114fb2c9673a22f23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e20ba8466449a8ce26bc32c22a73d67

SHA1
a8f12730e69629ff486dbf8f7e50bac05667e12e

SHA256
9b36cbc84faac67d643a394a59d9ee78e79f2d36c8d2d221274ef032dbe357ab

SHA512
1fb4ff405fb0a183e028b631c016f2c74d6dee6fb61f8dc849b739ec6153b65fdf93e9c39bb169a2c790e30acee6370cf459767846ae53f599ac3136ace266da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3ea2c75ea8910818b0015f2c1348a18

SHA1
11c593503eb520e92a8821db14c82f3a996b6c69

SHA256
28b2d862e2beb9001ef4e4cbf984bd139ece088499ef02a830edb46bffa0867a

SHA512
5dd87993c25cd5075cfb12e5df26a865e5dd55b42168e3c9779cb0ad515b24c8dfef97c9bd6121b98a4eb88ed7e7d8cb91abf6c02a7b33d798f472bb6048eb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8624.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8694.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit