Analysis Report CTR00068CP1XML.XML

Overview

General Information

Sample Name: CTR00068CP1XML.XML
Analysis ID: 358586
MD5: 63c074333d2e4746d9da321c93941c4a
SHA1: 6c8fb2fc7414107b7cca214dcef3bd30e3885041
SHA256: 7c8f599200235035ed03dae5e18da4961a71f4f381a02b4b479172cb13a38538

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: msapplication.xml0.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x27191d0b,0x01d70bb8</date><accdate>0x27191d0b,0x01d70bb8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x27191d0b,0x01d70bb8</date><accdate>0x27191d0b,0x01d70bb8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x271b7f7e,0x01d70bb8</date><accdate>0x271b7f7e,0x01d70bb8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x271b7f7e,0x01d70bb8</date><accdate>0x271b7f7e,0x01d70bb8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x271de1b0,0x01d70bb8</date><accdate>0x271de1b0,0x01d70bb8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x271de1b0,0x01d70bb8</date><accdate>0x271de1b0,0x01d70bb8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml.2.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.2.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.2.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.2.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.2.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.2.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.2.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.2.dr String found in binary or memory: http://www.youtube.com/
Source: classification engine Classification label: clean1.winXML@5/14@0/0
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{51D9031F-77AB-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFABAAF56B4E43D88B.TMP
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE 'C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSOXMLED.EXE' /verb open 'C:\Users\user\Desktop\CTR00068CP1XML.XML'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\CTR00068CP1XML.XML
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4584 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\CTR00068CP1XML.XML
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4584 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\CTR00068CP1XML.XML

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (rendered graph not preserved in the text extraction)

Behavior Graph ID: 358586
Sample: CTR00068CP1XML.XML
Startdate: 25/02/2021
Architecture: WINDOWS
Score: 1

Process chain: MSOXMLED.EXE started iexplore.exe, which started a second iexplore.exe (child process).

No contacted IP infos