005c66b92f2d170ce77c25a01d15061f47cc34bae8e7c75ae5a01a97617f1a73

Analysis

max time kernel
150s
max time network
261s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadClientStateSchema.xml
Size

659B
MD5

edc049f2e19347def1618f1db5524c28
SHA1

bec895006a6023a879c89210be508971c4fa5738
SHA256

3ac3a89e3835494d1604e37cd2c350cb61869b8d2e302818d9ccb91132d68b7c
SHA512

ad475cd800d249cc258e8bb924252e53caf0895b25bfd6c20bc4759b3ff5b45990fa75adc4778e143c4bc51465141a0c806999c0a9f7189c52fe54cd5c1811c9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{964BD7C1-441B-11ED-8C11-42FEA5F7B9B2} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000040ff9a888eaa549e5f1b3e2f44e1ecc92376c0d54fe6f47d743f4599352b7728000000000e80000000020000200000002eb2de34c3d67cd4095fee7837e20c29faf16929eb4522c789375dae825b0ef4200000002871ba39a8459b887d49fdb6d55f8c51c48d1e16fcfc57c80765159c040ae07e4000000024a73e64e11bb43c6096c5200b10b6c0c4e831dd637b0da78d3d65c1f7564fd8697636b61e7d0fc33dc2da6a0a65729dcbc39826188ab6bfa3686f803836d34e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b7b17d28d8d801	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000032d0cb54e22701984537744e9854b75d495b6b0ae49ccdac2fc1be6851631bb5000000000e80000000020000200000008353430048307af59bb8b7099f87616da93f9d8d9451d2c4c6d85258f622457f900000006c7964048e6f7c7a0a0af171e06617f6107ea2eda495a95ce384dcd6394463180d7f955b167257162ab68b0af59de875570f6e7fbd4d876959884af238a3e3ef6dca5f6712bbe9657dc569f03c539d0006d6e915ca18c69c2b5fe1226f1c6ba8db539693a4e73030fa7370a7e812f1072861a9bf918b36d9c9c200bdeae37a00af8b82a2bdf0149008f8f722c9e8f45440000000f100117ef7cd530539d675e89e8b1b22e336814d6063d3a84d35851ab5b637d5d33160ddd179dbb27a8bea8301cdaac1e880d28dc909844f76db508bf59c927f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371677077"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2040 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2040 IEXPLORE.EXE
2040 IEXPLORE.EXE
520 IEXPLORE.EXE
520 IEXPLORE.EXE
520 IEXPLORE.EXE
520 IEXPLORE.EXE

pid	process
2040	IEXPLORE.EXE

pid	process
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
520	IEXPLORE.EXE
520	IEXPLORE.EXE
520	IEXPLORE.EXE
520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1868 wrote to memory of 1928	1868	MSOXMLED.EXE	iexplore.exe
PID 1868 wrote to memory of 1928	1868	MSOXMLED.EXE	iexplore.exe
PID 1868 wrote to memory of 1928	1868	MSOXMLED.EXE	iexplore.exe
PID 1868 wrote to memory of 1928	1868	MSOXMLED.EXE	iexplore.exe
PID 1928 wrote to memory of 2040	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 2040	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 2040	1928	iexplore.exe	IEXPLORE.EXE
PID 1928 wrote to memory of 2040	1928	iexplore.exe	IEXPLORE.EXE
PID 2040 wrote to memory of 520	2040	IEXPLORE.EXE	IEXPLORE.EXE
PID 2040 wrote to memory of 520	2040	IEXPLORE.EXE	IEXPLORE.EXE
PID 2040 wrote to memory of 520	2040	IEXPLORE.EXE	IEXPLORE.EXE
PID 2040 wrote to memory of 520	2040	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\Instagram.app\Frameworks\FBSharedFramework.framework\SQLiteSchemas\SQLiteDirectThreadClientStateSchema.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7RXUGLX5.txt
Filesize
606B

MD5
1e4ac53a54f7bee1099af4c54c2706b0

SHA1
d977469a3ae5e55ceb3e188ca17696e599fc52cb

SHA256
01ee2eab3dd8fb0880aab9ec33e9fb8231aa805f17eb9465928c3331da5db2ab

SHA512
099ae6810e4b5bb0466fe84011d6a5d3da35ebf6c6be780728e9be196bc32b3a4ea6cdcb39d617ca823c556d9d3c4b4aa7b610d385c4f18f0a51e33354593c28

Download Submit
memory/1868-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download