986c071feabb74f5805428203a84f7bc08df4812de0c32aeda063f4793bafd13

Resubmissions

10/05/2023, 15:05

230510-sf581sad3x 1

10/05/2023, 15:04

230510-sfnnzaad3t 3

Analysis

max time kernel
100s
max time network
140s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/05/2023, 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photos Library.photoslibrary/resources/cpl/cloudsync.noindex/cloudphotos-1.0.xml
Size

1KB
MD5

ecf71e5dbbf4a1f71c5c5e840a1cbb81
SHA1

b779c2862310a0dd5b70c8b0fece82c0c9d16c76
SHA256

a9de7f3064b87dd4cee987f6862984bdeca09b9f67a43ff05a960b4f30dc77f4
SHA512

8425ba5370469318c17901af5ab3231d4342f5cf23480806794c1b5e945ca3fae9f93082e14cfd7fe61f0b517e27db3958fd9ef077213497f3e08f3bae50ab2f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc4589900000000020000000000106600000001000020000000420c25e9680eec628677ba883a55e59f2a25f896ae4a6bc9f8bdc0f5e1840174000000000e80000000020000200000005dee7e06a4d5e6d9392b3df64dc304573b220f84bdda5aa9a913213187f0c94090000000845bfd6a494367a7d539fb7feeb026859e9020ccb7e9feae23677de0ed17cf778c6cf8490c2ae3a00f05627dd64ab806bce38708936dd261c2e0df7a3a687b04c390f018f11a6789644d6c527fb1902dcab2230b7255ef3e6e711f4d5ce2a92ad25de10d4c5f1361b005d6d6eabd14f40efc72cd8eef3bec6c49d0f9e8178c71ee9eff446fd254865ac5395857cc8df7400000003da4b0652feb1ce76c6d2374bfe8e5f1052c23ff5ef9a11b882b1a2092e1663fcc5f94ca5ea98685d778fbb819417e8bf455761f0737c7e3640700d3b9729a3a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc4589900000000020000000000106600000001000020000000fa53438a538320ea4d0aa9437fe27d200bd9da687ab11677ebeb7bbc538b522c000000000e8000000002000020000000452a23859089ef487a0eafbaffcc3e840582cc9e7bb147e279781099041f03942000000048cc71290332ee605c96a0f7eaa811678e14da089b46b0065a69aa6d903a6b1b4000000015089c738303734085c17d4d0ec5902ae6ca88980fe35283fa4a1eecb33ed2eb8539661ded40568751f56678b39f1c51aed23350e2dc558b6906ed31d7b5382d	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BDDB4A71-EF54-11ED-88B8-C6A949C40DC2} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909d8c946183d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390503251"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
112	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
112	IEXPLORE.EXE
112	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1152	1768	MSOXMLED.EXE	29
PID 1768 wrote to memory of 1152	1768	MSOXMLED.EXE	29
PID 1768 wrote to memory of 1152	1768	MSOXMLED.EXE	29
PID 1768 wrote to memory of 1152	1768	MSOXMLED.EXE	29
PID 1152 wrote to memory of 112	1152	iexplore.exe	30
PID 1152 wrote to memory of 112	1152	iexplore.exe	30
PID 1152 wrote to memory of 112	1152	iexplore.exe	30
PID 1152 wrote to memory of 112	1152	iexplore.exe	30
PID 112 wrote to memory of 1756	112	IEXPLORE.EXE	31
PID 112 wrote to memory of 1756	112	IEXPLORE.EXE	31
PID 112 wrote to memory of 1756	112	IEXPLORE.EXE	31
PID 112 wrote to memory of 1756	112	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Photos Library.photoslibrary\resources\cpl\cloudsync.noindex\cloudphotos-1.0.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1741952dcddf90bb3b50bbe4bf0ce945

SHA1
dbc3f9d7c591f2f6f8fb8fd09b6a25c0b6b0f940

SHA256
a1e50b927fa28316f8d9288ac3a9e04f20b7a7d25f0321ea3aef70611557a764

SHA512
bbcb24c66c4dd5b01b98ad2c3426938bdf07e6d58709250c3b2defdedfce206e79c7c335cfdf2ff8b5051f14341ccac2663c33936f138d17aa8768c7ed2baf24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11844e5e51a0f4fa64a43c99968d0ce1

SHA1
1c75d265bf43c66df1b2532915112c768afb1547

SHA256
e8412a621e8c7a68bded22b57a4d008a10b64c65dc9d52c631d6d57e6f879f66

SHA512
ac82f01cf09ac28e29944912b7a369c62674039a7c8014cb50a2c55ac9edb0510b0982ca440f674bf788e0cdd809718b610c7ff1ebee10b615eec9783c6460c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b04360ce5ba10453a5dacfa01c24552

SHA1
88d529fd1b9c78da872772166437eea0117f9f11

SHA256
2b40466d6d25cad0f9b2fdf9e59f5c7532cfe318b3b52ae188544283a1b530a3

SHA512
7e33ec1e548d697bdbea1b005b291610419eabf067bf62aabd7004dee077b96cdcaf9edcbf3c149c82fd833e14e04f7ec020edacd93d4bfdded4dd47f1825bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd630c96ec1bb80fb208ab2743e68798

SHA1
c947b1427469df5745dcfa579956514de0e7d6aa

SHA256
d06cb0fcd06397408073d3bad0757d6ee482b0d015b56f35f59dfbbbc0baa2a6

SHA512
dbc715492d76e3b76e6b49a07124638d91424fd834990d47e8cc8b2b14680e887038a6f79eadc684d138d64a1e3e8a38f4845642751b17ed2eaf9ec4c950c894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a525238f2727bace66dcd51aa0afef7

SHA1
a7d5d4879d82a2f14b6295a7e4828266251f8a70

SHA256
1bf064f4bc4bd950941e5425b572914ecf38ff977d391bc700f73571a51f2f8f

SHA512
b06c19f961bd22cb12446759d0f738ffa396b3718b708f805128a1b0354f6a61193f366c171f9b030a2b1a0c56c5b497bc999110375e8253df9f60f9b237ef53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f0acc4d7c059833eb18e4e48fcc9467

SHA1
e988e19f99b198c5efbfde1c72143f333aa9fd1e

SHA256
660d518f0b9f5a8d6465098cb0019d7e0d63432079bf06f4d634fd98e57f5746

SHA512
af73c7c4813dd9bf1b2b20f60ef082ddfa0ab2708083810530a9e11da6354526066a9144ad73546936e7187ebf2c8207dcb2acd8217414333068d6af72cb4fbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9310dc69f2b91ed326fa0ae9d2afb06f

SHA1
ed959eac9a45b92654cf7990c2c08f9f8e792049

SHA256
e1dfefb60ce3effd082c88cd28cbe849b0d0b563a0af2a54ee4ae19a5a2d0d3e

SHA512
12228bcfeadc8ae9b48c125796d00c3d64174b259303e0b58b3d49f0e790f9889d53ab055a8af465d16cd916badcc5b0e20974125403c11afb55d5cc72a65cf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0d845151b198ca6067603b2c37ccd21

SHA1
0c94e986f2f5ca758dd70f74f487b4798e9460ae

SHA256
ff99b89dcfbea4140c2b4a71ae3a35cab0e8ad9d76d461d61a4f901b4127fa14

SHA512
9207a7c57eb4697cda1fe2673ceb2dc6c51c092eb2ebcd3385f9734c81cdddda5a5a6d7493cd5cb0758dda6e66d551a7e2e2ad22c815c5d3797eb875d066b6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38f0fd54083b98c11a6a5ce2bcee7025

SHA1
fa5c9a7d1b1485e2eeec5fb42e674ea7a81db69f

SHA256
1cc18e7887f1f55d31aaae9146e62dfd5038805b6cb7b2e1f7f4c1dda6a8ff8b

SHA512
1994963dd56dbc4a350fdb2e61e2c773e3616870385c1ccd9dc46c9d70db6fbf38e857bac09b24f27307ae4bed2c1d8b4fc71effb2f07ac2a3c809d05a5180b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3a34141d7edf97b41544773e8f118fb

SHA1
04369372d69355a9451abd5b0c840090e3af507b

SHA256
e47b02d7c532794ecd994691a72bf193ce011be3a7e8db6941eab57d8ac3e18b

SHA512
81ec8e636af9ff38cf139be0f968ae7ea11153e0c168cdad4663a4d43f39e98d18bdee3722316e7c53a431eb0a6ed8149357c85b58004a59f3194ac41bfa790a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYXN1WWD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3362.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35CB.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M6N8IIGV.txt

Filesize
600B

MD5
7ad0ece57e384bcf14595aca741b2e28

SHA1
e2268f6afe5c6cb0a536eaf79cf54acbee570706

SHA256
8a43fcbd1e04ff613e72f30714e91516228e56f842fee8ad018da947f3ae70bd

SHA512
c841bada20bbe0ce17b4cecd3bd21d4b0c95213771da9e6be8545718398ec626ad5f7e23c652d4bf45c9e04fb0293a7cb687487a12a148f3d668945be25bfe88

Download Submit