7350e4610fd476ec7d36aa495e46e9c20a036d8592339649918711a70b987c04

Analysis

max time kernel
118s
max time network
159s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-05-2023 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Plist_resource.xml
Size

9KB
MD5

65cef279873d1e07f2aeda7810be1c08
SHA1

e18e00baff2a34eed24c000204b50ce90f9c881a
SHA256

e6b324bbbcf9e80e8cdaaeb3100e1e4f51856ee4a589a3844d699333ba4f6502
SHA512

1ca94843920ded31990c6acbc0e34dfe14ca6aa4f4d6131316773c3ca9689e1c536fa0c3c87b71b5c32f8ade2df5731e2654dbccdce4b37dd8ac2f47946f23e4
SSDEEP

96:mysb02ehxV8VPZDptiSI4M15xIjwPC4PWwgwsfrQp:zsheTmfjMVZR

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011e8751b123bd94395edaac967ce86f50000000002000000000010660000000100002000000011e4c918e86458ef78a174b33a5be6f001ef3c22593aa3aff232b6fe2864ca79000000000e8000000002000020000000340bf4ee2a7e1be217d17c37c39804517640cf42a0526106ec8b13f398420af29000000046cc9467284c659193a03d8481e4eae8d2b7d5f02b228b28b122ef506fd261b9f9dc91807bd3c93a778e766398bfd7232f17209f0ded4109e4308864f321cea075135d44cf0f5596a6864fd315d99719b24210ec9491481c03291dfed7f1f5de67f75316d12f5dc1b449a02db720eb3133790f730dea8c97ee47ce951898d77c5b10f74399121ec28757b79446747a6e400000008d6eccecf789bb3522257c93e7f099fa4909cbce1b1d353376229777f63dbf028f573a96c2800cc18466a5c67527d9bf04dfd62687706948ce0de205a0373574	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392099120"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c04c3e3ae591d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011e8751b123bd94395edaac967ce86f500000000020000000000106600000001000020000000817c2f87e22c044ae75b8f94453bb1aed9530337a623d9cb10adbe6845a0f269000000000e8000000002000020000000d96677526d0a883d4667592b8d1211fed2d9667107ed69d51b3384f6016ab26c20000000b3e9b5f616668887c914241a4e2aafe3b80e6a8b92a6179c282dd97a49ac0a3f40000000b583f840211c733fe7c1d19cdd2f2e3e59234e0ba3fa7b79eba4ccd907e9925ffa7497d3210816c7d5daeeb4b68189975942961e8ef9febeba09587314001cbd	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{623001B1-FDD8-11ED-AC42-C227D5A71BE4} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1760	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1352	1980	MSOXMLED.EXE	27
PID 1980 wrote to memory of 1352	1980	MSOXMLED.EXE	27
PID 1980 wrote to memory of 1352	1980	MSOXMLED.EXE	27
PID 1980 wrote to memory of 1352	1980	MSOXMLED.EXE	27
PID 1352 wrote to memory of 1760	1352	iexplore.exe	28
PID 1352 wrote to memory of 1760	1352	iexplore.exe	28
PID 1352 wrote to memory of 1760	1352	iexplore.exe	28
PID 1352 wrote to memory of 1760	1352	iexplore.exe	28
PID 1760 wrote to memory of 1012	1760	IEXPLORE.EXE	29
PID 1760 wrote to memory of 1012	1760	IEXPLORE.EXE	29
PID 1760 wrote to memory of 1012	1760	IEXPLORE.EXE	29
PID 1760 wrote to memory of 1012	1760	IEXPLORE.EXE	29

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Plist_resource.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3026d733028f57f1f5f184b70e413255

SHA1
0d485d37fb90116d60f88eda803a31a35ba9dbfc

SHA256
1c9b44b01a709b1bb7025118582c7243ffb1ade089d7fc6721edff5cd1b6bcab

SHA512
50c20df10562227b7486c0ad6d01f006e1437142e20ab97d5e44d95d9bab6dc808c4825377b4b3e10aadb0f8a7452c15f4821eec112be7683602ab38338e06d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c109ec5d287ac087e022fc8a495f4d5d

SHA1
bcc737ef40dbe18fe3eaf140341c032059f6b231

SHA256
d2337e8b20033349810cf68f3113d4844ea32f630e54daf85ab3448ef75e18db

SHA512
c17e6a5c195af721da5f3954fbba62ce96aa504ae3433445e8e55b9f3c78ac8b05498c93fe4e2d0dfa4e48fc0e5c2d0435bac0f26918d62c29ba0888d80e8b46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
20dfffe0d145db00ec4c481165e4a15a

SHA1
a8c761c9955a15f9987921b8931183c12dd28528

SHA256
90771864e5841abf29a075a73c05a1ed836abdee0ee44fc4c86e4b347936720c

SHA512
a56718b22e0687b25b816a0cc8ddb062133cb35afc2c1ee4ab89e43869e19a132b39b548d2b65b6bf152fa3d480a469ed5346a7d954bd2d6c593cb73d94377e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
22375dac377f892870919f269c5e49a3

SHA1
e324eb85c75e36fc6f29134e1ee6f994dadd27b4

SHA256
a6b6c2b3160411b136d070bf7f87bb969251b40a3180320c35ccc3dc53856735

SHA512
0622e113b0a8872b66940b51606b44ee656b57d3ad58a11de09eb5447ac7a5c387ed47409e3ed8af18b38807e150c17032befa05038a6d19f4107962ae1100f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
76819fdefda843bf57bfcae5071b09d2

SHA1
9ece61f768ce264b4d3f88fa9b863d4f05f00375

SHA256
f02b04c1126278fb39d37a454f00886fccd89f9b9a0e0e6cec121bb49c770b60

SHA512
c29038293a9210a772f94e4daadcc3df9cbc72430b02f8db854f22454e01973dae6e193e31ef2680296800b21a35e2b37c8b839bcf8f5db713127a37c2f984e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1f41b438876535008cb63828393cc7af

SHA1
c63d924d65cb7d4e2f3e8156407644eb99bfca98

SHA256
815cadd518db2682fc42710c6224034c5ef7ec505bdab3383bb0d9c9046f1b8c

SHA512
4cc38e2cc7bdde7d53b4174184fe3363da3b6ed55f11c2109420a4623c00dc012bd01c1e2bdbb8402513f8739cbcf121716c513eae926f8dbc2e56087f71041a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f03288f39088c8c386a40413e85bdd35

SHA1
66a0b10a84cd2812faaa0579387204dce4702d2d

SHA256
7380db63b3c873f9a4bceb756e047430cc25d89e21ab1f572f061f46f12bbed6

SHA512
e280f371561127a3bff189789523a5f055408941a72033864a302c72fb988bf8982b9bc5e85129ef81c7599acc3c6f68dfea767109500db15d6c047e6c7ed439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b6772504fcf7d95a05b7ce902a9ce233

SHA1
d9596e181990d0aa7de30674edfeb1d2af0ab58a

SHA256
36b370f89d5a61169858a3d82c049f3e39c016a0d414995fe47a4f6710c55cd4

SHA512
640870d7ca759f9e742f6dbe1856c98721e218c69d469732c34695f0aad99637e369671aae457a87340cb78202213630c8de284319d67a60069ad602681be012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
79f3191f0e0a358019701839f36884d7

SHA1
7386c2e60bb1dd6a8384a9c21b624267ac2265e9

SHA256
661f712532ca9cfe1dbfa32771698037ca994785165df2d8107463ff12eb71ee

SHA512
1186d3667f795573dbcb0732fadc953313f9f1a852a1b9ccb991cd9310871ba6c5d4b340cc9b707b59c4f232ce31a95dd58afcb9e40da4ced8cd7ce666642665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab203F.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21A0.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZHVD71ID.txt

Filesize
608B

MD5
dc8680f3916026813dbfeb7b9c3a80ea

SHA1
ac32b814f316fa21fac006b52f7c7db95889c4e5

SHA256
a1663bdd9a2895a0c0216518894e23b4142505642f4e567fa33be385832b980b

SHA512
553a29d00abf09665a16f636a735dae6d1746b46b23849dc1454a74e97620b527ac29c9e63854dcb8d72496956874f42e45a202b096a20a55aa48cf2569ebcb2

Download Submit