7350e4610fd476ec7d36aa495e46e9c20a036d8592339649918711a70b987c04

Analysis

max time kernel
100s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-05-2023 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Plist_share.xml
Size

6KB
MD5

ac26f88055a29abc1d7743484fce8620
SHA1

be3dfeb521a24ab06820c994221b9ba6d5166aeb
SHA256

28b435f30e834abefaa896db7a4c7567c68f289a14ab59aa1e91d402fe06a464
SHA512

168a003f92d72b9ae8521a8b9a21a239f68ab20dc8271fcaf6039fc8d7dd2306bee89f0ef8192f7e67be0e5069e116485af2a454e4f017be0334669394d747e6
SSDEEP

24:2dnysvVeinvFREvcMUISSqzznNREvcMUISTzLXin7qREvcMUISUzbnhVnvuREvcr:cnys4wHB8MS3outZqH8a17BbxS0j

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000838a74bdaa15a1468dbe7bc6a837040000000000020000000000106600000001000020000000bcce1ff2c1a794f75fbdd0f1ffe4a956875ba9d7717b1c4d2dd194595c606b2e000000000e80000000020000200000000a2f1e90cb7962035e3b4d77e882daf5f46f6d59829b62ddc0c6b5847f48424890000000a179e0a82d797474c5daa2ef81f35d39e886dce9a13d6f7bfa18e4de5eb58f721e521297de37834805d169a887aef5a9b70d50549c59a0cc05fc75e9b36b6bdca8ff79566e0b749a271c74e454949d0faca1a4e6e8546bb384fcf4a262277166327e5f41a71dc99b3c1216325ad28519ee078904766b448668714cfa6d43c0bef394fe4cf123d729d89ef4f8c54b4f0f4000000087c5a046b136c8fdab9cd97c232e4bd28819574a489c670453f6b23e68a48e42481b00e18e7f3e3d34d7ec45ddcb65d85451e7a48f028f840a360a7775244d23	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392106298"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000838a74bdaa15a1468dbe7bc6a8370400000000000200000000001066000000010000200000005063204520b5e708b7a36ae44f7e17066bea4e1c04777321390b4908e5e81edd000000000e8000000002000020000000868b97f1f9d1c0c8dcd983b15338e87efcf2eb8863d70bbdcbcafe56cca4265f200000008c21353564f0bcb10b4df41067ed46abfa779ff305fbd8d5d3e0e2f86630b82040000000fddde009fefa56d82038302b9fd82c8565ed548614a820970595b8855fda4f2f5e77c7f2c58b578d42448089bc694b94648d0f6d42efdf5b9bb23a5ccd189c60	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08f92f8f591d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2081CC11-FDE9-11ED-AD83-6AEE4B25B7A6} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1284	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1284	IEXPLORE.EXE
1284	IEXPLORE.EXE
740	IEXPLORE.EXE
740	IEXPLORE.EXE
740	IEXPLORE.EXE
740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1264	1420	MSOXMLED.EXE	29
PID 1420 wrote to memory of 1264	1420	MSOXMLED.EXE	29
PID 1420 wrote to memory of 1264	1420	MSOXMLED.EXE	29
PID 1420 wrote to memory of 1264	1420	MSOXMLED.EXE	29
PID 1264 wrote to memory of 1284	1264	iexplore.exe	30
PID 1264 wrote to memory of 1284	1264	iexplore.exe	30
PID 1264 wrote to memory of 1284	1264	iexplore.exe	30
PID 1264 wrote to memory of 1284	1264	iexplore.exe	30
PID 1284 wrote to memory of 740	1284	IEXPLORE.EXE	31
PID 1284 wrote to memory of 740	1284	IEXPLORE.EXE	31
PID 1284 wrote to memory of 740	1284	IEXPLORE.EXE	31
PID 1284 wrote to memory of 740	1284	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Plist_share.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4826c5daee2215103f9c8e12083eae58

SHA1
29a0b17cd32b973fedea7725f5195334ee4d2e21

SHA256
e016a3aed4720cd93035a6c73bae6f3f4b05c373008908cf22ad10a55a1a936a

SHA512
e967a320cc1e7eb977a45b4d099f4e580c1312e30b8434bb3cbdf694fa256261a0870d44b81d16c5d80af4dc6d5f60d05edb632b7bd2515d817bb4555102e60d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
925a07ef6f3c76f4c11e09cbebe73016

SHA1
f71fd376d1a6190afc8ba765a655044dfb9113c7

SHA256
786a3a3912e6bbe7cb956f6fa80dabc378ba5d733c68c1246acf0250620f4bc0

SHA512
1fee6069dbb63e7d36759051711ebb6af9f689ee3141e6581ef7320388fdb4911a0e0c7ddd79496d903cf8416e0f8b440674d6bcda8a532fb1d8f6416014c434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a50debd02f540cf647e7bc3dfc6c4222

SHA1
e6f99143c4bdbf748e913ccce256e5fa8734a9eb

SHA256
8c98ac57f0c4cd408fff25ee6350e56839d20492d00377eb2d25c7825cfc0375

SHA512
ffd604f5c5eb522aec0e888758eb2391d548f6898f960e35524f9d69cb361dad097eda1a9369d8c80314f7a95822b63f02923b60f58331af78afbb6bd019f766

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1569e9fc61d6d48a321f2a443b6a7ce9

SHA1
fd4cec0b1d35bdecbfcfb99cb4a6e9e94b8b696a

SHA256
6536da2fddcc7dc46055083d90714475c00cd5a9d161c9174e5b3bc87312e9dd

SHA512
eaa27db2e7621baf712e70fc51155f8ba6a2d393dfa0a35a0e5c8a6e2f3c56458bb169dba0e2e9c748d0905a1553ecfc060787d083f1b4777db09ab066e7287c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a50046795bb58818abab66a89044f46b

SHA1
c64dbcd74857a28daa6e949c8def939dacfa9013

SHA256
32b92656ba90337a180a745d71a15e20e977806f24b358888604aba97542e02a

SHA512
3dcc79ae38c48697930d461b658d78eb7c8f5b6dd7bbd27484fd95582f4c2f854a7041fafe452756e63507f179b7f0a2cf0e701fe4fe8908608c8c988f145c30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
cd001f120cbf23588b3597073c5d7816

SHA1
244d7bfb84147a1b228f1d4669f5a305df58d2e1

SHA256
0236d3a7fc499da1687afeb267ef03cbbeb9a03dcab429c29a00f7ff34107b3c

SHA512
b5ca0ee74dbc6932d2562713f27cb76b2b9d4a84c4bfe1db2859026d5d4d42584ef185bd54b08c84a627cee9938358a799f77e4094ee27341283005276285445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6c61a55eb11193fb388175cec1b3f7b3

SHA1
de6afb1c55a804be6b6b667daf0f252a6a580d38

SHA256
fcb2a05e509330ea14c30351efe159534afba54eed335a7b4bab463bcb81fb54

SHA512
de5c0dc111f46dc5980351605eb6808d08df7fa4e1a8ee2eaf3eafaf14e4ed2e5da8b16931d11dd353a0f78a2f9ef7cb8dca303171839f283e21b10a0117fb45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a8e7a4d3f8790463cb3d37a0a4830d18

SHA1
60296dd0d684175b6cc54cd432d3078e28bdbc7e

SHA256
5d3ea0b21722f6093ec7f596abe98557d8d3a099fc5ebf87436136f793cf56b0

SHA512
4ac45d1d37ec88a429a6c62345615a431ce8fddc228c37adb53666612f3c0476592b2158020de12096d6aaa5b5eff19fea1cf2eee89563a1d5f3fe4936411147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE5B.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF0D.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZEAZWAEZ.txt

Filesize
601B

MD5
cf1e3d269918a521505a4630e7a78610

SHA1
b215b6abc437dcd5851eb7c72c4f74a372d9f298

SHA256
177f5859554e81885cc3469c4af50d0e68b871828c6f712da41ab936e35741cc

SHA512
90761499e5e6ac65d00b72214c974d96eb3b41a4ae8043454abebaf7ddaa6238aab40ea84ba8bff246c7c9286ef7f0d4cc462bded550860399cc894ba66534dc

Download Submit