hxxps://setup[.]icloud[.]com/email/prefs/storage?path=STORAGE_AND_BACKUP/CHANGE_STORAGE_PLAN%E3%80%82

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2023, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://setup.icloud.com/email/prefs/storage?path=STORAGE_AND_BACKUP/CHANGE_STORAGE_PLAN%E3%80%82

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{589F5ED7-05E1-11EE-9156-4221DB3A75C8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31037934"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "765088912"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31037934"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f7d12df452ac3540a7ae195c82089633000000000200000000001066000000010000200000009c9ba64fc3368a2a9d88675ba95a4750dfee16ded7c7d4428e23f24e7dd8f4c5000000000e800000000200002000000067f2af558dc4112e98b133f8891d2ec9a2b2687deafb2e014b6d97f84aad11f2200000009db87b7fc0b867c22649f53140bbaa16babe24c021649073ed863e4833af5c6540000000644f10fd43ffa7ff97cff1ba9160860c0efdcfa8ad59688a6ec86e8d644dfc893bef0de91703980d55da1e9fa2e5d9441e1ed885def4df4c6315efac095e9b3b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3035bc2fee99d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f7d12df452ac3540a7ae195c8208963300000000020000000000106600000001000020000000125e8efc098c4b3afbffb1a8ec0fb421ffd6ded982a9f6e0abdca8d62124697b000000000e8000000002000020000000a532be6d532ba050423c55e66826816d1231b5ea6f5d4fceb6b2d0e3ada4797e20000000abce059d43c4866a166e55506b88b8222e6b387745757bfc8fac941870f89d7840000000ae9d752b033a36259cdbf02679402a36462551c312be73a630411a0ed801549e26b958e2f4e855f7173ad44eb22969babc68ae0314efbccc859d7410b233d69b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "756026299"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31037934"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e09fdd2fee99d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "756026299"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392982566"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2276	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2276	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2276	iexplore.exe
2276	iexplore.exe
1200	IEXPLORE.EXE
1200	IEXPLORE.EXE
1200	IEXPLORE.EXE
1200	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1200	2276	iexplore.exe	82
PID 2276 wrote to memory of 1200	2276	iexplore.exe	82
PID 2276 wrote to memory of 1200	2276	iexplore.exe	82

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://setup.icloud.com/email/prefs/storage?path=STORAGE_AND_BACKUP/CHANGE_STORAGE_PLAN%E3%80%82
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
20e784043bf9dd5a4a234ce3703f825e

SHA1
178607f94705ec6161c2c3a88177ef6a5aaded49

SHA256
1455f3acd9f00c4a3d7fac6caf8566bdffb868aec09f86fea8acc17a525b6c72

SHA512
8ae93f0b68ee867a881dcac4628b8ad77c559925f721b46be904d40ec00f909916280057ce09cf8e28cb3eca938aab58d4e210f4c61e56e3443c3555e113f955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c4f2ca5ae86e662e47baaa72202f6994

SHA1
4723f1b0017ee7008d23a2e69e746463a520ad48

SHA256
c1123daf5af5216a86572c05f52f88b0ab0cf8dc12cbdc31f5a068d9c9062303

SHA512
3f59e008138e9f94e8ed4c65ad0b7f76c322ad42705886b0b9e3cfdd94f83c6ac3642f34e1a44bf961ade26413d0f6bdb5e010a5d80ba63175aa68b235dcb9a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\95fmw5u\imagestore.dat

Filesize
22KB

MD5
8a11e919f4e2d83e01d848457a2c8670

SHA1
ea31aab9ede277ea548848961113ae1619cf192e

SHA256
37c2ab7f8efb0d116c3f5bf07e4554b9c4bbb0932e1959cd00939acd3be94618

SHA512
0ef68b17fc7a1fd991235dee24a5249a0c370a6e7eaef2089cbcad6ac63323eaeab1bf9996c8d81441fcf6f94a135f895140281dbfab5ba08ae32f8a6e3f9e7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\favicon[1].ico

Filesize
21KB

MD5
891e510219786f543ca998282ed99f45

SHA1
19fe2ff6a2418bcb44b02308b998cef84199ee08

SHA256
e4bdf72e2f803f7e19907c12f407ac7f7cd5f1f94bfd730b9be24b0d49191b48

SHA512
e6729e7e1ed1909297317e249adb7af6c230b2a7082ea792c7776fa5037c8ed8aaf02bcc4015334b6c439732f965ce19291ffe863126d0c20bed9a0c89c4a95b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\favicon[1].ico

Filesize
21KB

MD5
891e510219786f543ca998282ed99f45

SHA1
19fe2ff6a2418bcb44b02308b998cef84199ee08

SHA256
e4bdf72e2f803f7e19907c12f407ac7f7cd5f1f94bfd730b9be24b0d49191b48

SHA512
e6729e7e1ed1909297317e249adb7af6c230b2a7082ea792c7776fa5037c8ed8aaf02bcc4015334b6c439732f965ce19291ffe863126d0c20bed9a0c89c4a95b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H82VOZS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit