479e12d47db33b3ad27b857f6d1b480de7304dc93ce951d282b945530a48bb56

Analysis

max time kernel
100s
max time network
138s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apple.xml
Size

1KB
MD5

386807d5a6de6f8b74bf26897af8e092
SHA1

9184e48a9f8276f32be763a254773c4e5f2017e1
SHA256

be1bdd07dae30ddf977d7f1d34574f6e6d6f9cc68d3b5428315af589a8d15ca2
SHA512

ab99eaf548b8f1b25516a62d814f3d7610a2d6d16c5a9401b96368cccdc5fdc84762eaa6041ff17e59a99a08c5f89b4b97662e080825d5159003d21ca7f767c1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005e2967218a20af4e980a9f47ecd196a4000000000200000000001066000000010000200000006fa98ef32237743d06e826b08251b75c7e613b6fdeec97d17ccad551a328a0b5000000000e800000000200002000000040ab67f535f885d21cf291df5db753725220a0e08ffbbb515d33f5c83b94d23520000000884a55ea5c7fba3e546ae2e699209d7b0d67b95dd05728eb131e8dce9fd596dd4000000015a392ff4010b21d8d29ea1aac124bd8bd7647e2dd242efd1d6a1406982fa610aefec1c337e9294010163f032466ae60ab17339d61d9ef914f1e7c9228cde827	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05AEF461-160A-11EE-96DD-42C84A33452B} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394759255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005e2967218a20af4e980a9f47ecd196a4000000000200000000001066000000010000200000002bb63557f0d961b1b8d946d8063f10d414a0b2cb4dabc35d20291f04367ab4c9000000000e80000000020000200000007ced4ccedf99c0911ff6e9c1a0e14579a0d83a758cb98181ea3b0e7c7b082b9d900000008f72c88af72eab79bdd57e2a78935f551b8105384734bcbc99d2df306927a87d84750c3c03c6c8e63be4611ce80f098d314e54dd16dc957ba89db6242cc375e823c7b99867338791f14829b5122a272c6d766e51ed69edbc72d1004a1c7be9c46425d1b1d6e454778ecd4f0f3c76b0243a7b6ea33c8c19a76c179255754d3074577febf73d54951d357fb55221ba7a47400000009672f2c49f586b42a4e75e8e4d90e63c24e346aee5eabbf613b810e31edb9988bce179917e44b27db7e5629e09f104d7fc12a681c52baeed09cc9cb96f0db541	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002e4bdb16aad901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1684 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1684 IEXPLORE.EXE
1684 IEXPLORE.EXE
584 IEXPLORE.EXE
584 IEXPLORE.EXE
584 IEXPLORE.EXE
584 IEXPLORE.EXE

pid	process
1684	IEXPLORE.EXE

pid	process
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE
584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 112 wrote to memory of 600	112	MSOXMLED.EXE	iexplore.exe
PID 112 wrote to memory of 600	112	MSOXMLED.EXE	iexplore.exe
PID 112 wrote to memory of 600	112	MSOXMLED.EXE	iexplore.exe
PID 112 wrote to memory of 600	112	MSOXMLED.EXE	iexplore.exe
PID 600 wrote to memory of 1684	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1684	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1684	600	iexplore.exe	IEXPLORE.EXE
PID 600 wrote to memory of 1684	600	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 584	1684	IEXPLORE.EXE	IEXPLORE.EXE
PID 1684 wrote to memory of 584	1684	IEXPLORE.EXE	IEXPLORE.EXE
PID 1684 wrote to memory of 584	1684	IEXPLORE.EXE	IEXPLORE.EXE
PID 1684 wrote to memory of 584	1684	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\apple.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:112
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcb06eb6e901d2b652ca605f964eb138

SHA1
8974f233b2b6511a4cacd4e4e2cb2618180d06c9

SHA256
43aa590bc32ffbf4c4a5f9e59ba41b77b87a8d78b0c932281245b70449e57de8

SHA512
78d238729d5a205f5192eb36c260e0b3c5005b160bc6673ceb0d51d7e029f96b45875e6be126dfe1fb8766fa1e58c9232d3f3c18bab5c933bcb9a9a9d02207bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f113215dae585882e42996a0f48b8b9

SHA1
6ec075fcfa7a17e8ca61ac8cb2cdae88f8e17db5

SHA256
b4d97afb2286b1db417414f5e941e8509220ac8f59b0913971e2a3efb7648beb

SHA512
87e69c35b0f96338e2aabb3be44553ca5fefb0ce78e7e723fefd06f2a96121e961b2486cc0a1b4f36cfa85ff0080cb38dec1da8a3d9d6387be2d9ee621fd457e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04184946786a88eec6be6cfc410f2f75

SHA1
6d47ef3dcc98e5d2d5dee4232accb472e6c45021

SHA256
22c93cb422a900cc8e8ab6b1e3483f7be0f2775b76ec3489f6a10b876b53cdad

SHA512
a4c1639f3840d05232f48d7432429e974eec66f1323a6e092f03ea37b4f9745548005bda1bb0975b9efb31ecbb6692222145037560385bc2d76acb158d48724f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd72d32d51ff441bb10840d699229368

SHA1
dcb30e2b3153902828a7205bbcefe879945b119e

SHA256
bd9b47d3b908440b4fcc0317af094f23c232b5f6a4f1daede6d57e4eb900a192

SHA512
db855a3ea8fd63173f5e1459c6f16f0326e4f7c10f2a1e29fdbbacd927a0dbe1cad831964cef1b796f03d72a9956c9541cf97d80798453f3c05df9baf5cd4e46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ce9d823f2871a451aeae2b1b5b81d81

SHA1
b71a31cb4a1882c34db76369da827418ceb82eba

SHA256
21039bedd496b050b4775cb7ba3435de653c3b37866d4ccbcbe7335c72c78f86

SHA512
5374529785aeb38d0e1f6a490d07ef6b90a9a1e478c865a4adc16b8a8db033a5343599590a5ac0d15900508689d2dae6c1520698775f66359c1562d8ed7b4d35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORT469H\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3508.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35A8.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X7EVQYJ5.txt

Filesize
606B

MD5
067e73f2a77d6f0ddc9fc6b940d2771e

SHA1
d9a89c021786dc6ddda5042269b3cedaf361b68e

SHA256
97390cdff99699012ae717a17420dce95f0fe3c30ac695da1831611f5938fdfc

SHA512
c3ce28f4114ee03774f345e3a8d0ae8087e3732335fbe937a38be155919c10f1e605d7f032ebc5a222a77f63f3a325e87028ba0214f5d2f29e90a814330c851a

Download Submit