58feca1b4b8c19b000d7911e2586659d65d8add75d96c3611530afc3cf11f841

Analysis

max time kernel
99s
max time network
132s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apple.xml
Size

1KB
MD5

386807d5a6de6f8b74bf26897af8e092
SHA1

9184e48a9f8276f32be763a254773c4e5f2017e1
SHA256

be1bdd07dae30ddf977d7f1d34574f6e6d6f9cc68d3b5428315af589a8d15ca2
SHA512

ab99eaf548b8f1b25516a62d814f3d7610a2d6d16c5a9401b96368cccdc5fdc84762eaa6041ff17e59a99a08c5f89b4b97662e080825d5159003d21ca7f767c1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307cf7a319aad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000e601570ee489c098a0b8b06908c5082bab55868660206d1a6c445355755a53e2000000000e8000000002000020000000268527c34f24b6c6f324bd521a36722305b35c1c05d21f1d561062d102bf265b90000000b011bf812768da5a2505a57fa9d3a1aca9cde3dcc783f5f5f2feda5898a0cc636eaa927b3ea135e233e2e86e18c41aa17b7c6c1064d17130e7605c1d7308615c9cf26a30254b1281f9c8bf92bd597faaa5a08e93118de0fd89c4537b9ba9069059dabfb53342e62fa063a3ca1058f36aed93d7c524e8bfcd850acacd4ddf66f282110f7142c75d4db1047f065733c5aa4000000081e2ab1fc40ff144e5d2ba77b3ef4220c9c1f2392d1b3eacda77fa38ad2bf6ec7afd32cd5703818fc5ae6ab3c5577e6425d3a2999984345ce91b45e702ada613	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE6719D1-160C-11EE-AD7B-EEADDA397F5C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a48000000000200000000001066000000010000200000000dffc5a40dd80188e4687f47d0a069520470c19bdf4d4d803602b6ed7b0e8990000000000e80000000020000200000008a06588958f5147e86a7bb2eaeb9b29179b1c4b869ee1c104db8bfec4b4d6b63200000007e8dab8ed5ff8c5c70cc486f0d441f24039d89ab5cf9b4532bbd7b0b266e126b40000000bfcdca7fa7ede93582dd94af3a9ce8af0bd40be3de3f0f98d554eb7612c726b8967b98d743e1b0536d7ccf538ab8e94ef9aec67729acf8defeb875dfd79e1de8	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394760450"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1896	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 776	1792	MSOXMLED.EXE	28
PID 1792 wrote to memory of 776	1792	MSOXMLED.EXE	28
PID 1792 wrote to memory of 776	1792	MSOXMLED.EXE	28
PID 1792 wrote to memory of 776	1792	MSOXMLED.EXE	28
PID 776 wrote to memory of 1896	776	iexplore.exe	29
PID 776 wrote to memory of 1896	776	iexplore.exe	29
PID 776 wrote to memory of 1896	776	iexplore.exe	29
PID 776 wrote to memory of 1896	776	iexplore.exe	29
PID 1896 wrote to memory of 1468	1896	IEXPLORE.EXE	30
PID 1896 wrote to memory of 1468	1896	IEXPLORE.EXE	30
PID 1896 wrote to memory of 1468	1896	IEXPLORE.EXE	30
PID 1896 wrote to memory of 1468	1896	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\apple.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61893015c3e3f6f2260cfc55849cfd84

SHA1
3ffac54079fbf47dcb0e23414bb723c175ba84d8

SHA256
e700b65cf4077b08cf0137270f64a02c6bfdfeb63134f00d038597bd792424ed

SHA512
ea44843c05d2f51cf84e2ee6cb68a3e03b3325f5c4ed2a344eeacbe7275a8a40b5c0e1032ace297470672d20e2ca1285cbeef5d2eee68e1c4a71eb594d23b79f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d884120f5b9f7d170dfadaec07ab7bf

SHA1
b46438688c669257d049502f9316ec246388bf27

SHA256
bf84b2a1c9b817b40a67aa8e710350ca9fd6537335faf30ac2c399602f3dc5ab

SHA512
fc7d041a62734c34df0bf78d71da357e905e496bca6a742d49dcb701a282a7d07a2c2ac1d33d8ebe43d115cac07786ad1fda5449f24a581093f5e3410ca1ddca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db9d93bc8c178630f29c46e744157a2b

SHA1
f81a5a0c2b8f67c397b3148db99809cc525792e3

SHA256
71c3a0106d727475589f01db9641268231fe616df78812c0bb138fd24d7fafe6

SHA512
155bf26abd032a604dd433897cfbae19792ef4bbb9879e53f3a7e14cbf29949d4eb608e6af8ee93da3c8d4733e9359d1a79918df75c18e2539abc54c0bb2ea2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
178c7c88ad7d5d1aa95d12766c3ec80e

SHA1
87b36c84c26e7e3deded623747e3a344ae547f78

SHA256
edbe553f1c7756d229d50d8ccc8d8951b4be9ed8ada3a7350454cae01bc80f98

SHA512
c039599b12b7a176be5511300f28dca395716f2d3d03cfa708c2cfdc177bccc711a73460394472de17b58f5398dadac99864f705ce186ab53e11fe0f25e9271d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
100e713f2e9e680b795180bbccaaa000

SHA1
099bab761832085e49f57ae9193a0a030fa39683

SHA256
4d56072bc6b18d914480a40501c29ccaa30c63f6ef51b24e7c6a787afe5f893a

SHA512
c248c2c9048496e7a963db44ed48cb9965cad5c0cf0b0c6aaea5907c38012db1e869adbf22dee10661acd47f58bd6a4ff031c8eb938cb741c8adb0256ccd49d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d189e4f9ae4126d845bdde1ee2175c1e

SHA1
cfae369af7fd19e7f02a989b97233ec3822ea482

SHA256
aecad7fb1eac17e33e3266bd829d460b3092118c50f778f95dc740c514a3cc5b

SHA512
8c6a80179d50b46064aceb367232b1c254b2d267aa86e7cd8faa66ae20aedffca040b046bddc574c4d78f1574bd53629114f785d2a9c9c2455fcc65c4479ebdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d592cc10dc450d06b8a35e96083a6e52

SHA1
b2abcba1d7d14236e89adc1d376ff580ba397d77

SHA256
dfa8ac784035f16cc07366a4578335f261ec34ea7cc4b07497bc5cd526940d7d

SHA512
4d6510f26786db4c7fd07ed19e263d06292d625ff4cb99964d423cd45975422bbd8d2fdfed42c7830e037dd5645f7391dc4257906e12a0c1b3a048c9fbfbb9e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1d7138583a62114f521c9c50c27718d

SHA1
8466766ecfb9f6baaf673cab00001af26b568700

SHA256
1dc6674f379ac9b9d1b0f059d2fa004db25cd6a84d198f57dcf634f29f7f4f06

SHA512
6a8056f16f70973bc5704206d0312db1352fb93bd54e2679e35190474bea28ad9cdbe2a6b07646a4289745ca9a94132443f96706bb5500de43e23ca9e1383322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2fa73b0234a608fa9a5340809b2818f2

SHA1
ecd6988c40212f6757bc35b22ba3c227ba175ccc

SHA256
45b5a5a01ba561147a1601f4f50e6ced675c67d6fa8f4698070c78c743f974f0

SHA512
9bf2a197daabb43559116adba05dd53b08becc67f558257e116adc15d23a272c7e0792cc97cdacfac07d807bdac0a608402d93301aa25554284ff95e0861fb8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQLKSAYN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab50D0.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5123.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4SU91AZX.txt

Filesize
608B

MD5
e203d4260d91e1b84fb35b8cc8383dc5

SHA1
c31906fa3e6a7b52caa4386b0abca568dfecf0eb

SHA256
00b23e8acd58a593b4ab57548502b9f625a29b4168d91c0832f787ba1deaa1e2

SHA512
876aef8b452679a38eaf678167f0da355dd1d1f4769b4039de2fe10fdff2c7127452b02a08d0913306c86e980e77522bcd4db1f5dcadd91b3e10c7e398129b57

Download Submit