855c03fb9cb069d04ffc33626e3bff7a4913fd036e08d0efcbe0e17f3706aca3

Analysis

max time kernel
134s
max time network
156s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meitu_camera_function__builtin_params.xml
Size

2KB
MD5

fa10685e30a8aa676f151371fcc3f9fa
SHA1

72bb07bc3fd2179ca8ec17cf8aacdf3c16da0df6
SHA256

ee7126d1cc05239a9285e09d1ce9e201fff6724ab56f7c4bca819ff96d9ce668
SHA512

89ec4d616d1026840543fb3ab10110c6913378d6cd59a6c8989b8143e1dc7fcee71cc4540d92609175c29c87e9dad6a8b9d365f25face494b8234b2b8682da21

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396531312"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd827940000000002000000000010660000000100002000000056eeb2992f1e22074e24c310c6a7c07b9e5ac024d070dddda4aef5077c51748a000000000e8000000002000020000000f44f3ee762431aa1c62d04856511819ce8a89cee3d0c0e4f6597512e236ef7c920000000e28dea197d253f2d60d0c2577d273443af51801e7fbc4a584735f9807b4241e04000000064d9d89439dfecf3f4f545f46f75c67f1377846a17614ae251854499ff7fe0c07b30db388e34ef1c4853681d326a4f3fe77a052f0169936469d9caeab6b6d4de	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0d363b334bad901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DE45BB61-2627-11EE-8A04-E23FD76D3CC4} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000038fcd23b1b9d0bdb8b3fc1d8be0121d75bab0917ff2d9b2a06e59f596bdaade000000000e80000000020000200000002eb5c2ff5b5d22917fa3e4c09090af5038c33692bbed73f5ccebc59574154fa990000000b476120fa0f1ae617a026c4b97b6ec83e6ebce00d5c9b0869c8907569e2e3fe877d812c87fe6e407171f19ba13e36134d98643b0a5e0e764ec3d99323354d413e9a11bf8c0b0c4b09f3e6756d9abd8ae7b428a300821b55e8f87ca78a79a2ed92bb4fcec9e488731347a7a4f9891d14d28a1ed33f918ed0b2ff925a620ea5fe9cef9e6e35d6a32b6b7102e0f1a2d889640000000dbfc84185af904d08de0028ae1828188c25bebe11b3d2f265738ea346c53448d265c1a800f28e3889173b1f71820c540dea8f24ad49adf928412e14a75a839c2	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1724	2268	MSOXMLED.EXE	28
PID 2268 wrote to memory of 1724	2268	MSOXMLED.EXE	28
PID 2268 wrote to memory of 1724	2268	MSOXMLED.EXE	28
PID 2268 wrote to memory of 1724	2268	MSOXMLED.EXE	28
PID 1724 wrote to memory of 2692	1724	iexplore.exe	29
PID 1724 wrote to memory of 2692	1724	iexplore.exe	29
PID 1724 wrote to memory of 2692	1724	iexplore.exe	29
PID 1724 wrote to memory of 2692	1724	iexplore.exe	29
PID 2692 wrote to memory of 1476	2692	IEXPLORE.EXE	30
PID 2692 wrote to memory of 1476	2692	IEXPLORE.EXE	30
PID 2692 wrote to memory of 1476	2692	IEXPLORE.EXE	30
PID 2692 wrote to memory of 1476	2692	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\meitu_camera_function__builtin_params.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb3eeeb2499d6606812b8846e3a503d3

SHA1
8a2cb1f93b1114c4ffb2653ea5dce630cf3f952d

SHA256
eb42cdd36a9d9819cf35fd185a174c6c1ba59fd18a1bbb14a8181f9451b8273c

SHA512
2febb54c75c1123093cd33da1af28a2c1f42d06e41ceda22ece13033360beb640853504cf309f3967d03ab6870b17336401311eb0e5c5ad24385f416563bb321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c884413355386a2b7d3f735af4c60d2

SHA1
11e85d467df08c8e678aa996afcc2514877cf679

SHA256
6df8ee06816e049331e58255e095d04e856f0dccb5c70dd8b213b4b1d8c24562

SHA512
26f6889a55712d9778fe4cdd419ee2c6f9976a9bc67c6edfc29358ba3ad301bc56c3abca927ddb2e2899800db9b13aab6bc20fa125e984d546903aa8796ff8d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4721bf8425947535694d5cb2b842a846

SHA1
fd04a1a3bbc63f53ad804d9f142153fdc641185c

SHA256
99a29d955a0cafb5340ec9c1e5db7640342189a4b1297eecdbe894c8aede6468

SHA512
07b50b503bd86a396e5c6fab743b3220a65dbee1026eafeaa10721429b9b3269d0416e7f51a90439fb9fd0465c287fb317e5a7322c5f5b64c614a04ba0cdfa56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
104c5f8641f7da49c489e6dd09a81273

SHA1
ea54a9dcb429778809bafca91d28fa943b4193ae

SHA256
d59f15e60fa9576b31a2bbfc6848353c820e58e67a83c4b3e11057dffaadbb71

SHA512
d675911b50bd750d1bd20830f014d73701448741d8fcabee871a5e5c8211e1556173b4aaaab19c3c730216cc8de43bac5ca9b5e8126fa8334536046ee1e4b350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ea0226508fb2e2f7a2ee6f94e48cd2b

SHA1
23da40046392debcb21e643b76451b7933243fef

SHA256
6ff628a7c07f896f6bb494859d168243574e97bebc3ee9ad4d6dfe67deb3c84c

SHA512
689aba51b2b9ac8c553f3245bb617cd47ae1d6138bfa261ec97a8b01dbbe9cf686f78f5921b5fa5cbde077641e9a53900841a944a4f1934a35e8907c6ef51f08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a6b358e3917e57fbea018db38381e65

SHA1
d670583a5fc9c4daa03afe2accc80c3046f1c55b

SHA256
c330ca4421417f0ad9be3e1bb18abd365d1d6fe12a6c762b66f3b122c290e3d1

SHA512
b4e25c0b3b0fd33829306f222c4b0b8308dfec257a67664337d5670f4b2c1f30a14df07931ba8afc63cb536d5463695152f311b3296c6cb9053beff8b7220509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bdab4d85513bfdc86853a2e0430bb4d

SHA1
5929fef1933fd3650ddeb8aa48ca69238a9ba679

SHA256
9250424ea4a7f036841f44f9a58e55f3d8b187d933e802be5569de553a32e290

SHA512
3070213deb873228d40cdfd6104ca3a21333cad13da745986bdbcf33373073089fe47a819d205bd0fd317a1b668cdbe512bbfc096cb3df3fc3ed183f038e8e9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
daa42c2d49918d785af839f03c80285b

SHA1
903687c57dda6386007b01be6048e6403244bf56

SHA256
737dfb55e1a76976cc3a9d7c0357f505ce6035e00cc4ef6f81b98a9951e61c7c

SHA512
2b013d43767e76acbf5e402db48ac4c93e3098e38032e6c74fdaf528b20c8f7dbf5868015f77bd32f20ed3e2f7de47f42460b95767ff1769618586d7581246d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c43f7fbfc3cf2d252bde3ceb0f61b81

SHA1
8a7b8a163f9df3ffefdade68a131b8657c8f687b

SHA256
d36666f39dfcf1fc887e005d68220c2b657d3e6aebf10dc193c7c1e5317861b9

SHA512
e72168467ac45fbce4d6cf247a29ecb73ab9207c75978dce1c0ae18ed22b01b87e6c4f7480c1997ab3f5323d869d1f8518e6fd90e43d49ce86ad715292e8e7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12APMO2Y\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F9.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62E.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4BDBU3S5.txt

Filesize
606B

MD5
42058285f860a4fa544a8eaecfe36edd

SHA1
5201a63792f753ee539d4fe5f42ca3b17d67a538

SHA256
a46cea762350852cbbd65a765dcb4c34263b4d45d9513e35f6887f4d6a5c954c

SHA512
7d5d952081f8aa07d027e2125a968b69c801262346d8297eb48e95e31fa0cb7518d1a3b57616ca3ccea46a646d9f796bfa4695e3ccf74f27ff5fd8f8d41fe838

Download Submit