855c03fb9cb069d04ffc33626e3bff7a4913fd036e08d0efcbe0e17f3706aca3

Analysis

max time kernel
134s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meitu_image_function__builtin_params.xml
Size

7KB
MD5

88fbd1e1464d85942f510db703ce1a6f
SHA1

72efdf32a7f3f0ad6bd647790645f787c30a0ea8
SHA256

a3bedd019164140e19ac2c5bafc27b48a85dec84c8430661d967ea0d188dd1ff
SHA512

ad7c689e856b1a8e5eb658fe4d00ff8aaa9b0b322192bdde3c77cc3210ea985c0aa3187aa0564f2f87d458b1b45a225c814a8a530ac6a6a64be10e5f3beb9109
SSDEEP

96:CyUlnZYbzYeDH8Hq7HoHTdHO7HoHK8Hq7H9HRElr75eboaO2yXkLZP/t2BS:XUAgK7I5u7I7K7dyiV

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e38ab334bad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DE92E161-2627-11EE-91D0-7E694F6CA729} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000007d69c22d170d6318b9fd30ecf201664cb483f614d68707b2bc9b1619cb1d82a7000000000e8000000002000020000000d6cb05c6484cb19b243e856499fb52bbe7e1829e226d0b3dafb01278bafd5c7b900000006b41ac43b87bd251c4d4a13669ac4886a800116aef9258352c9087c0651fba04aaad26cc923783375a8df428af0a0c5b0c1050b5e32bfe7965827c4d067ddb4b67ddc183cf80c2b10cd755f6f2d657a41088108c76d30d92dc0f662fc846cb2755af5d52a3ffd249cfb351764fda4c2b29c2ecc875522bf5053abc19e7946a7bd09f1672da80274d0cc68e8059d5fa22400000006818207e0eae8abb6d9ee08321cb23cffd22491af5d87fd19fe5d6305771d4afbb7404ef12f1b628706d73792b8d29a50ee97b81ccd84de4540c66372cf0224e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396531313"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000a448407f4784befcb8b4a573b9bcf0fc282345de25b780fe5567aae1b11b6763000000000e8000000002000020000000e5e0771087010ed7b9b5ad55aabc2624a4fead287a6d733520e88d4f667b4cb12000000096e70c03f8d21d5e9998265d27c1039f150d9bfd4afdce65f1001c1f32cd90d9400000003f4fe80ee848860ec976bdc2f55d7dfb945ab7f30d120ea0f0657c2fd96c217f4444c882bd6d40e7e74f07ca3f6e93e637c64b362f6a6bb83705eb5d4b36d91d	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1608	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1608	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2532	880	MSOXMLED.EXE	28
PID 880 wrote to memory of 2532	880	MSOXMLED.EXE	28
PID 880 wrote to memory of 2532	880	MSOXMLED.EXE	28
PID 880 wrote to memory of 2532	880	MSOXMLED.EXE	28
PID 2532 wrote to memory of 1608	2532	iexplore.exe	29
PID 2532 wrote to memory of 1608	2532	iexplore.exe	29
PID 2532 wrote to memory of 1608	2532	iexplore.exe	29
PID 2532 wrote to memory of 1608	2532	iexplore.exe	29
PID 1608 wrote to memory of 2992	1608	IEXPLORE.EXE	30
PID 1608 wrote to memory of 2992	1608	IEXPLORE.EXE	30
PID 1608 wrote to memory of 2992	1608	IEXPLORE.EXE	30
PID 1608 wrote to memory of 2992	1608	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\meitu_image_function__builtin_params.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d5ecb35f1522a3e2ac63dcfe1736b83

SHA1
1d0b1ed1b5f178123d8a0dfc653de07df03c33f9

SHA256
ea720a93efae57f3b7d0145d7cdd0d5afda66c6ea86bcbcafac6233724ab4adb

SHA512
b939e23efdfb3ca8c28ba430df14ce80fff1bbca16a5738633b7bada57b170fb072357fe7eaea7f933a35e6a0fed7f421974e13ddaf32bc0281ac403d57e9b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15a8dcd43014f96c704da81e1662c9b5

SHA1
60671ca448ddcd4755319f8bf13d8232f34b458e

SHA256
fad2969d5fed02bd3825e0a53ce8cce79ec831e76d2f6696222b94ee23850a65

SHA512
722bafad19b5994b02a5f25a8b84f7a996efe1a86c467a981cf0c92abe3d1e4d32d0fa2ed404c3d28475f7169716d210c435978bdfe5f570e32b3a4404e5d1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93f10c6a1882a41931525c1d5ebd9cf0

SHA1
6797ac0bd5fc73b1e3c36c382e41a05472a0134f

SHA256
a9546f063dcaf9f841c9c9ec2baf4db73409062ccb2c7f9eebb926e8bf2b34f1

SHA512
6b53d9314cd6883ea2c3d2cde9c7623b33bce2a94e369a0e65a640bba89ba908db06b3115e14e91cc15b20777ba5fd26f9ea0c147cc9585fc3936bb6799e08de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8fad5958174b743bc23540c132ae2f8

SHA1
6f9c1f5599fe238908f4d55cfe821dd2e83e9a50

SHA256
efe5295e21386b546573b3f7991980b20c1f33a3a48ce8f305186bb2e4d056d2

SHA512
8bc87d9cbba0d59907f6c1d5051d7ed0528c320fda761f4e8e3be7a53f5c6a63e8f6df8562ece45d4e6ab673eef3f1f96559400e0d56233ef22e048990552a07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff58840dc9cd18f2cf10026682f15da6

SHA1
712801780c6de0adbacf696fcc7eb52dcdb3b99c

SHA256
4eaedcc1ab12ce7d7ef09b32a6da44a8dd06a23f7e7ae827b5279c74c57d205d

SHA512
88b8b7260c91a73da66063cdbcf38c78f508a07688b47fbb38280d32ea5f875fa9588d9cd6346805186e41fed0dacaaaad41bf10b6b4a1058310e7a38a49e050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46e4c0ceb0ff99932f2e25d21a015bed

SHA1
7b2a2626974ca434415a49622090bb6e28abf43e

SHA256
f671b1479e9bdb4c27a225265331ea80b5eb5517e6fec132dff3aee34d4fbd5e

SHA512
16bfc14f2f9734a405e691211b219792979089afd3aef024eb7c601c29feeeb251fa8e800326fd46a966fc665ed4fef189bef09b18595fe518e0b2a8ced7feb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f472c14d1186088b14b7b00b958b038

SHA1
cb660c53cb9166aafef0ef700b4e490fe8c5d8ad

SHA256
5bc0aa52833bcccfe70c8d48e04759b659704a6866220a12c3f460c85bb9f8e3

SHA512
aa0714fd56b3162ab4614713cbeb69343e11b48c90a0627d35665cacaa15080194fb314425afcb70335d418553742a2ae490b066a066bb44ccf265b7ec875866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3467586313df634a2003854bf36fb0f2

SHA1
db864758c18c251b228473248f27dafac262305e

SHA256
3657777b7880f0a365a29b2599b8fbb98080c34bb6453a982c12d3b7ebcfb362

SHA512
a9c086094fd4374b88258d50fc68e6d657aee07c559d8d7345a59691da5be7c7b6e5ddce05fc15a5d735d8a8ea03326a80033cdad938309dd6a0252b83839121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1eafd13e79ee04a0c9cd8feb634bf522

SHA1
050cb9b07b6fc4b5cfbc1717d62079c5cc1b0def

SHA256
8559694a5bddab176fe9adcc60d0a88506d77000c2b538b254af534eee38dcaa

SHA512
5d72a53af237851a3b82cbc5fef9795aec8752ec6ac7c2cd6c85f69151f0e87ac05840636a9030ef2d70a2e6045a233833e03f52eecc89516136ef75c4f61a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2AKN11NC\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9B09.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9D5E.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4H1LAANK.txt

Filesize
606B

MD5
5119f82be7e230850881a3bb150d02ba

SHA1
97dd86165193fb72c44084aeae37d1a719cfac9d

SHA256
662907e1278e8c6fc80ba2cadf7f4b358c535dfbfb3d0b80623a667e639306ab

SHA512
58585534055ebfdeaff8065ce494db6c583c90fb3cb4d1e645cc77e520716666c848cd96a226beddc587bc7b887f94f20a1fba9cbdcc44b05f47c90ead0834d6

Download Submit