9a58928021619edf547ba8793a91c219b4fdd4b6d1cb8ccbbd840ea2c8596c94

Analysis

max time kernel
134s
max time network
138s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apple.xml
Size

1KB
MD5

386807d5a6de6f8b74bf26897af8e092
SHA1

9184e48a9f8276f32be763a254773c4e5f2017e1
SHA256

be1bdd07dae30ddf977d7f1d34574f6e6d6f9cc68d3b5428315af589a8d15ca2
SHA512

ab99eaf548b8f1b25516a62d814f3d7610a2d6d16c5a9401b96368cccdc5fdc84762eaa6041ff17e59a99a08c5f89b4b97662e080825d5159003d21ca7f767c1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a979206ec9d901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000bafd38d931a2496e05ed51ad999ceb1962c68515db4aaf32ad367006c35792d7000000000e800000000200002000000069889ebe499c101618a577076956af8208f565d976971ea8816b5acf01126a7790000000b7cd7bdd28565ef55e827f27bd6442445b1c2c0706c8d3f1467fcd84068784278614e8a649c30a97d6a22eafd8f11b91388568fdd756cd45f14aa923e8c0c638a1adc77479d66edcfce42bfd0517ac9a45acc681fe9f8f905cd0f95674f40b5bb0c3f143fc576d5bdcd7e9701fdd5b6fd4e2d2f641fb198a18f3a70750c512e8751599d53a8a5e3b0324978c7c608c0e4000000027289a557a7d7e1110fc64a4ae4017b0293d128de0700451e5486285a0c48f8f69f110e01728e7c7198f2e5464d20154a80f64f68255427e04423b8ed30d01c7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b0210000000002000000000010660000000100002000000066c510c2263ecf83b7090463f6446deb851d09dfe53f72eb2581d98bd9b50d9b000000000e8000000002000020000000f48a36adbad6caf754f05d21100c8c953afa4a9ef37bb559b596864a5def6b6a20000000620b25368dae26d93a55e5143290964d2430df1c38ff1664b1455baf9b804bd540000000650419fbf2805218ffe89bcb06e55a991944d9fd5945723285bb341f165f4fc76d5fe33f9105f91e0abac3d92178bc5f6ac12b28b91ff521e02f6c8b1a8d67ff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602119"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BD03C31-3561-11EE-94E9-EE35A7B3029D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

892 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

892 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

892 IEXPLORE.EXE
892 IEXPLORE.EXE
2832 IEXPLORE.EXE
2832 IEXPLORE.EXE
2832 IEXPLORE.EXE
2832 IEXPLORE.EXE

pid	process
892	IEXPLORE.EXE

pid	process
892	IEXPLORE.EXE

pid	process
892	IEXPLORE.EXE
892	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2144 wrote to memory of 1724	2144	MSOXMLED.EXE	iexplore.exe
PID 2144 wrote to memory of 1724	2144	MSOXMLED.EXE	iexplore.exe
PID 2144 wrote to memory of 1724	2144	MSOXMLED.EXE	iexplore.exe
PID 2144 wrote to memory of 1724	2144	MSOXMLED.EXE	iexplore.exe
PID 1724 wrote to memory of 892	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 892	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 892	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 892	1724	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 2832	892	IEXPLORE.EXE	IEXPLORE.EXE
PID 892 wrote to memory of 2832	892	IEXPLORE.EXE	IEXPLORE.EXE
PID 892 wrote to memory of 2832	892	IEXPLORE.EXE	IEXPLORE.EXE
PID 892 wrote to memory of 2832	892	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\apple.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
849f37e8ddc3dcec2335c75a048d7b28

SHA1
fc55027cfa9852a2f6c4c8210f91454bbe7ee991

SHA256
495324f28e160266ac015fb80a2276ae7cb3f0aab80d385abc4aadbad07c0b58

SHA512
993d5fbfe0fa12bc73ef45ff5793f7e3c437fdca9c107e1ed17ee31ea91bff9b865e9c65c3e017ab3ddf3f6c7495edb64f37d25f886123055e066e1b2e876e43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8226c1578aa7110881518a49dbba03ca

SHA1
b98e3ab6cb5f767564a8f252c0db32acc112712f

SHA256
73438c1bcf093ab527a7e67c86ca6703f85da408f09004832c82bbcf35dcc70c

SHA512
18a291b1833e032612387ffc1f15ce433590d53c5ea0f972ca619c36bc161a388ab3f6f8efd2b79078478f9908c9ac18cd615dd8d0eb51d0b44282c1d61c1061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a32730d33bb75a2596e605fdef7c41c0

SHA1
ee58e2163853c967c539ebd3e7fb83a95a0969e9

SHA256
130d15b8582baaf4c381dc5804671bf1c5e02cb141a5f3cf3d1f2f64654b9211

SHA512
c2dc70b545387d5d621d333958e299b2e1637c881798e34d5faa3a7fe17bd57b6f6160b531c63ecc948c4755e9c9743527d60a817d901f40c696916babbabd32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
536b253dd5862a0a70a8e9e78d6bbfb7

SHA1
32b890a677ae21e77bde08dd67e458f5481553e8

SHA256
923bc4d5b8a55f3e70fcbc841e72bb083160ccbe792ef88ea5a942b29cd94cbd

SHA512
7d87ac323139f4ea46870493e7c016e3c83dee4bbb447ac5fb4844b4741678c658f3de9a5b9e4beda4fd870b7566976454c1d4e117b8c6a4c7c6cf4b2758ade9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b8887f58959f1795ed26d0feee4fde1

SHA1
97d02ce618fbce2ec50929eea3a3814503838ed2

SHA256
d4ecd93f56b20e48eb07b3f93c599da347828e7361cd56713777d6f2037bcb54

SHA512
81532a5d418f03c34455f5c79fbfabbc294295e70abb3ea7e2fa32a851d9cda94715a3cd5a6624436e94c3c9cce296f617773fcfd47435b3399e8048ff664102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1a9ad14d77404612e76949a257c0fec

SHA1
afa397db97719bee5ca51b1d21081a82ecd3f240

SHA256
15cdd1482fa12fec0710d0fbf7205ad151c0f3a3990107e4f0cc07b04f3c547b

SHA512
64460efb02f72eaf84bf456d309719797a8bfac5c084ac2d5d79a7843047c5d7432c044c2fc96340c8cfa0a65af7e84014fc02e49f5b38de41d7fb71d6e9aef1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2803dafe1d34d7d1ee1e8ccd549842db

SHA1
248b19165f143a74667c6c99bb04bc0faca40e8b

SHA256
7e441bfe32a12287110f5917bfd1fdf2de9c4fee16fc6e5bcc0941f2439c40e3

SHA512
17b8e686dd47701e1daf9d3de13e964427b1971c837e81b7ba5a4e6944fd84305363278b888be3e251780fce34c17294e507fdb586d142913deb36222fe0fa86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c43b1070ed311d2ad01e408235f3a6c7

SHA1
1df4ce4792682fc87cb7f31b7c539958729eeb06

SHA256
df72c027426422c31fe1be6fcecb820a33c95d7cf69fd4ffea8a8f1477458246

SHA512
b563291a1b1b0af3964082416eae8355c97153198d75b273d6e23b444789f77d57ae33bddc29d0ffd6db986a30dd7803803b6ae50762321a215faa38eca29b6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8b76ef3b673d8d9c16fae64ec126d20

SHA1
b4120c66fafcf8fa7824010dc61d995a2bb33ddb

SHA256
bcfce7450c3e7c057e24774c9c8c9bea6ed8ba2d014942b29767afcaa3d4d303

SHA512
2e2cf303d68f25de34fcbd160be31b67c64dff20eac78d00fe0cb49adf85a4b5e2075126764db219982574fee877ef61d59138f361988b5477a48fd4e2370e8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a86016f228c3925b066ace68ca25e063

SHA1
7ddebde1fbda66c516090e1b88803f6666824ba5

SHA256
26a6c9be321302cba6a5b5c2c134c1c6d2bfeaf86a630f689b8862da1754cfdd

SHA512
e823cb4b7e2bacb3cdd4d9152974e769bfe139e48b48711aa159c8e523fb35c5ab96b9fc1479b20b32c5189c7360c30e7369eab6ebad9591d8597614dbedf980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bda89af265f2cd408d8996fb50ea5087

SHA1
1b8f1be31d7390143e16670da7c883123cdcad6e

SHA256
f73e0077c6d038ee974cadbda9ac99a99873c1370d1f636f6dcc9a82bc3f89b1

SHA512
9ac81a5bf9444ffc9073727bc590dd872c415c7f1e0a732576a5167a21fc2e8c5a2165c252c7e24020e69d890da1da8f1ef77f742c71d1161534f147bc986c06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ebfeae1adc89cbea9d3351892f917b40

SHA1
84b965c55ab3e5e976a18a2b8d1927cc496249db

SHA256
67132c697fb4456c1f19a75f615128bed19a7dc876cb0c55bc67ec441a7d3c72

SHA512
de62bf11af9ff7aa59618e8d35dab468daa8a431ff6a9cef3ad7e3d6814e0287206524f3dcb15dffbccf958be7cf38f3b9132d54b9c30aec6275762293a3e4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E5C.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EBE.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit