332231ca3fb405b7621611bd22e7016cc73c32d90318753424ca598833775d76

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apple.xml
Size

1KB
MD5

386807d5a6de6f8b74bf26897af8e092
SHA1

9184e48a9f8276f32be763a254773c4e5f2017e1
SHA256

be1bdd07dae30ddf977d7f1d34574f6e6d6f9cc68d3b5428315af589a8d15ca2
SHA512

ab99eaf548b8f1b25516a62d814f3d7610a2d6d16c5a9401b96368cccdc5fdc84762eaa6041ff17e59a99a08c5f89b4b97662e080825d5159003d21ca7f767c1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000000478cf37f2931968c4108927f31b5eeea06c2c218fe310972403eec52302a8cd000000000e8000000002000020000000d33022fc93b3e7723106e7a8361460681bc8d91debbe6198f4392737227febfa2000000016ae0ab1b53fce3bcaa4b15ea51baa6e5c108f56ca0311dca1d9ee84921ecd1340000000012afd9557575f585c4542ab012bdc5640c59a93389b13e411a933e62de36d64fbd8af9ea85e20acd677d2457919c932d6918ced98bf6694f0ed1f2774fcec28	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c2a8ec44cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000003de4ec3dd33726616744f6adf8aa41057ec9a7371ec4d474fe823b55291e359f000000000e80000000020000200000007207c603ac0dbc1f3fe3a74ae3ce04ab4d9ef812b555d44753d1079132d8e742900000007e1ca60f5167406075774b793d6e4cc032352aafcf060a1640f83b10a5cd471a46e260e84bdb9ea29f160a5ab7918fb1c76af19919023e44130180777a236bf8c9f2ed3eca1aa260ac88a88c3c7c06062eba0293398c4db0144cde4c53ff44b5c9676ea320ca7557ce9cd7bd7a9e1c1bbee341367be968f105291061f2f330f4c11831cb255864cc5e4bbfb73e340d8240000000e9eaa581486127360897b269a538fd35116841e6e8745167491a94ba8b67655a5e678af1f53afb884ea9e7a2d81854ebe13b9ccccbd6c2417a6114e6a8d2f2cc	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17F819A1-3638-11EE-AC13-CA145D9C6258} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694376"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
2764	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
2764	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 1192 wrote to memory of 1400	1192	MSOXMLED.EXE	28
PID 1192 wrote to memory of 1400	1192	MSOXMLED.EXE	28
PID 1192 wrote to memory of 1400	1192	MSOXMLED.EXE	28
PID 1192 wrote to memory of 1400	1192	MSOXMLED.EXE	28
PID 1400 wrote to memory of 2764	1400	iexplore.exe	29
PID 1400 wrote to memory of 2764	1400	iexplore.exe	29
PID 1400 wrote to memory of 2764	1400	iexplore.exe	29
PID 1400 wrote to memory of 2764	1400	iexplore.exe	29
PID 2764 wrote to memory of 2244	2764	IEXPLORE.EXE	30
PID 2764 wrote to memory of 2244	2764	IEXPLORE.EXE	30
PID 2764 wrote to memory of 2244	2764	IEXPLORE.EXE	30
PID 2764 wrote to memory of 2244	2764	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\apple.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc9c50a600650c8e4755256d34fe0919

SHA1
c7f843137041fc4b7ce19199da164b16144aea6a

SHA256
a32916ecb7854d8b20b92ef6ae5895a5b2e57dbb6739d8111f098db304b74b01

SHA512
fa426885b0dd59c0612a4d32f4a1d222547649fcdcab7082a0c013e227c73fc7af31fc230e68cd421703a0aec8f232e5d777d820c8a805e424c665bcea497fad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d7fad01bd03ee547ce67b108cf935c1

SHA1
21b2f017ea50f4858ab5f3669598520ac60f3e22

SHA256
984448fb5f59df681811b48f79fd9cfd5d5a24f0565a6e340ba53405fda1e556

SHA512
b86a2ca9c05156c31293f2901cfe570cc0579a62a287b7cf7c7442074ad8ab043e5be62c2f38dd571c65f150c7d1cacf75a5a542a1d34445732f82aef1aef8e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48b86848307d9f9016a677349beec882

SHA1
17ee1d2e4218c26cd7fb83c22586ba098b820e34

SHA256
28d0c53ba5a12d892bb1bc1d2c9959e72c7e881bedb079cb2323635042be2bf5

SHA512
94e222d7db6355cdaf7a29d7fc64b025e4170a5d9ab45cfbad5e3e2bfcb742a7cfa5f8e296de30f320d5b677a5f6086268d3f334b666b7a730071bab2d097862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d3cce17a7d7c02c8c56395c8fd1e191

SHA1
5732f009b4131fecb09cd2c7cc4ebe526c3223e0

SHA256
ad6a211b533e6d1339d3a0ebc5f5eacbe549442a2734d02ffbeebb73ad860c01

SHA512
42fe611cd32832d358206f86dbf450c28e383b4d46250baea834b75b1a3b027b5b3be130355e2c8f6d173c7a04b666d55b6d9e4b817d3ee787da29f1c880b8a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38e543b96fb50f3317352425253baeba

SHA1
3638e48a6f3963ad4c3af60d031ea5fa0ebad326

SHA256
05119a6cb41d7430244bfdeee9b1631fb6cc6652f93a4cf3d0ebb6ff560cabce

SHA512
77cc1737026397066b149d6f9f983460bb1e0b068394de85195206bf550696b4fcddadad527ef3a8b54383fe9534272a37cc75b65cf18c2c7185b9d9da6fac44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
493aa9d1e75b9aab0f47ed08e097f3f4

SHA1
93a30dfd10ce1f88aa858a52368c93b0d248e5ea

SHA256
9f67ac8dc1f9f9e87713aec86aa7101aed1917544cbc125b18bd71db0db56367

SHA512
7c67514a3e1cdb1dd2e80e07406979abc0c38f8d667b09a5c71a07acc64018b8bd0fb6b65464377f60bd9a9c473ff557244f16fe236621efced6abc2a4ddc634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8197b55f540fc0562845bfc23962e136

SHA1
a14822a43dcb52f2fd38ab47fe32af3a4de48546

SHA256
ce9fb09080957655fc072ed6c0344f741078cd5839c8d32a33b1d3c7769ddaf8

SHA512
d3919170302ff3ce0d4185521269ca633109d5484469c035f70e1aab334d35bab24f480475582126ca770fca02ef9565e117785f232735fba96337cb5680f4e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff6c7c6fe9fa947333283b92dfc55d79

SHA1
dcb9ac05c38a26ef1ea7c803c71e043a8d0a6f33

SHA256
f73efe17ee6a1a57d2d03ba4c4762016815bae0532244df81072ed13ee6fa8f2

SHA512
7341d2188af4e5f5875302c781feb6da3436afdcc50069309b87e0f447ec8b82bdf5f95ff0ccf017548871e525540e6270083bbbb63c927990ccbd9c340469d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86070cee01b122dadbaac93821799bc3

SHA1
cb2df8790334a3457db4282d7a860372acce039c

SHA256
0f89cbaed187a19fd49bf6ee17df42b2ffb2812a96c94ea15f00860f737856e9

SHA512
49c393a0de1358474bdd0c92969ac2ce85d26cbf7e21375378bdeb9c7d525a8f62a36c7fcffdd1611a7a574f3d7915c73e5f865fdb9f63155e76d77868f905b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0df5157fd802f8bae684d27b37d4ad1b

SHA1
6b831ffdfcfd1ff6fe0d4496a21d083efdf51019

SHA256
8323b8b433f3a83b06490f34f74867152f7cb52a9227f9ae42d2520f784dfab5

SHA512
90a9379f8f56328160e0f0b51ebf5d37fe8a94841f79b67e8ac41543f34fa38efbef159a82871be4864d58c0c2dc2230645b63123f44121e122c7cd11b72b04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8F86.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8FE7.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit