a2731e6bd555142f43622734f8b3a6c27672831269fe6cafdd98d53cba75b57c

Analysis

max time kernel
138s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/09/2023, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meitu_camera_function__builtin_params.xml
Size

2KB
MD5

fa10685e30a8aa676f151371fcc3f9fa
SHA1

72bb07bc3fd2179ca8ec17cf8aacdf3c16da0df6
SHA256

ee7126d1cc05239a9285e09d1ce9e201fff6724ab56f7c4bca819ff96d9ce668
SHA512

89ec4d616d1026840543fb3ab10110c6913378d6cd59a6c8989b8143e1dc7fcee71cc4540d92609175c29c87e9dad6a8b9d365f25face494b8234b2b8682da21

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{381224D1-49DC-11EE-A44F-D2B3C10F014B} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b0000000002000000000010660000000100002000000039c422f8e4a62e4116797ff0b5c65b4fe573284f23b5a8b57b3583b410b6eb22000000000e8000000002000020000000c52a74b15f9b7b45aabdbaae765dc65bd1b76570f74eb402c7abebd429e95618900000003edc52536db0a0ad88a73bd8667d521475692c728c2e7b93ad70c3145f9b8ae7de294fdb0ae9173dc45460ba15c4a20fe2bdaf2f7961aa96d3218ed95f9eb699df706b281f18ea10dbf9c74d2116a1df70b2a8d0439147454f51530eaf3e26eb9c1bee3593ec90e2fab13c0875f9ad665819531743db047eac2c8b0cfaa10df6a51ec6e60890962eea27b84493d0f2ce40000000e1194bfc225a5a08499c71cf7a9484a8660745a663ea6b2ac0980181f196802f0bbed42cf5dc1e74a570eae1391dccb2561343cc17d5d2ef60754aa649cee552	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a13f0ee9ddd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b000000000200000000001066000000010000200000009a7e9c05914cd2f4d62162633720f7f33e185ecd079f37854023be62157cd3b5000000000e80000000020000200000000aac0df88c1873656964c519f9ebda3b1603f04983513d29022a54a3ba4f1b3120000000b5b87e0e65038e6dc9a64e441a82d29947998ffd24d884d9d41fea80a30e04c8400000004a500d7dcccec66834b48ac57a23a2487e53b1f1164100895abe9cbf279628c3d8f864bfc477324c30915ca257ce3837a5bc13f976b061b268e65fbc509e57a5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399853937"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2872	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2872	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2612	2112	MSOXMLED.EXE	28
PID 2112 wrote to memory of 2612	2112	MSOXMLED.EXE	28
PID 2112 wrote to memory of 2612	2112	MSOXMLED.EXE	28
PID 2112 wrote to memory of 2612	2112	MSOXMLED.EXE	28
PID 2612 wrote to memory of 2872	2612	iexplore.exe	29
PID 2612 wrote to memory of 2872	2612	iexplore.exe	29
PID 2612 wrote to memory of 2872	2612	iexplore.exe	29
PID 2612 wrote to memory of 2872	2612	iexplore.exe	29
PID 2872 wrote to memory of 2508	2872	IEXPLORE.EXE	30
PID 2872 wrote to memory of 2508	2872	IEXPLORE.EXE	30
PID 2872 wrote to memory of 2508	2872	IEXPLORE.EXE	30
PID 2872 wrote to memory of 2508	2872	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\meitu_camera_function__builtin_params.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e2444da450e7a3225c768943537d20e8

SHA1
4b7ccd4c8b6046528fadad9cfc7034ae959ce253

SHA256
b364b78d16beee8452924a78b2f373c3a47441c8e11da0784e1ce413c81a613d

SHA512
c769ddee4756eb7038c29704eb59bd95eade0970644366f23412154bfe02eac709e543bb132dff8538182383e1dc9ba13d8fcc61f07f597984cf549817d8839f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0c9d3beb055ffd1b9b75992fea5f3e01

SHA1
de820b4ab7da8f6656a762dedaa55de601f5c076

SHA256
07c8ba576e5aee67a01e4e80790a2fcffe805850567caa54d701a80e8b0c1ffd

SHA512
39497e4eee49d00ecdc3007a3ddf8aafe6271f3cdcc8cc26ff6cb527dc0de30587be893ded0590f4fd34f9d9dc896da666e67313184d9d83d61d0f469f260c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
144fa15c679a20224956d092b4d47505

SHA1
c7e33777fd3fa2342d42a3e2c7a90218303b7389

SHA256
569510e3a4e3ef54342b6f08b7aa90484ecd8175e9e9a9f46389774a18cbecd6

SHA512
103560d9e2d77738ab89478e9cab44cc4dffed195dcf7205b16b8336ef2954ce8e811d79b5c175c78001fdc396158b6ec45c75f8643e5c46a9b55671cd283d47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
be1772e6376606e3b6a7ea5b2f332f98

SHA1
800c71e575004b1edf26d63182b7f3185304a878

SHA256
a09fb6bf8414f281a80a4529385184beb1f1838d289fb86dce02e0c4c93cd1e0

SHA512
1dc449b05630aff13a3f1df97bb312fb0eea30e52da9273fad3489f84cf5c2545f188eaf9c9e80494ae28c7e6e12df4fefe85c6d76abc0d7c93a71add424a4f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c740ea0a05d024b7fd4510230b53a9e1

SHA1
985ac3aab19672fa6c06f4d76db26087a4177508

SHA256
40b5c704d943f9e39c1290ee2f0f2968c37ba4f35a3234c024b8b0d1bd25db48

SHA512
066b5335779ff5a506c7eb4674b61186dc99fef547cf5b1fd8ade92b8145905a1cef9a151b9da9e5e5a628e8a29ba4079bb2fb4a5b29dc75f4bff7f223920201

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b093c4fa275508e68130f563c6477420

SHA1
ec2ac4ec54b9fa2f2dcf4a11bc0eef38e17dcd07

SHA256
ea5b64200c5aa744405906a11c5912f4cb6edfc08c33b78b676b0342b89a3f62

SHA512
272731b7c88f085c46c83d1d11aceebf8c3ea6453845a70b3978e9242bb0f483a77d3bc4d5bd29dd58f28b7e48fff4d0fdf69966d5a9b8e52c46e018c65f2465

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f0c1c0104419edd360cfd718f245d734

SHA1
95780ae98f95ddc5f40d67854bbd9b51b23e6d5d

SHA256
1dd0102771c244c639222f294bf899993d5aa0d44cc0a553ef1bc05276d33e6e

SHA512
b6f356447318895e43a18e204d1366978e0e45d1da8766bd98c8a30126f5b9623ee181009067bcc935660f8fa6eac8eef03baa86686b207001cf3899baaff63d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d9912c648e3a1717f6457b8660bd51f4

SHA1
0e54f2d3c004470a73cbd291be1c65c475a0b552

SHA256
278d74b39496f0c1dfa3ad307c07a1cd9aab897fdfe86f4e9cb887fcbb77e8cc

SHA512
b832c300514eeb88c30a5e48f2f12910efb4424dc6002f67ff71ff46725c630ca8089ce12ac482886d19ba6868e60346ed3c0b36a87da5c92a5237d235dccc7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
898b220ff452e56647aeb9f4b077c7f1

SHA1
812fb96a1835ee686fe0287c718d6e5bf9604c89

SHA256
61589caf933077133d58877a965b4f9b8464ee704e65769b3a0ac3c6782794ef

SHA512
05031ac2c16d9149885b6a1ca38b6b518661cbc4d51901e921f61ca6e090ea3b7aab38dba40fa398e844b599c4a78a78daf7a7739126f3335fcba8990bacc09f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c3d1222c462f40688b00a82a4ce826bc

SHA1
f6e53e76bf557b89868f1c1c8d44f88f5e1dd846

SHA256
681a0ee0369cd4941a018c3645fcaf3f32e5f07ccdf598fc16cdc206579e5822

SHA512
9a21fac7bd635931432dfaeb974f2879448c6ee6dd06b9b162ac10e55e107f87f92d86e7b6c370639d9fd9a9a81aff97f5a8d499359412368f12ef4c94c2352b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
84cdb32de37418ebf869ebcd58d5dd2a

SHA1
f96706246ff77bc1f92b6a0392a11936531dd61a

SHA256
f5c0e0300035015b866db76eedced02e5db5706dfaa57b4ad10449b867dc172d

SHA512
2f0269c18610bf3e9b0866a3e5a7d82bbd1425c873e69bf721bf747ffaade6b9a6f2af39687c8a0852f3fd48a67153ed7c6c0e3a8dbcb3a509d69b580e72de58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab936B.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar93BD.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit