a2731e6bd555142f43622734f8b3a6c27672831269fe6cafdd98d53cba75b57c

Analysis

max time kernel
135s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-09-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meitu_image_function__builtin_params.xml
Size

7KB
MD5

88fbd1e1464d85942f510db703ce1a6f
SHA1

72efdf32a7f3f0ad6bd647790645f787c30a0ea8
SHA256

a3bedd019164140e19ac2c5bafc27b48a85dec84c8430661d967ea0d188dd1ff
SHA512

ad7c689e856b1a8e5eb658fe4d00ff8aaa9b0b322192bdde3c77cc3210ea985c0aa3187aa0564f2f87d458b1b45a225c814a8a530ac6a6a64be10e5f3beb9109
SSDEEP

96:CyUlnZYbzYeDH8Hq7HoHTdHO7HoHK8Hq7H9HRElr75eboaO2yXkLZP/t2BS:XUAgK7I5u7I7K7dyiV

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{375B5FC1-49DC-11EE-A109-7A253D57155B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000bdd946c1d269ce873692b12ccb636df3cc77f4546e139a5f3f82613a02468d63000000000e800000000200002000000030ffb70ee1638f241359d31a7e41807a2e1dba0f86263ba53d3ffac03f8c89109000000032fb4ff573a29fb5d9614a2c9edcbf60e409aa0f62fdba2ce9f745b7e956b2004a531bcf85effa2559c2a743ac8b32a933ee8d42339790cdbd6a9f462ac7034d9d61189ab56b562d8d596712033d1f5834aa0103e275a9604460a3b43ade2d9251b8fa9779bfc259b02912f239daf5f7e3674854b5050003168e3ea0c07879a059e454c86c41b247847f682e9f84eb9d400000000fb59f8d7cb045d6427d5cabc7ef77f46e35d03bbdc00dffbdda3267e64d4b7a0028743d5bb8019bcb5bc0cf86a24c109cec031d66f1c14382267e7147ebe447	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399853934"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a71400000000002000000000010660000000100002000000087011f8388e5ddb6933b2d871c30f6d415a7a78ad90fd95b7f7bcf3ef5cc71f7000000000e8000000002000020000000e8933cc4f367cc79e11dbaa94f8ee006f33874da1f3c98d7408d15110a7dd89320000000358b5dee5affa593176e466b9f71e8628b11c5111ef1e094439532b02c8f020440000000e5273613ea4b54f4c583a9b369a7b7da294beded082a7d5b2dd85d545e401d7b7130762614dadb6b72c24e2b8deb97502922bc23495ea4a2a4f209e52077ac63	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ba610ce9ddd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2844	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2844	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1212	2008	MSOXMLED.EXE	29
PID 2008 wrote to memory of 1212	2008	MSOXMLED.EXE	29
PID 2008 wrote to memory of 1212	2008	MSOXMLED.EXE	29
PID 2008 wrote to memory of 1212	2008	MSOXMLED.EXE	29
PID 1212 wrote to memory of 2844	1212	iexplore.exe	30
PID 1212 wrote to memory of 2844	1212	iexplore.exe	30
PID 1212 wrote to memory of 2844	1212	iexplore.exe	30
PID 1212 wrote to memory of 2844	1212	iexplore.exe	30
PID 2844 wrote to memory of 2764	2844	IEXPLORE.EXE	31
PID 2844 wrote to memory of 2764	2844	IEXPLORE.EXE	31
PID 2844 wrote to memory of 2764	2844	IEXPLORE.EXE	31
PID 2844 wrote to memory of 2764	2844	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\meitu_image_function__builtin_params.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f0b48611451657c9a8cb934a22ce55f

SHA1
2f3c8d87671075f00344b038b52de96be27cfd20

SHA256
b8b9615cf6aa6038373cb014b2714d7fb49be67fab4d1ec3ad639741bbc50321

SHA512
049fbae24377de15619d1c923787183437d28da3616dae69618befd7a7701781c3a0202236e222039e50b8b7729796227640ac3ac349372966ead6a1f884a65a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2597ca2c158a31d75c5a3843edba86a

SHA1
f1dfefbe2dc0fd86241aedbf00b72fbc6b832405

SHA256
5ab28126c2c8bf9ce76c90ad898af3199e5d94f7382623ea3258d06a2759dff6

SHA512
dbe49709108fb0bbb8e5e15a6cf198f9a1a9473e297ed29e50869283438d78972eb038d11c2181d632d844496006ebd2432a8c7d6f0be456941b2a70c3cb11b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
737af08ca36c6acbe7dfd393bd6c6ec1

SHA1
1c536a2bd1f6b8e0899577a98ad5c46c420cbd5b

SHA256
3d5e39e654df9c5d4d29f026b4b4e611c6836e6867678fd3f31ea19512b70882

SHA512
80751826f275b50cdb437a10efc02bc9b2ae33b593ba5d86a72abc70ddd8ec6dfcf3b9efc862a06e8b3e726c950ca24fe133c993c4a36bc54096d4faac4744fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f02b4f3bcba55d4e70471f6e5315f2e

SHA1
cc27147a934123bebf2b8e73b1ec0d7192cabb20

SHA256
4987038dc78bee9e6bcb9f66df1291134731e9af6132fbe23fa7f0380c4039f3

SHA512
59e79288abfe3e57031bced2f512b0e800fbc6cc75383e7817f177691f3dcefa085bcc161cdc0def8c9847763989bcf5f327a59b3a33a95dd9d2310bdf45c05b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6d746fd6fbc28eec540e88b0439f320

SHA1
a913eb58d1207fb61c7d8a4e76719ea6b86c3da1

SHA256
ae697c3f39d0774f5c12d3bdd91b07eb0b054dff65c09b5462a086d54d2918a6

SHA512
efcdc006904a22a31c621dad310a022e7d25d8a0da518eb13ba2026ebfcfd6b3e2927a7adde129b9fb1e47494f62e0d5c6bce2660a70f11cac3a7f3024b797f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b360aa4e3416ac8f507fa78bc8346292

SHA1
6c1e1e6905705f7a4468b0787d930c1c9449e373

SHA256
4cbb02d2a430d4d0ddb49eca60770ccd1eee8711cfd28fa971b726142eb3543e

SHA512
fbe0872771b0f231f68f56721c24c59e4a44cfa5af60fd3a910b823a91d88328558f9fed841d6df7473d885b4f0050094781e3dc814b204c2a02d49f97166715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c212bbe47a0c4c41fdcccd0f71370d6

SHA1
624c8e5797566db56cc7ece087d502947785227e

SHA256
f1ab01169ffc05881ccb0313fc218cfc6e1f9b8e051b893f2fef0b3f5c9c0a76

SHA512
52fbc29bddfd47734ae57d9f79f8f5f83f8e7af61863934aa447181c2c0cf0ee561adb59f5b26f1bd28eae4c51cfe8f82852cb20ac9f7f9897d8820b182644c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77d275859565f97bf56da5ce5c7c82bb

SHA1
d53de7b708fb1c8be1900925de9b5176d37e2e91

SHA256
40de5881ccd847794524f8b581d758c019b84a576b51801d7caa9bf6d9212ae0

SHA512
6cda7e95c7874c0d8f46521f8927694e1c9c9818816ff440e01d1fc86c1a6f17d416efb8a1cc87a6e67ff456ebaee664304ac7ff189177a73c0277c84324ce7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce88fd4ade90ff02da78a2d5812bcc92

SHA1
6ad926aacdf7c94f07f4b4343d930be5f14e6dd7

SHA256
580282d0e109f9b90fbf007738ebef4af95a4c0f8714fdd7e56f4a8f411225f5

SHA512
03cbf9463efe213f2cfa0e43f200f169c0398fdc4370c6dbc3bfb4b13a83dbcd2b9806a56e4b69f781995c3292839e29ecd655edde92a594099482702b4e584c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e715d3d0ad789b4703d369be6f698176

SHA1
502c0babff3a2cf3f72c691449ee68c02c34e5e1

SHA256
4bb5c4ba15591343739ba358a3387a2a14ff8419d7ec9dda10c6824aae916d58

SHA512
a9a725988fdfc75bf893dc5533f9fc9aa6ab750484513ef62b17a905ae8569fcaa38475eaecf1dd8678b2cc22d7b2b96717249b4e234cf6d02a3db506dc4a21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab52F3.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5325.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit