d169f5cddd7b7d6b45dfed7e9e216a4af93b9738eb2b736362484ee777d76bac

Analysis

max time kernel
121s
max time network
149s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-09-2023 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ionic-push-notification-android/android/app/build/generated/res/pngs/debug/drawable-anydpi-v24/ic_launcher_foreground.xml
Size

1KB
MD5

53a6c064d1f26ae56bf3803c51c7af2e
SHA1

0aa4581e882a3229027b03ee31623761c41d3344
SHA256

a8514094f754b099d3e55ce1d6e0b2de79db418b2eeacb0fc2a6bb0bfadef221
SHA512

50ec23fa075c294914a119c0acba82d6feb5419aa95d4a9a3c9d65b24f7e12eb219b9da7151ee600773de910431a520cb5e24b65f8b90bc718d2f6c12c9e3971

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef000000000200000000001066000000010000200000004a62b56c6314c832173d7dc384f8f1ffe02850fc6441de8099491450ab83c89b000000000e800000000200002000000081d5c339aae8864785256eef064c1832ce14f6989ad57fb10e4a963526ae9648200000006f02fb0724a8409c7d677759876532d3da4144f31f8e3ea7c54e1e3bb405c46e400000009ecbdac8603dfb3d1b8fa9653a8f1d0e04a7634bb8f9e2f1620a95015447d2560c0fa64892191eb426f01632fcebe062cd492f0c3d2cfc49e042c660b2810f54	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000f1703c53b7ea1c96271bb01a11e106c58c3e12016cfb0a37e22cd2b8830aa501000000000e8000000002000020000000bfa4adafa0b5e7035fead5d3ba3b18c258d0f71207b38fbc6296fcf3b5585f0c90000000d13e25ed227b0098d38ac779604c485ac2f5f43abca45a129bbbba2233e3b7f551a674b992e02f938a029035f18f17110271e8093b836420930a535664951e0d4283f6a9d259f6c9a04ccdbc5dadc2ff0e7a00ca914df79a4bc4479681e174496c44a53fd45d64b95c7097981b7fdb6b2fbe69c90c89f94c7e4f2fcf4bb7e6324e0faab57e276d9fd51e977bc16d0e4d40000000da0207963b6ce8ae4d1922949546512cfc9cfb0640c1992644eca5651367f15743cccb068788b35df95e1bcc2f54eb26eea1c72708ada766d161a6e7a450730f	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400004625"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{121F8FA1-4B3B-11EE-83A6-7A253D57155B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204547e747dfd901	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2380	IEXPLORE.EXE
2380	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2984	2432	MSOXMLED.EXE	28
PID 2432 wrote to memory of 2984	2432	MSOXMLED.EXE	28
PID 2432 wrote to memory of 2984	2432	MSOXMLED.EXE	28
PID 2432 wrote to memory of 2984	2432	MSOXMLED.EXE	28
PID 2984 wrote to memory of 2380	2984	iexplore.exe	29
PID 2984 wrote to memory of 2380	2984	iexplore.exe	29
PID 2984 wrote to memory of 2380	2984	iexplore.exe	29
PID 2984 wrote to memory of 2380	2984	iexplore.exe	29
PID 2380 wrote to memory of 2788	2380	IEXPLORE.EXE	30
PID 2380 wrote to memory of 2788	2380	IEXPLORE.EXE	30
PID 2380 wrote to memory of 2788	2380	IEXPLORE.EXE	30
PID 2380 wrote to memory of 2788	2380	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ionic-push-notification-android\android\app\build\generated\res\pngs\debug\drawable-anydpi-v24\ic_launcher_foreground.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3309891eeec9c278771c6a2e38e24e9

SHA1
04a000d057089dae3c70ecdd680287aaf785d62b

SHA256
31707f57c54f26620be7d574671ef9e1df24dca83fd20bcd1d0d902f0fae98f7

SHA512
5d1229288ad3ed4c61c043f9d4e017f4225b4be78af25b21cbf46d740d24ac4f56236f3ca3443d1106f8d249a61e4a9badce069edadea5f261ed5725a74c9996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34b3fce655cbce855a09aa471886152d

SHA1
5a47046a192a323901efd5428904bb58500e1059

SHA256
f2127d39ee564a8a283d514333a1c07cbf1e085913ecd50ea76f9d7cda0dea52

SHA512
6115babcdb9049f650158f888940c3d187aa9e505306dfd6d420abb01f26681bc34c53c511e58a378d31bb677c1777f01328d5061e962d5b97f5d6b48da3834c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3aacd70aded9eabeae51c3b066c0dbdc

SHA1
f78fffe8102cb16c839ae972b63a748729542ded

SHA256
f5c748c19591aa7f35b2de4cb3615a52ae94babbcb1be349af0308bc350bcf0e

SHA512
e8308c5c5f7e4307619caa0ded72d27c1013c5e00a74f357d5fc3dc9c9429c6f3ac38ebe5295b1f384188a3999c6660b88f2996e3e555511dc2bc8aeedfb05a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4300c28f1042c2d2eb575d2739a351fd

SHA1
bacb7de6f0e1216d35f07bfdb50fccc09c5a763a

SHA256
e39c13b77bef450b5cdce77e208feb1aa269d5bc91f72f5e8a3f53d0e6f0e2dc

SHA512
72e3dd7aedf886647ccc89a2d7fd0e9e32646e8137a07bcbb48874e929dfdd72e2f551e48a1bf3faba3f3efda6c21c5e3572cb89bb472f1a3c0085d0579ffcfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18f073ef4f05eb6afa8ce5384ef3747d

SHA1
f9dba4212ca6bf9a83fb0e1bc85c6327faa8e53b

SHA256
e5916d1fe2db66dc4ae9bc092dd12e2485b5c20eecac38fc22ce2d238021dc27

SHA512
982f2d044d3e10bc9577c8851cfb2f790009aea326a07a50b34221b57e89b8d81a13358e733c297f18affd9d9904a2793ffe605623337dcc99c3bd0c06ee7168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d7c658fdfa0cc888eaeb8e6502118fb

SHA1
28966188fe67a43d233adb4068a18cb8eff424f3

SHA256
6b7e1f6146cb65cc0d749f635f5f196ac202df0af067bf3b127ef0f57046dc82

SHA512
cd80488d7b2b231843d7f99db0fdbc0f5abd1dca19f7c36cfdc6658633f5090cdf7db20d970cb3ebbc4b0a2e1f5cb79352b5158208b0c45645e9db80ee5e7cf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30755479a5ec7da31d8d416ba8f727d9

SHA1
1fabf283967ceb5b65af0eb110ad9d7727a61a77

SHA256
f12f63dbb1b5101984dedc04adbc2570cacde844e6ff82bda2832f08615ee485

SHA512
d2418e9274a624efd640fe94716f0cd10de58be8a0618933834471d9cfc31370157f8920b3f4ece3565397f5555c21476141104251563c1f1ff3835d250f844f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6020d9d1f4891b896efaaa4dee6a56f7

SHA1
73e616e91088be0789bf06c492a7f8c01fd2f1e1

SHA256
4dafcbee349e6d2ba032e400b6737ccd1cbcddd79df27a3015dd489b0a695afd

SHA512
c86efd8ce68b4388c676a7ae377aa1f4cba7b8280f873ab1cee03b172ba1605e1cec254727ad1678f2fd1cfb970b8fb64d6fb0b417f059b1439f8e19cb76c158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58e6239cbf5a05ae932b41b5bfc29844

SHA1
64aaa023d8e37d3df5265a9c5f98ec7b280246c6

SHA256
5faf48e1cb8194ca774f649d1449aa22b89fdb62b5b87f500c2a745964045a79

SHA512
02d306b0cd03b2b76d4317025a7c1ac1b96c6b5337f2181521cb8f4bcfb77bb7cb9597c2b6bcc24af18482668148e8592ba03808fc844d17240f1cb662693677

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9688.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar96BA.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit