5e9a3b7c09b846141c577674b503cd048a286467af96cb22039c3eb6044c581f

Analysis

max time kernel
134s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/CapCut.app/pl.lproj/InfoPlist.xml
Size

1KB
MD5

148ba997b776f9d3be8f9785f1407672
SHA1

59f1bfc08740d78caaafe5fcadc7ecd0f26cbbeb
SHA256

9b96df2fe3fc8fc6db5e2822d6133834f3eaf541ca1e3a91587b63f67f1f748d
SHA512

ec98922994ac5bed2c4276c292dfc871629da6ef1c2fc0f43142a7a49ea42cde98d8249ffb2d363e3224c6a90a33e9ae382b0652f895227172d86c2851830b5f

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8B10DA01-C09B-11EF-8967-F2DF7204BD4F} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400d8d5fa854db01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dbce85ed23f714ba6550769afcb8f640000000002000000000010660000000100002000000033f48382c8b65085794c792fc26ba59afd0d26880b94693565e89f2c643ec20e000000000e80000000020000200000009dfbc5f801ea087610824a455dc138365b15301d8087028afeb5799597904f9f90000000f958c1af113b49af4c4a20e5deb7016cdb3ee22b60f47b41fc3c91ea16a01874926504e7c5a5b4eab12623998e64a8166bb97d3d2cefc4bf43e4207e5f4c81dd55edd4be3342532f16baaa19136f263e62c21094ceee5cae80ac09f887f71e8632b63f31ebd0e6566a895af6d12239d210cb5f16c3685ce881d173308f0eb09b248b0da91e179fd4deb957c12ecf488440000000cf517b70b9da559ceb49019163fd144db72357a756156afdee8a286713154d267da33326b5933048f20805c88f00f1b2a1355d4dec35be8958b4e03d6c1f5343	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441057843"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dbce85ed23f714ba6550769afcb8f6400000000020000000000106600000001000020000000959474e68690fdad3f7d59015d19d7a0364cad3eda9cfa0f858a79c9e8460e9b000000000e8000000002000020000000b0940ba0c26ca159da5a6f90396ae0cca9f45bf947c403e7b3b25c9cc2c2db2d2000000009abfba38fced04b345ff4c04761cdf04cebd40d80a6af7f32b65cc3b8a16c2c400000000f78dcb7d6db83bddf20d872b1d3eaab34037115e7cddcebb95263a07739f8ebc437d3554ee4a309394600a0c9065c0992b16048dc651b37638e801433defd1b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2280	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2280	IEXPLORE.EXE
2280	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2488	1748	MSOXMLED.EXE	30
PID 1748 wrote to memory of 2488	1748	MSOXMLED.EXE	30
PID 1748 wrote to memory of 2488	1748	MSOXMLED.EXE	30
PID 1748 wrote to memory of 2488	1748	MSOXMLED.EXE	30
PID 2488 wrote to memory of 2280	2488	iexplore.exe	31
PID 2488 wrote to memory of 2280	2488	iexplore.exe	31
PID 2488 wrote to memory of 2280	2488	iexplore.exe	31
PID 2488 wrote to memory of 2280	2488	iexplore.exe	31
PID 2280 wrote to memory of 2180	2280	IEXPLORE.EXE	32
PID 2280 wrote to memory of 2180	2280	IEXPLORE.EXE	32
PID 2280 wrote to memory of 2180	2280	IEXPLORE.EXE	32
PID 2280 wrote to memory of 2180	2280	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\CapCut.app\pl.lproj\InfoPlist.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56ca4daa46962893786c4f5e3d904240

SHA1
d8500c4ad52c68081e42d34387a8b42e76de1bef

SHA256
2bc5ff22532ff30f08067de18901c8df52c9132a846577c5be6f87ed5683ca9b

SHA512
b4fa9c7c698f581cc4863d06bf1968e172f172f61d8ef01140782190eb45d9a85432ee2624b7655af2dc28e9faf6d8e15608373a978777eb1e3f795ad2a40c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f60b433c5184b9c8087d6ee4453310bf

SHA1
fd56ff90cb69c7a0be49ea806b0219a69162ea88

SHA256
5ac8425a2ff5a46a34eb737dbe99e2c3b7af4b6d784a65f50d8a59bbcafed637

SHA512
fd70bb7c5e37636ba7e54ba533e8446a814b2e3a60645bc14f15ad6ce1f95d94845932f096e4a9356c0ffc992045d7ab2e20da7a2598813284cebf442efae712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87d07444d458663fa2c40bc7919d2184

SHA1
b12e10c04a2e29104d50d86145bc7a5563656387

SHA256
d697d2fd4894ad47d82fca43ab121bb6b6698cc471d4bd95dd93ebc10c9766bf

SHA512
2a20902ffb3e3e4de25bb4c251e2ce4e46d4bb05a4f4a6de9a202b950d9aa6db621cfd4575af0e8cbb89989f57815db6f78b8c81d867e49ffe80dbebeb8eb8e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b195f8cd205a9ab5b74f00ee0003e48e

SHA1
6209aa4ddd17ca03c2c2b5ef70d6d236149d1413

SHA256
e31252d300e303ab181b7a7dc02326c4dc30caef4cc9379af63f2bc78d2891fc

SHA512
f10b9467bd5fc554f186ebf72bf86814aaf418031500345d8ee266a2d7a1409e616d774a14316ba45b2b19d09be0e051724bacdc7ba52a300dd25172d2ece20e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74c7cec97dd000ffc6b8f693dacf7154

SHA1
3e4726d54ef4b1fe007aa2691214bd7467e683de

SHA256
1e1ec0a667cbe5868f3c8b978ae8a800f2a47693663b092e04a7884bfc213055

SHA512
d8566ffe4a625fb4cae2498dbcd92eb0046c81d33018dc9e6533acc303619d7155829087d25e1ece43ac57b8a571d8fc03407630843dc2b3440a0e4a594d151f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3caf3ed603affbe504b7df7b774c60a

SHA1
606f016edd9fb652c439d965a26ce7a1278bcc54

SHA256
5562e6649c99f8cd18a2925703d04215a685d6698c11e1764436ed681e608c4f

SHA512
e41ae1ffb884fd6f8f50e9ddfa369e299b6eea0a96b9a4e528a2670bffc9f3ffe83fe4ef6d6ea979a1fa3d2563fa9f756b3abdf9a14f35caf7e02b508f099393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3984437d792e27a827bf6321b1b82c7

SHA1
b5eb9a812a4b2d07a397ed35135a34b6ee956d7f

SHA256
fce5c9fe5325316255860f1e395d70c510147eb52e00a152b6128626cbd243ed

SHA512
a7a25a8f6d623de2019260df62618bb8792deb5bbc9b0ba9b56b105e692d71f1f10649c71a72c1f563f7635249fde1cef715aa881335f9e9309dda8516f1510a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1f9a6306e99a2eaf5e8f4ae991b5493

SHA1
3432f0921fc15c9c6f812a440d35e2a2e7aa88ef

SHA256
0c72fab61b6247066a1204fb3a66e38b9cb05b8fdece8cf1d5869d1b37c3ccde

SHA512
ca714cf802e154d35cac3cec69bf3762e42f21a652ffa3dc9dcd564432092fc1258cc7f4306031fff7ed72ef43167cea34d0d7db44bd1517fe38e0ab011d8d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daf8673b14e9a4e759a6af62dee8c65a

SHA1
c9d665635a4bcd166f67c19c874e935733ba0e71

SHA256
4f8545908d9773e62bfcf27b379ad27b5e52852124ffddab65624208b1a29357

SHA512
b4f70fa99dddf786583743a066fc0aade6eef7d4a0d2c885a408447fcbecb810ab840d581c048070931f086c68a0f4266eebe49a05971c4b453e9c4ff3d01d8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6668358a9f74fef72bc88a8cd85d4d0

SHA1
7c355e852f8baabc8a978e74e43be7a2d0b50258

SHA256
e43c8b2c32019bd90c7c7a47e1bca071b25f7e58de14a888f662b16691ca9d9e

SHA512
55563eea7dd208321a0810f9040ba34b5400c6e79e78b45b735d1aed3ca7fbb8592c3dac0969c321701f51f7b6c12f062cedbb653a12070cdca3981d7798158f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93b6f7ea55d6345eae91e28eae946de7

SHA1
f09e41810b943fb229af7b2a57c1a23af0b8d6b0

SHA256
38695d39b9bd7bf1eff1ff386ddd23edc3f5f79f5bb18b2863f453f75cffec46

SHA512
562097d4b7c38e62695230441d574cd4acb874176aa3aa134207c8a8c842108a88ab219be9f47262edb8b25c5ae303e5c161779c6fb240a719de21118c1ac0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC96A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC9F9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit