58feca1b4b8c19b000d7911e2586659d65d8add75d96c3611530afc3cf11f841

Analysis

max time kernel
137s
max time network
144s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_11_shadow.xml
Size

2KB
MD5

a43eaf2037b2a882b41912e5bf68e3f4
SHA1

b1b73e482269c1c5370f7a6e4ab5a3b47d2c6373
SHA256

354cbc8433a0fb42c500fa7039f4c7254db20eb9f589f8866846f142c45d94c2
SHA512

5aa4640b5cc83376ae6f61c80bfe6e1aedd2e6eec2337f9478f4a5544cba6b1a09fd46cb4c93a8313d4843a7c42b498f610bf51ca90d476819088e8fd52b2c69

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ddbc2eb40027547a7b75ae262b677ea00000000020000000000106600000001000020000000ec99a5ef5659b943865171122c0aeca313f925d489910d0017192e84b63f697b000000000e8000000002000020000000c9dd08481d15b50aca95fb1cbf0685fb71a6b3a0108aba48d680c89598d21ce720000000f21147a93b367cbb6d091f71aa7b1ec41f9c98cc8c4f3fed9e76637e77fb8f2e40000000120a2ca965e39941c56281f2edc25020267843ecd920859578bb154b470642b11513d57d10a36d0eeef6b5e5c738c0c36c533704e14487556a404b1a9ca1700f	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10cd1ba419aad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394760461"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ddbc2eb40027547a7b75ae262b677ea0000000002000000000010660000000100002000000035797f4512ed31e47efb83f4db08be28d9fc4b8180fbd420b7fd0ce52ee171af000000000e80000000020000200000003d51dff05579cae9c6d33ddfde3e5c1c73784c411e3147ef607646b9c7bfa87f90000000564eadbdccf85a2dbfadb4b985f916055d03c735b8c31df3bdd16c3cfff7ba2390207b2d5ae373d33518700269b6fd4184a6d7ba6d8e8cd5e5b04a01671ba3ed2f89284a1b870167d268416243763b9b1167b9e7a9af849b451e44cd7ce92829bf6b2617b16b026d09e0b85596eff81efca4d4d348e5c7234bafa51f781ded28bcde9785b1e16c67cfaeca34e00d028c400000001dc70a9569ae51c0e50cc9c945f05b7a8883c5486a8fdd5585fe9ab85c0afa15df9404038a61882f14b676ae265cdff53044cb4eb7becc647dacae6c726d3539	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEAF0FB1-160C-11EE-BFF5-C6B9AD923FE3} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1820 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1820 IEXPLORE.EXE
1820 IEXPLORE.EXE
336 IEXPLORE.EXE
336 IEXPLORE.EXE
336 IEXPLORE.EXE
336 IEXPLORE.EXE

pid	process
1820	IEXPLORE.EXE

pid	process
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1988 wrote to memory of 1812	1988	MSOXMLED.EXE	iexplore.exe
PID 1988 wrote to memory of 1812	1988	MSOXMLED.EXE	iexplore.exe
PID 1988 wrote to memory of 1812	1988	MSOXMLED.EXE	iexplore.exe
PID 1988 wrote to memory of 1812	1988	MSOXMLED.EXE	iexplore.exe
PID 1812 wrote to memory of 1820	1812	iexplore.exe	IEXPLORE.EXE
PID 1812 wrote to memory of 1820	1812	iexplore.exe	IEXPLORE.EXE
PID 1812 wrote to memory of 1820	1812	iexplore.exe	IEXPLORE.EXE
PID 1812 wrote to memory of 1820	1812	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 336	1820	IEXPLORE.EXE	IEXPLORE.EXE
PID 1820 wrote to memory of 336	1820	IEXPLORE.EXE	IEXPLORE.EXE
PID 1820 wrote to memory of 336	1820	IEXPLORE.EXE	IEXPLORE.EXE
PID 1820 wrote to memory of 336	1820	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_11_shadow.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
29f97319ef9af311c6283f0609f7a598

SHA1
66ca7d60959d3e4dc7a614ae778c5299589877b6

SHA256
5627660ec53d0925ceeb4693daa7d75fad4da6efe8f441a5ad1cdbfc801c336a

SHA512
795d1186ae92d41932de4bae2c58010a2bd2834c4a0ee7d278b112290a25ce9cce3408ac39d2dd20dea79737549b07e6de8fbd191316785f265488bc002b489f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c4420ad9676705697375a152a903b52f

SHA1
9a3a43097b1c56856998221265f50eb2de6d7d98

SHA256
35d90b79ef38529b5375c484f06c546f0d54d3e02f8fa7f03e8a8a069bbccce5

SHA512
d239ce1fcf31b81f705f20ed4ae0a056916ad8e7278cb6c668788ade4eb7efcbedc3a9268de9d14abae67cf0d0a6555a5103bd9411dc338748b46d51e09bd5b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8e300a393f8de775f71a34ec99f29106

SHA1
6893036b8b5a160a0709d1b5f3a5c0c1c31efc8e

SHA256
483121e68f569991fa6b722a3135a8b89e2f6fb232444e728c91330893ec02d4

SHA512
4626abff43ffd795352f9f2bdd414424abe86b24d5d3b01ea3a3f266ef3f7f454f2baf4950ecf4424cd3010bc767e3d15904ae0c4ba29f051bc674d9888b23c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
acf5f5d668bd51f5992fe0c69d10d814

SHA1
24ffd183e7651a3aae924997b09af15b37df12ba

SHA256
f938ad07c887a84bc45ac8f08efdf57d738788e3acd78627cc65543461271edc

SHA512
098bff0dd853745274e71d56e2aa9e7c10a96300ee8e0716154725995198c7c2fb2d505b3ff19466e28ccc3d0c825da16cfd69952c758e516176c199ec22fa40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3dcd4c6213953be7c70135b7b240c540

SHA1
de533684f9c6b7a015b3cef55f74de8339875bc6

SHA256
e2d8abf0d219fbf5cfe113d48091af8e2b00f5ec3aa577d25a775be0ebe9d3ba

SHA512
eaae23df7f41acf656b2257aa542671298cfd96371648791d6543216d06622a4c88bff8d5416c5dc3ccdf148681366dff236a144979dced979ce3cac5ddb5e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b209ec98a9e983e2200ea74388253654

SHA1
26a9d163d3da264786c05acd12fa27f3951385f0

SHA256
1d978002090dd1c6196ad578a3a14ad8f8161d39ad0e27f591df143cddc49f5d

SHA512
dd5f937156a0651db1590effe5e918dd5726d37d87021b318de3e0271f7efbd0e53430698343badec4b1ebbbf212ac21bc0e615dab3fb286446ad91e934d14b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
569a2007117eb1cd5bad5e5c4c7528dd

SHA1
87cea19207e4df396219e5f3315502d03fb71b41

SHA256
70a5bb0b33c1e2e7db15e4b9af0a3f2df7a645cceefa0d40fb04b6e48ccbcca5

SHA512
e0586cbf223132e7113f9bd615abf8e0036e4ced411ea7ae3d808c91456abac27948641650486ea4cdfe5617ee57c3a41d19d33c6515e1ffab2543b1aaff7803

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
88d6b5e71a0adb4982863405293e9941

SHA1
39c31ed41da5e058d0934dd42e396c94e89b3ae0

SHA256
2ee366b76fb3263fa912de154f6d9b345b4ac973b8ae0e834ab04207b1530421

SHA512
60713ed942a776b6877f99312b4fbeb1db86efb014022272b672570fc891b041af1a30204257470da971e5422df310d2c5e99fc8435286310ae96902c9ffda82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b7c5d3cd2e3babb0356b9b301c23ccb7

SHA1
2c3a4b55b7a7f1acf3e56210f1fc4c3c05fbce2e

SHA256
61793a30d06b4f748b34494a23ebf69aa2c20232a41bc7e79272c63654e45734

SHA512
10c31e9b02621e0af6ba231472d795c48fcca1f69cba506e19eab102b2d1cabfda7155447765a12c03d1dc15c1e03ac9fc1c0cef720fa1ce726d86da6e0ca496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPQI3YTS\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41D4.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4295.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SID3TGAT.txt
Filesize
606B

MD5
6ab0278a14def5ce4ad689332d19de98

SHA1
494ad12e0e361ba256b152d6d381769f1b182b7e

SHA256
73136c14411e2edc17990ce0585b5cff6684a955d742cc608b61ab98d117f4e6

SHA512
2a1b0fbb5cb47c52f7e138235bc7ae7347aafd9464b950ac969bafd04cf22f4cb6da1f33881662512b8334901cb7f4e81ab5c0fdd6a28a03124742f2e52041cb

Download Submit