8a15f942dc320c465a63dd15614dbdb659b267a29539f807c93f2ac66f5f0fe6

Analysis

max time kernel
135s
max time network
137s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_11_shadow.xml
Size

2KB
MD5

a43eaf2037b2a882b41912e5bf68e3f4
SHA1

b1b73e482269c1c5370f7a6e4ab5a3b47d2c6373
SHA256

354cbc8433a0fb42c500fa7039f4c7254db20eb9f589f8866846f142c45d94c2
SHA512

5aa4640b5cc83376ae6f61c80bfe6e1aedd2e6eec2337f9478f4a5544cba6b1a09fd46cb4c93a8313d4843a7c42b498f610bf51ca90d476819088e8fd52b2c69

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a480000000002000000000010660000000100002000000024a641dabe7fbda18133d6e6b443095059d8465f7d240be7d2689562500a2d44000000000e8000000002000020000000adf17a0d0a82256eb2d7773bd5c24571cc99bec2f47622b022b573486d9b10c82000000098ee07a833828d5d16596051e0b48ab5e309e223895baef1dd64eb5101f462fa40000000ed369c92ee9d158fc960d720324126f0f43bc3215344a5389552aacd5bb69430401a8727b4ccc9dcf65a46e62e9c892160246e6afbcdbe4ec9b567b1736563d5	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a48000000000200000000001066000000010000200000003fb36fe14aeacfc010bcb606897e359b5f30c3e8aa428ed2971bee71f4e05537000000000e80000000020000200000007d56ec4fab6d48bc9e8298067c598b8542ba4b9dcc016d0b1e7280e222d98a2b9000000098e5e67db65b13642e86eb2ba6cf4869fdfb57b468f105bc93e8e695bede15890776ca074e8cbaf0fbdc970f8b05ceadcd2d13c02d260510fddb15a1306807bb0298076dcd8e67c5cedec3da360ad6a49ce71bb393757b98f8cf2dd4f5ad565c9d5f930faac45731acad236143248ae82a973151e432bebb5b0c5b11a882df51f9ac384579e58b5854a21278138a7a3540000000c73c1cca77fda591f97c70f180ec1e24cca17b574bf654b47ffc17244bc0a86aab4e19fdce37185db680c1394abc7435e436c1f0176c9d5ca4ced0c6034eadad	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400dc8a7bbabd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394939986"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D1FE9981-17AE-11EE-A9F2-DA01AA0573FA} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
1364	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
1364	IEXPLORE.EXE
1364	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 1216 wrote to memory of 1064	1216	MSOXMLED.EXE	28
PID 1216 wrote to memory of 1064	1216	MSOXMLED.EXE	28
PID 1216 wrote to memory of 1064	1216	MSOXMLED.EXE	28
PID 1216 wrote to memory of 1064	1216	MSOXMLED.EXE	28
PID 1064 wrote to memory of 1364	1064	iexplore.exe	29
PID 1064 wrote to memory of 1364	1064	iexplore.exe	29
PID 1064 wrote to memory of 1364	1064	iexplore.exe	29
PID 1064 wrote to memory of 1364	1064	iexplore.exe	29
PID 1364 wrote to memory of 1744	1364	IEXPLORE.EXE	30
PID 1364 wrote to memory of 1744	1364	IEXPLORE.EXE	30
PID 1364 wrote to memory of 1744	1364	IEXPLORE.EXE	30
PID 1364 wrote to memory of 1744	1364	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_11_shadow.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8c152f3b49b6258539e4e9c5326b51a

SHA1
bb70cd6b060e561571f0a09c831c79f4d7cd6201

SHA256
1792b7ba4558b44a149652bea4b1e29972a404f7c04779ff5c1d6d6d7d35955f

SHA512
70b450b5d30a0d44d5e6c126b05b876aa9fc40156ce2dfe8d0ee7944d923716230ef03ead5d31f5a43c4fa5f93989060ea8a1ecdbb1ea76b44a2142af303db91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed18cbc77daca2ed0434beec22acd465

SHA1
c7690bad178f1d533db37a76638a46eda5ebd14a

SHA256
7db0fdcdb4b46b50bb520fb7402b0897f17530a299dd4a0c5c6ee013ea451ca6

SHA512
3bbabf598c5682b632a8783419ddec9d5bed9ede77590dcc56da1e238417ca232d01a155241896c9f5a78a648e5125e93c54c8907ce7dd148cdce3864e13342a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96d3a14f08a07d6a4b8673fd28b521dd

SHA1
7562d4073cd41bb879662da73a45d56243b50b33

SHA256
be3ca4ae5c3cea7aba9c78f96cd972268d615b6deb8ef288043c462730c3a71b

SHA512
cf36ea0cef93a664ddc7ca78ec62b0b1ff679c80ca8a1ea76c776daf8eec2ebaeebe237cbe6be6c0f12f60cc1294093136bcc05b7ad669270ded4f2f3399f786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afcd9df76e8ec8e032e88d8b2f27a1da

SHA1
254ec4370c68ef90beece3cb29f1c405fcd40434

SHA256
058c2f632d057c95c35c975b19a6ef87718697d204dc57c9e8cee01d0291036e

SHA512
9a04a35cf52e6b51559bb5ebd665d890ccc07888df3b6456be11dca0b0860d3080a190a0e20c0eb767676d26d3f42aeefe28f973b1b29f7d45343f7ba62fb68c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f4c57c51c99e8f1786aaa74993361bc

SHA1
7961b6970041b3bc3e77c4b0173b9c6f74b1ba87

SHA256
45794aca78e37188073e54288cbbb471e44a4f6c634015f1fefb819074e30220

SHA512
4cc0d640078ca9595f177480277391ff217c06e74212bf53aaa32027b15fb059656795bc7329c656fda2007de41f9b6c77e5625674fbab004171c503508b5da2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1950f4fb4cafb8b33cb5c9fccbaef6a

SHA1
ef1e35aabecd91abc719303c2f65d02804cee95e

SHA256
0035280f07a26596dffa9552236919d93b527f2502b1f5fc007d73c3884d0d72

SHA512
1a57ff699bf76fc9d838e2f02493bcb1547d923104fb695dbc8a5f5763b21b62a10c3198b3afde9105ab2781174872c6034a4bccfa68af2dc191f9384084daa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e67112912800b360510ff4538aecbcf

SHA1
b0c71e67a249d13f37d39a11a8d5eda5b2c3429b

SHA256
c294d59c4917a32f5038470e4f35783c16c064b933da805ca3d2da7595fa0c97

SHA512
8592cd0dd1f51c28de02a3c08e11ab7a7cfaef4991510ce9d155b411d67e9f48ef4caa0397e1ca1dc867b7c02ad58244315b8db015602a726d524fbcdf6432d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e75118541a211cefd48e4d5144ac3391

SHA1
5a9c7af61b2e1acab0f639b2b8f994f1abb67435

SHA256
c808e1ba5beeea7f5f314d56ef065b08747a49985fa933f2ab9e1357b78fa8d0

SHA512
f024a07f3708895d4cf79aaddfd9e6a60e9d8d914def9535d21ca0d5490b02908a9146901043d3b9fdfaf872fa897fc736c94ad13a6389cf46bc41b9375c9697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQLKSAYN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab85A8.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8618.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2M9AW95O.txt

Filesize
608B

MD5
9653179fa482ff7a256687b41e3b0139

SHA1
7a113353bab5bbd0dc86c177d4788ade90c53f72

SHA256
0b173769444a90aaf0bf2b38dca14c2ece4e354cf08b64f5b75686a492d336d5

SHA512
9d3eff1a74484b7e0326b23fd6568909199b38df864b6c270c94fda5e1c472125ee58ebe53da45bdd3ace07cece8fb09e2eb4bdf11d777f109fca8838c1a722b

Download Submit