8a15f942dc320c465a63dd15614dbdb659b267a29539f807c93f2ac66f5f0fe6

Analysis

max time kernel
97s
max time network
133s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_shape_2.xml
Size

4KB
MD5

6dc1e0aa43dd2a582b24b6487605fb76
SHA1

c403b4c464908b8d740d03775742fdc72a6e8327
SHA256

f6ec4c71c9e3ebfc1d23691364cc5736a12c3180ad35e55f4f9dc0fa3ce03669
SHA512

3cced4fb52552f26f35eac6eacf8fc408b6f5e251984f486e203777b0889261db83ea127a97b5e53c246456c819b23b6d6209fec1bb3a6df5f173e66de370ce2
SSDEEP

96:7OKfvMkrs4v9rTicBaUTnpI5kS0nvVfiYPl9Cb7dMM/SAWicJPjiBwlH:SoT44Vp3hrnvVqY99CR/SAWicgwN

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{44728D51-17DC-11EE-BC08-F6084FDF346F} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000d6844da2244efa36111c07fabd962267f065b843eae1255609762669702f0d87000000000e8000000002000020000000aae1be4230691fadfd5529075d6f3d13179eab1834db217a2941b64c535ca4939000000013cc7bf03ac964bf45978428e39900b7d1a0cf13f0b47ec806a9d4a437fc85521bd255940ce9b79cef48e294cbbe15444be7f277882df18bc6c676cee1ff71f173ee4d6da3244cd802c2f9b70042bd1fc7b11dda125012c2b10357fc24544327958690767dcf3895c77537b8aaab710edb005dca6192631c0d7fab8045734f2cb20cf812806623d03fb8e475c167433f40000000d0645ac27880a8b2dfef7bfe78b06f673c8027e2f009e557f9e49c3a5e3353c0f9cc0f14c715df9e00873fd2036fa2d515c68b005b50b7892dfe842a326a5c75	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000db6f701e97286f7137d01e7a7332f00598257c70a165907749eae88e260f2564000000000e800000000200002000000081b5dd373690f37359a4c9f1e84ec7ce02837f09c36d2f117e1e16d8208f0d5e2000000097ad0fe15e9d7da009e8dd5ddffb665cd42bd2c217bcf91480d6eb64fde278dc40000000176b608588d2f635f9ed7a9d22035ff348803ae358ac785913e13d345a707bfe2684e8379056cf1275702063865bf3dfc71d712bb34b1b35eab93d884e04d4bd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394959505"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b07e001ae9abd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
580	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
580	IEXPLORE.EXE
580	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 2040 wrote to memory of 564	2040	MSOXMLED.EXE	27
PID 2040 wrote to memory of 564	2040	MSOXMLED.EXE	27
PID 2040 wrote to memory of 564	2040	MSOXMLED.EXE	27
PID 2040 wrote to memory of 564	2040	MSOXMLED.EXE	27
PID 564 wrote to memory of 580	564	iexplore.exe	28
PID 564 wrote to memory of 580	564	iexplore.exe	28
PID 564 wrote to memory of 580	564	iexplore.exe	28
PID 564 wrote to memory of 580	564	iexplore.exe	28
PID 580 wrote to memory of 1764	580	IEXPLORE.EXE	29
PID 580 wrote to memory of 1764	580	IEXPLORE.EXE	29
PID 580 wrote to memory of 1764	580	IEXPLORE.EXE	29
PID 580 wrote to memory of 1764	580	IEXPLORE.EXE	29

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_shape_2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:580 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8e5bf3e8b3761e2064acce280ee745f

SHA1
d4172997510c4138617464341312392f9405beb7

SHA256
4f4e5a67d18ec29dd45cb34c797904ff2447e4bfbf2995167e6b9f7d9dd0691b

SHA512
101dcbf01e3c31d73d9af18a6ab71e2f89bd85aeeebaa9e5154cc1f7007e25e5b1ce069bb4634e8459196917d5edfdee5dba5a43de5ba9300b80027f10e43fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b355a5f1d392cf74be5f8b4d2ec1ff48

SHA1
7a25edb106d8d4f668fb0de7162b6c2ca488715b

SHA256
64fbd4712c4525011812bf468857cf607494104c2868c04a073a70a3e80f02b1

SHA512
26ff345fa84f97c112092c416dbea483e95c6854f2551d3002a77db1b505903e6e9c332125082c949a481bcd71abfa6617e3b4be0d7262c0f9b25eed8595bcde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69f88f5f8d8ba6192bb1a3b7bcca158a

SHA1
29c659272e998bfbd9381de17593886b1eefe82b

SHA256
72cbcd4bd36282c235914a1e6e66c8e87131641cb1908537c7f9f8b16e56cdca

SHA512
f142f7ed473792430958b56ce7da63e15e5f43f673b3141bdfd17691ba0c75df558a31fdbc923dd2f647af7599a34120a5ef9f6b6d421c5bf51c1a672ee9712e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0903f4168b6b91f3a870d8fd926f08aa

SHA1
fd5f255e2656672de83397e8e283418b21d1b1e1

SHA256
b1ac50ee49edd935e4f410d8240fc8d1f98f16b76201323a59b5be4c287045d3

SHA512
716f5380df6c25db30a2bcb4cdf8a096ab6aa08735ac786b39143908be0f8f5bd4c2d9998a30d2008a901aada0d216b6fe8a6470dc8ab1ee41db7f85a671e181

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de3a7b2e5c8d43b953108694c4635dd6

SHA1
57faca640ac0010d1a2e8378a953924ad2a012a5

SHA256
46e87b081f39620f436ae968ac3273fd7e3c859338980817cdd426a50aea1837

SHA512
ad3351cec2428dffede2751416e33a13626a95d1fc54fcf5373fee0073e252feccaaad1045569e864703f9d6677ed50fd8d7cad2230e85db27eb9f1c20a3a2ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e669d28b9a252db199e7e579d2bff8a

SHA1
525ceda068df4fd79532b0a2def2718d35389a7e

SHA256
fe4000b6a1dd66cd8f342f45d62fbcdbf65ebb35b8e4946428315550861d696c

SHA512
f8cdfd9a6cfa6a93184cf5e31f096b3f6b269163dba7faab8600da54e5a28b58b2bf0c151430787b45b860369409cd0acfea464bf6de701d51c1bfb5cdf2a4e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33605ec86f42ba449c185ea5c5db55b0

SHA1
3ff10bc0a10492540c4033759fa42cbd38422547

SHA256
b3fcccfcb63d45daf386c16e5ba6ebffb6c7524b760560b170d461ca30b7b88c

SHA512
8097514b963f6b9d9b2bd778df48d9a3e18226e219c7553785f633cca17a0fe862dbb754c0380587989edfdc0e5f77f6a35afb59faa2aab928173db3990c6ad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a478289a7f214662fe69b3d95f8c9af

SHA1
6e48ff1c764aefd599db8af43b26ae94915a69c7

SHA256
da9490fe1f3f65ac988edd8ffdcc05056e6bc5cbbc92954740ba9d2b902e4a2d

SHA512
16240078772ac9b84214cf56bdb57533cfff16c708ebc0f57c30bc75123f8263d621d4ccab30374ce4adabf8b5a197ee053a17ff6d5084bc747c31bb753f1efa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f857dfc851315da2531796dc4aaa205

SHA1
7f081a67d8eeae2edbdf740774f284093da53dce

SHA256
af00bbbc4a0b0b966cbc919076fdea0ee2858df69ca11f3de276d8aa1b079c46

SHA512
6d2ebdd94118e2102e3417d81d8365b024d745ebea6701648d32909855e6f649fa8f55b38bd2e8c1ebf0caa7899e65e4397092ab6bfc7393de40c81f23b061ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQLKSAYN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5E0B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6050.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RB91J0SX.txt

Filesize
603B

MD5
1d6e6243e15560295865a94f28ff7cd2

SHA1
dc4826ec279bd3b69af35d7f9aadc44ed25ee5de

SHA256
acc15962e6c97a67a61bec4e433bcc0aaa11d254ffc03d12647f62994b3fb8dc

SHA512
2a2c535bec912a6e180fa9415e72ae0f0cb74b059301ebaf5d78a9548c826905c2622f818a37f314e0433f6afb2d4540e30efc7c1a6722a6fed1ff7b9732703b

Download Submit