229dff2f805ee436aa067b023ee4dd9155bfd8914b575c80042193db59d3e07d

Analysis

max time kernel
100s
max time network
138s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_shape_1.xml
Size

2KB
MD5

e846bf277dbfd6e9495cf7fdd1f29db8
SHA1

ef5d091c0d88c90ff6eee4d22aea1b41f14f01ae
SHA256

7e200f1aa007bf6457e3929b72a6a41f0e324641c8625ae4048d137b14427be0
SHA512

3ede672162f3b7e0805610ba501cd9d411d803ccfae8a101e4406032f9046c40f2767972445a79a33aaa6c530753ce07e21ce50bf45f86f5d84c061507c444af

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2813EB91-1A75-11EE-9CAB-5E12BD6EB171} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395245073"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303e1afd81aed901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9b4fd3e4f8f414fae099af533ea5f400000000002000000000010660000000100002000000088d4bbfb2eb3bc2f8f07ea466b0dbd952f867368352497ac51ae4e44637dc3f0000000000e800000000200002000000041b607bbf2be729e518ddb859f85e55e8807f5a084dd78e68ecb770982a95560900000003c5ab4609d5922227d2abb503c3b4a039d50df25de8c7bbef80cee515a4364aae5fdfd4c084e14e450ff1774e1118e4e1b2462212480883f950ecf980f036095a4a5749c161ee738e7ce7165fcf199bc4e0d54223389a3e2af599e92e6ba9486fb198e19ab02ea59e121a201a28ca0eb1323d9c2fad45371fcd6c7fb107e1ee223ccfac9f3f509703a13631478c720a4400000003be99d164620b767d50608549e61750d9a5f1a0f4d6a1b2e4bb6fcd9b899f78059b78c98bb69a72c943e2f6b6e62d6014718cdc0c46ac4c54eff2d3a992d59d5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9b4fd3e4f8f414fae099af533ea5f4000000000020000000000106600000001000020000000989fca3b5219531da5cf747faac586263bd591cd7cdfc5c1577e657b228550ed000000000e80000000020000200000000c01f3e4a67a0563db542206084792ea162371c2ad8fb531a9208ad96fb7d4f320000000c456f38ad174081cdc90787d566060d731ba75ef0abf6ab44873a4bc532ede484000000060e8b9c1dcc1a2af122af90d99176f852f73c579b8f154aec14ceecd21a7698b61e13d7b1ccf8530aa6a78d8e8660c40a03e1f17a1652cbd3e97eb6fb4242c52	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1008	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3064	2408	MSOXMLED.EXE	29
PID 2408 wrote to memory of 3064	2408	MSOXMLED.EXE	29
PID 2408 wrote to memory of 3064	2408	MSOXMLED.EXE	29
PID 2408 wrote to memory of 3064	2408	MSOXMLED.EXE	29
PID 3064 wrote to memory of 1008	3064	iexplore.exe	30
PID 3064 wrote to memory of 1008	3064	iexplore.exe	30
PID 3064 wrote to memory of 1008	3064	iexplore.exe	30
PID 3064 wrote to memory of 1008	3064	iexplore.exe	30
PID 1008 wrote to memory of 1668	1008	IEXPLORE.EXE	31
PID 1008 wrote to memory of 1668	1008	IEXPLORE.EXE	31
PID 1008 wrote to memory of 1668	1008	IEXPLORE.EXE	31
PID 1008 wrote to memory of 1668	1008	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_shape_1.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b2bf32cfe3b001f79c09b3739769af28

SHA1
74e0895cc31cc01a25f021e136b4000f5df08fb8

SHA256
042e607bc85772526560392f276beec8ad7659a41b020dab9bd1141e5b543bda

SHA512
0a2c11a077b67fcd0abd660120bcba6b20e83bc8455d75377a6adbfdffa06540cbed1f2ab77e59162fcb1bbb05147710144261aa7bd3d81c286f2ed609a922d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
830a5ac53e03ef7f8b5351cfd4e3c835

SHA1
50e8926a303deee7fdc4fb0e97ecd563c1c2d3ea

SHA256
3f3fc8216b67377651f0a27a3d7b7dd83c563998ade02890bb0d7c4d05392b17

SHA512
93bef9a0d4f845e0601a6d3c60e6c751f03d2d001422c3ded24be4fb0373839ce49450b4725af8a4882e44b34e89f112423c8944de17be7650833c4129aa98c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
830a5ac53e03ef7f8b5351cfd4e3c835

SHA1
50e8926a303deee7fdc4fb0e97ecd563c1c2d3ea

SHA256
3f3fc8216b67377651f0a27a3d7b7dd83c563998ade02890bb0d7c4d05392b17

SHA512
93bef9a0d4f845e0601a6d3c60e6c751f03d2d001422c3ded24be4fb0373839ce49450b4725af8a4882e44b34e89f112423c8944de17be7650833c4129aa98c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
554bae1b9caad8ef3d5e0a3966f69773

SHA1
3a9b948c554e9c2eb2a26cbea56ff797826aa4d2

SHA256
da580b9e45ce8e2bca55cf09a934ef570dc0059881a790c1a6e0f5d2757fcb21

SHA512
7b3ffa8d230468d751365121e06b1c2467fb87775d7f602a92477ba1eb43d8c59dcf3f39abdeb4e97dda4f04b95d0a88a6a117ceebc19162f9a4dfd5fba9d597

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81a161a62a76822d7c7c5f92271721b6

SHA1
ad09de5719678538524cda7a638806ed6413897f

SHA256
1a8da0c15e904992c78fa9832d287091fcc4c1d5eb9e9a351dc2aea994da1992

SHA512
bcce61abe1502cdb9a1ef915168cbe579e2c3becdd974017d2545eb68e46e2c5b3a05ed9ea615d36fb63ad69456efc5d3fc94ba99bf56c21089e440ad9d90237

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8395e4e323015fbbece59522ac41d2a2

SHA1
7a0005d13d72c66eae40202968e6881d2ec9a321

SHA256
e3c9a6983633cb07a3490132dbb04495e6fbf879b740f021468c45fe89fed184

SHA512
49d0e04d7779af3f9ab32fa634c687d9afc4df450b26e5a92823935e2cc3703791095aef6e32ad7b4cdaf0b9bf97fd284a009af31a79efb04eeaf627df22dec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65d297b295200fc9691c5ec87b3a0d14

SHA1
b01b3b23da24ca6c476b3b33e4fd32a3ff7628ae

SHA256
6646c81b70abe7cdbd8fa3b3eac6df716138b4b49a2cf903d951552fc716b4fb

SHA512
7c936b471b8acbf6b379a0ea75dd51da166df0faa6e3f2709ae08a74469373415b79b384513d323c939627ff2ce6173cd130bba5a8894e2e02ae6ae20f0a9e8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bfc6053c80176c7567b6468eabda7ed

SHA1
438fa3f406ccaa3f3c66b33907bdba28617bc501

SHA256
e06a27c7b35070b6c301c78127c5d362ec77c226471173a7c39490883d49eae7

SHA512
74204343964d2c4ba2c145f947158ac1596411b0c7b5f21434024ca3f1ef7c682325a2f1a92bfdd2d296b31446a684a1f1a8b58e90c5ec1c5a042655f96b9adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
233165e6defa92103f4565314392633c

SHA1
2be4db150e4bdc85786ba5dad454e00ec93abd0c

SHA256
0a0f8c1d68b3521b691fcd7d8d65982c357d6236a6e5cf8f76e42b08d31996fa

SHA512
63cf9b11ad843ded1661a72c4f558d7bb636873c9528fb0e8863ecca46ce19f1135fb983e49226cb7e367a57f95e031fb9a90662b90a1d4e14f1e512a9805a3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c27ad98ea901af52b23c6b843642baa

SHA1
68ab333af124b4062797e1ee22a38b14d0575ff5

SHA256
2dd32c3cd98cf50eb9d05c01e4eb66539b3bd8316c2eaeef229b496782982cd3

SHA512
59156783da239f0f78b2ac723475f4673b8dd4bb1b4780131cf131cad87653b3a9863b0b49943eb16ce1efbc260158afd94915b34cb198c1c62a3b626482ee6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM3TD3CI\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab403F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar40BF.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PFYIZMWM.txt

Filesize
603B

MD5
99481522d3caffb2f529c83dc3e38c16

SHA1
9afde1a33e84691ec3734ac426e3872ed2157287

SHA256
e07970d65f150fb0f70442f38bdab11f3335b3262ae4ad578479127450a18565

SHA512
6bbb82c204b9ffd7e4b5fe0c6aa1805de3ae140d14133d4a04ce448aee0c4cb9896642419d1c3712c3f9b54bc9822cfab2e9d71696d929a6193123005368db63

Download Submit