229dff2f805ee436aa067b023ee4dd9155bfd8914b575c80042193db59d3e07d

Analysis

max time kernel
97s
max time network
136s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_shape_2.xml
Size

5KB
MD5

5be33710189bdadaf68a265f7732cdf9
SHA1

c7395a7bb3600eaf7ccb7e9373352a52ea3fd179
SHA256

265db1c83f274778c845a4e1418413c750c12e4c7e3a426cca24d9d56dd37763
SHA512

61dbee48445a912b541502f76d24bf0fb29c2802ae8ccaac04cc3f0f723a56112fcc43872c1163283cfbd3c296790a8cbe60b6cb94e8d3e7d2001f0e6da8e5a6
SSDEEP

96:CXQSfCMfrfBR8rTxcBJUTOp7LX020fmZGlW7r2fj1dSAW7xJPjL9wOy:WQATLBQ+UOk20uZOW7gdSAW7xTwZ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107af1ff81aed901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A801931-1A75-11EE-8756-FE04B564CAD6} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395245077"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ab35dbc53fd45498f88cda789e11c5000000000020000000000106600000001000020000000d5d1024ebf39cf4798925547330841b010f63f8003ba08878a2b3d5c88e1fa6e000000000e80000000020000200000006b7a6c7c6387fcdc225c5ed0b2e835a68d64ebdb1384b6387513ae93a58210a020000000815ed430896371854bd110abcbcdbf5f3c9389e3dcbcdf939b74c4e0c9bffbeb400000004808a55a4a42e7c1f1ce03361ccbcc72907cba418c2faad094f53e1e9c9bcf6c0dbfff58e7e2f8beede48a5e5d4a21c0152f07c49f2dc690a24a3bf28427efa3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ab35dbc53fd45498f88cda789e11c50000000000200000000001066000000010000200000006d0833469536e65e9f0b7cb8c0f1fce281042ad75c7e75c1ce79c1db7bff5e53000000000e8000000002000020000000efc659eb9c08fdf05d6a2513b32f9e743f72944b8f622ecb94157d561d136e6290000000f608c285b649c28aaafcae1019d6c3ca75f3864245c189da78ef475e01de5e6421129e082bba9ed4d3bf97b5fe87bf778c9d2ba653d2f26de9f2f3ec1f972c9e1ae54dd0bda41a5feccd3a3c79b00085abcd237ded358e42f324bb64beaba085f6a973d6689fcbeb48c97688cd10ce86b1106ae3eed5c57eb7b67cfa175a7201f9588cb9253b1b97658a6b327d221e9c40000000a0285af13f44e31aef143c442636895c4a44f9aadbf82594a6c389e45c6ea6b48ec3c156d2519c2f6921d52ba54ae049985ac7b2238c6d2eea9fdfed4c86a1c4	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3036	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2832	2960	MSOXMLED.EXE	28
PID 2960 wrote to memory of 2832	2960	MSOXMLED.EXE	28
PID 2960 wrote to memory of 2832	2960	MSOXMLED.EXE	28
PID 2960 wrote to memory of 2832	2960	MSOXMLED.EXE	28
PID 2832 wrote to memory of 3036	2832	iexplore.exe	29
PID 2832 wrote to memory of 3036	2832	iexplore.exe	29
PID 2832 wrote to memory of 3036	2832	iexplore.exe	29
PID 2832 wrote to memory of 3036	2832	iexplore.exe	29
PID 3036 wrote to memory of 1864	3036	IEXPLORE.EXE	30
PID 3036 wrote to memory of 1864	3036	IEXPLORE.EXE	30
PID 3036 wrote to memory of 1864	3036	IEXPLORE.EXE	30
PID 3036 wrote to memory of 1864	3036	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_shape_2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a636e574db739bd003b656d8ac0f2354

SHA1
2390dbfff0b484dd8fcda6ae6df077402b896555

SHA256
743c2ac42164f1001c0e65d05ababbbfb33a152c641e296e549321e35043b2ee

SHA512
3c4573ee050f5fe725ab63eb45b98473c48d0ac927dbf8d08dae1bf5525547a63031cedde3f0ac4576a124a5718fdc7ef3ac6487242a81d62f101e2144f4052b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e589c80cfcd89ca744502f2cd2519013

SHA1
cff6773e2b958fbd77d36820322bc1248a93d82c

SHA256
ced662cac0328145e23aa1465a809021d04de67a58c3f84f2dc3902e98daab66

SHA512
175c323c1ed32097658af321994aa82eb32c8fa3cb4b1411c75f36f122b6fcf7b512784fdd6ea11cb3a06e1879174f3c4a08a404a50aeccfe79d67f01a9e403a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c11a53419962a7c7c59b27b04e69def9

SHA1
f7e946b9d9e247eb9154453924683d02d5177bcb

SHA256
6e6acda337da939d5bab18746928e950c5faa818025e2de8e76884beb1594f92

SHA512
bff220d72fb2e5b3eff0e88f53fe73fe42b06c6bba2a86d280f9c3b3112d1ee5121d5afe5f42b742ede20c332c33c1dffd66e9ea07d56807dbe1522cb2087497

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79e502256888326008894454220a1323

SHA1
1b30e6b10819f967032a9bddd4d8a048faedb38b

SHA256
d5801c5e137d3259ba46df238d0106b9f8bdc9ebf0da73e40e0bf5c62713e272

SHA512
c52cc1d0eed09becaa469d88872f169b585a089389ff435adbb92652a1c6dae7d59e4c7156e076a5c89f08d98dadcc142333a46e668f59c04c968f840619e819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8dc56bcb910e20cc755b4874cf5f85c

SHA1
533364fce929c4e0bb3a12d2732912314f8fae3c

SHA256
4f56d90661f549d404107995d5a55b9a700b3e53ac85997fc3c772f357e51250

SHA512
5acd7ef2a7d7cb27e316579f5e3d6516b7b1f8e999b469ef7ea2ef0363ae8f8df4401a36cff8e5b4c6313ce08292f9e887cca3a1c7acacc3be52e0d90d85114a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44c6b35d6bdb5c7b50cca07f08bd96fc

SHA1
4eb5b6e956a43f96fe1ce7a052cba716d4776c49

SHA256
2c1dfc62e0835f4dce2e48304e8202f6aa157961399af114bd9a44d4e9612dc2

SHA512
96c54d69e11d8d05a21334f124b109d870a2f7048818aa331049d7e82a0a63500e0d95898436b85d03f8bfba6aa84098adff3885b42a46d1e5b6facad1b30ad3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d16e65814f124c31a1228bf90fa30034

SHA1
2d102d2801ba6454019ff1a5dbd3fc4b19b01031

SHA256
3668731a2fe3633449937d2042e35ef1a23c3d551480598724824211cdd0349f

SHA512
24ed3ead3d3635abdf7c6a6b7a659b4a72a5c404841dec2e3c04bd2a688f00697e461b462316eb282b3b9aee3583390f285e6e56da5cec63195b52e130a5fbca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f49cc798d06ef34a940ce13672566a1e

SHA1
be13ffaca6f57c6f3f2cc32c2cfae98aecbb37e7

SHA256
55f48a9cbe9b5f2dde36b55d15d2f17701923563ddbb1f43e01e543de2483d39

SHA512
0dcc9837247d2d959859e288b5ed5dddc0009e67c3481fdb122458ca65ecd827a04a2be1885c698590ed3b8ecf55c7b75afd1afeda2efd2160899285c6e862f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8c7d42fe96795d2921a59f082bd3546

SHA1
345da2e0da90f37f216c6cfb6059ae8ea48e43c9

SHA256
193a5bca43ecbcafa22fe3f767d579561594a1c4417640c59776da983a5bcf9e

SHA512
c49693b1a586d17c491e510af81440d153ec9e9e7273f2d36f18d5faa2b9901740cb019175bb2a3429781e4a44643fd197930f04208ad99f3b796859a38e1fde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f681e618b3854607e3fba8e00e765d52

SHA1
dbd4611f77bc8de8366d2b2cfc6fb6f135ee47be

SHA256
d4f3f690daade259c4c66b40b0a931b6fdd321193d49f4a4a4d99a756b6a12a9

SHA512
50169ae3f30b8e77d590daa1685c260a419ffaa2a31848fa5ac6fdc7a05ba3fd658a60a10e019ef2bbf35c70f03222dceb4dc50a40ccc811928d806494774390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a648cdeb399417216848881879bf1e95

SHA1
fef3841912d163bc29c1de0b55218bc67795c267

SHA256
be0f7ccc00e07448b77656a9dc57c992ac47ba5753a42ac6e82a14d5269f3fa8

SHA512
acd17cf6f2a0844afdd514b3607457cee6b4108da8e42ba2ebf86844f522968c4d95aed26a5f213f17815f68b6845762ebfc0387bd229fb0d5f5d5c66a15bc44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JHFV4GXP\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab90DC.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar913F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YMPVU2FI.txt

Filesize
601B

MD5
0b53119dac5d429707057ab2d8edfc24

SHA1
c4fe84c2de152f13c47e1b15bb8027f42b6a6608

SHA256
8b1d89e2b485e15a33ecbff645510716134ee9d17c86bf75bfec2f7f15ebe6e5

SHA512
e47c9f4d305d53bbab9a8b0b16a6a321a7ff22662b3bf86900d9478b097f8c371c5aea398cc48edf8265a1021e01ce63d7cd9df0cbfb71e0da7b8d5e805b1555

Download Submit