229dff2f805ee436aa067b023ee4dd9155bfd8914b575c80042193db59d3e07d

Analysis

max time kernel
144s
max time network
138s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_shape_4.xml
Size

1KB
MD5

e8fefba6a01f6c0bf8ba2e63617d21f8
SHA1

9e65f3e23fabbb72a0a193571942b0702f475022
SHA256

196b9a9582b7a946ae749fee37b577c3454f4e8487ec568027ae5f7a949c80c8
SHA512

e65cca212fdb50e7e6f575a165da0e60ca05fdfb209e94965b8e8778f699b1196222297735440cc27a73766d628da1b704118b4a4d496c9f729399196c6757c9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006c29dc726ce5b94c89351546d5dd24d4000000000200000000001066000000010000200000004eb2ca222d396b67e7a48781df5dbe93cba868519f33b1d48b660959b9ead9c8000000000e8000000002000020000000f29effff6c26640612499308ce277d56deb9cab0b48f448ed0736072505695bf900000005d4dadf50a44ee6945a9536ef312d7cb034ef6dce61f91ee00d27e52b6fea31a5890b5e7ee7d6fecc7131eeef5fbc85d5bfb36bdb2ec26c8295f4bb645c12b921cdf3ec704076e7ecf54a15f70d6e01be2a5417f6f9d3ef025f1aa5f42a7e5f6a87b478c9de98a196aacec54192b3b3e8808b4bac1e3cf5c68c682bced230a01ee33180a774bd730dd25fa86eec168e240000000cae8c45f98f27a35d50b48ed24657fed46174996bd2edc1f9ad9a01be8f78f969cc0dc63eb286b6793ecec42cc44ef1444caf71cd7782f8fe47e87171ead4abd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006c29dc726ce5b94c89351546d5dd24d400000000020000000000106600000001000020000000811171240f6c3629761cd667fe3f8653bb20867ed3f7f20bd36c432b46ae1d72000000000e8000000002000020000000622afb2019d9e5b40052e7c22ee97141a6b740ff19a496fb4b496eedc6b40deb200000000cde010d95dda449db1722b8402a6509d212e95161565455740e01f21f20e1ab400000000ee34834510b7ea09317903d5c1eed4716b6a76623c0fd1d88eea553ecaa1f8f196baf94a0c319a2fc87489b073fd3d9046ce221530b8df6fd1e933141b8f49d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{296BF9B1-1A75-11EE-B025-7EF4D2542886} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395245075"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4033c3fe81aed901	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2184	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2180	2056	MSOXMLED.EXE	29
PID 2056 wrote to memory of 2180	2056	MSOXMLED.EXE	29
PID 2056 wrote to memory of 2180	2056	MSOXMLED.EXE	29
PID 2056 wrote to memory of 2180	2056	MSOXMLED.EXE	29
PID 2180 wrote to memory of 2184	2180	iexplore.exe	30
PID 2180 wrote to memory of 2184	2180	iexplore.exe	30
PID 2180 wrote to memory of 2184	2180	iexplore.exe	30
PID 2180 wrote to memory of 2184	2180	iexplore.exe	30
PID 2184 wrote to memory of 2212	2184	IEXPLORE.EXE	31
PID 2184 wrote to memory of 2212	2184	IEXPLORE.EXE	31
PID 2184 wrote to memory of 2212	2184	IEXPLORE.EXE	31
PID 2184 wrote to memory of 2212	2184	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_shape_4.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e50cdf38aa620097f3a6baa1bec10978

SHA1
66190d940bb8a528d7dd2ba28b644e2ae746df60

SHA256
ac5f87ff89f553aeec603c633a067a55fe715a862f0887a646f10d427a2c60c4

SHA512
014e870e7f4547021426599194a794a437e51ad7181bd8eebc2b88fde783fd4ded942f84665ea291c75c345f76a358d9a23b669513206f901e432dad420b69a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d51182b0e14b6966b691bfcd2c95674

SHA1
48aebeabd285630422252ec0c9c8da682ad620de

SHA256
7afa24762fb5d67808d80df5a24e83265a568c3715407726e4a7355e3a3e24b4

SHA512
1b7210c14f14acee29e2fd9d3b29ceae9f244b67f58a2fac7a77f7f94ebceaf95d504d007dce5454a75c1d48a46b2dae8736618cc3c7ff5e03eb590dc635b81c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dc3ee1bde7ca643fc9817cadb602f39

SHA1
9b7bd9c548d279dedb0140006a85a230344d2fde

SHA256
c03d5de08277c2f5d8185e005cda2037fc889be8644b66fcef046d0f3da47762

SHA512
f1a200524ee4036c27070ca021995e5c2c9c6c57c2168b68cf6b311e7882ba4ae4bcdf6cdc637aa663de6368c9fdb0850925f3f02ec347414b50362081c99568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8b7773cd00ed995a04b3f58cbbd308e

SHA1
fee02ce03c1a5ef7705f84b647e70188ae40bb8b

SHA256
ef589ee53208928b41bdb5cc1d948ed8333ff2725edf42e9d64f73f15e503831

SHA512
36af48f9d9253d6eb12590fff4873d96ed5618c54ff97d9731429dc9e677366def7211e170d3ff050128f01aceef745000d9ec5045cd2d200b811e01824bff91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61bcbd4dbb5566f4f1d4d5de729c13d5

SHA1
637e1000d83876d3b0a582acd8ec70be668ea48c

SHA256
3d8647b47c171b53800ac4f19771537ce6458b11889dd21c1682af6afc5689d3

SHA512
5c8702f98a87be403d5b29e689cc4a801b3e0e6d64a8cade1d91c44919e29cf52ceaa8a9ec45fbc72dced56206239816398401fee12242586d2ba4493407bc1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c4fbccd3ea906f9782d3abffaf778ab

SHA1
887dedfa67ddc51e4fef457c4ecf4302894dcb62

SHA256
af7c3666c7ebe53a06b258846c2a85cc84a656720ebc09c71dbedcc960d62984

SHA512
b6b38a15cb7a2623091433725ac8f3e71a139fa2f73b58fcac04f8c9f1e72e1538eac9e873f367dca3609be7131537b3e7e8693dd85246e41105add002147cf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e419a8b770924f1b9fbb1135dd11fd5c

SHA1
882d574cb7611d946d44acdf848239718f409ede

SHA256
734528c0fd788799624a990bb02bb0a27215d5e597a7c2d9dfe24e96cda050cc

SHA512
b1a150e0bccaeff7b41b926b3f2d71995acd9c223f8743389e8623e2c42507e70b086e8dcb41918e209ec4cee45f901683cb39a2acf7d2e6a61d6f065d18d895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5498f088d1f3f860420d87913aa87579

SHA1
b683d5e8170592d8dfc90185090defdc2f06cd36

SHA256
224accc017f9360a4a00aca9c7f4fb7cddf9268a9dda935c996e4a65769a7a55

SHA512
19e14cd8ec8194fbdcdb8f898f0a0d6f4f525e6d2cb4f4ca96f43330c9bdf37b1b27d9b6b5ba44ebdb660b9a9aa8f2e9a57b1cfd6bc5160060d97c72de7cca63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1c35ccf89ebceff8ec562aa3072d6b5

SHA1
57898e227e23f9eb98e84b20549f0d443ee98b46

SHA256
19e3e027dcc28413f0bdc6c3b3618527d6ad4d130feedfae68ff38bea3eee278

SHA512
15c7312790816e6869381ca18d4d77b44c740e211d98b5b3fceb75fc9a5a31bf1f0f4eab5e1527b6bdc0d709bd0b9407d1cfac273f85242e346cb7b378e1a412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ODRCOPYD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4379.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4467.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N418V7R3.txt

Filesize
601B

MD5
f20d41e91926f5dab3a5d60f13918e3a

SHA1
47302fcc6146d7a285e12fdee1d7b4d6412bf6d1

SHA256
2f359e56ec0fa5523deca160ef1801f24bd965aa8ad3ca8e3ddbe932d3b1dad5

SHA512
f7153a53a90fe0db4cbb65883e3012f2ddb1afc810e0f572ca7990b571b9342b6c52f75e23a3ec97d24363a41a85a99f9c446a0319a84ab68b6a656bdc3fad67

Download Submit