6245fa164605d119c883a056c185f3fd9c502eba4ef08290bdc053b0db68466e

Resubmissions

06-07-2023 13:22

230706-ql86rabe24 10

23-05-2023 17:55

230523-whe2dshc81 10

Analysis

max time kernel
120s
max time network
137s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06-07-2023 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_22.xml
Size

1KB
MD5

2c984aa72078254a59641ba4f07bba84
SHA1

b678fa206605d2ab07e66190666223e281d90a08
SHA256

642683939e77b6559a286a2043aa90b44a4a535e63040dee16dcb9367c65a624
SHA512

2d5d256beae6a7b4f3f85db237593cd0e5616f0989dc85ec679c249cd949be50b05114ce6f3e24ba0c831102567168a40a25158ed407e85d1e5f7de91a016443

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cacdb9c8f7e7d1478a5f6d5a6cb4c29000000000020000000000106600000001000020000000b77512bbd434428db98b03827b1b64f848563a2c98b3f0e06eef1629490e40a5000000000e8000000002000020000000563f75a6a965e46bd7a5c62a1c0ced892851b6fe2a16ee26707ba5366db7b9ee20000000665a56b5fbe7db2c514fbf8112d55da1909b5d6353baf85f2a398d5f63c985b040000000b6bd448f72adc93a4dc904020a5ce5a967f0637d95edcac61766e326baf32450f5bd746b847f42d571097ad8935ed5d0d36ed6f14cd7271543684514bee8e20a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ba260f0db0d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A0AFB41-1C00-11EE-8EFD-72C39AAF56E6} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cacdb9c8f7e7d1478a5f6d5a6cb4c290000000000200000000001066000000010000200000007022d5b9257b5409873a9e6a005b43cf1173e2df307dc1a5d8d45af4fb80381f000000000e800000000200002000000062173589b7f9c49b5426e96f47909fd3641151eef6a58d7c0aff6180ca8643139000000008ed96b5c7fd61020f5d2b20366a87b9c09f2bd4962f3cba10b32d94a3ef0fd13e21aed06b152495672b9ece41ac8d35774c1a832875df6e0c8bb26dde2cd5f79bcea5cb0ba5d8a3312f426336f8f58a66fcf25ab0208fe2277109f425fa0863cb6fd828e9c6f386d85ef6b75c08fd63e43768e61a0a7806d6df60103ff7701f2acbe4b54cba70ed6f3698d2cc25be0b40000000e2744044790e8f7eaaf720efcdb81b291d0377644f80dffcea1ffbd73b21e812e05b2635c8b18855557b25d95f8b03a191ca0798fa40717efc5a5349a7d78145	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395414754"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
2352	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 2168 wrote to memory of 2896	2168	MSOXMLED.EXE	29
PID 2168 wrote to memory of 2896	2168	MSOXMLED.EXE	29
PID 2168 wrote to memory of 2896	2168	MSOXMLED.EXE	29
PID 2168 wrote to memory of 2896	2168	MSOXMLED.EXE	29
PID 2896 wrote to memory of 2352	2896	iexplore.exe	30
PID 2896 wrote to memory of 2352	2896	iexplore.exe	30
PID 2896 wrote to memory of 2352	2896	iexplore.exe	30
PID 2896 wrote to memory of 2352	2896	iexplore.exe	30
PID 2352 wrote to memory of 2332	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2332	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2332	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2332	2352	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_22.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d975433562cfd396c90902dac39804a

SHA1
7071caea62efec100734c23c944509b1be25963c

SHA256
2cc3ad3e22f9d7468132b4bb7d1f0b4b92cae6a149490174be5b57cdfb557378

SHA512
f5822272ad2a4b652fa57ddfa1a8ac75fb6859c6c3ba9c61766354affd9eb5f31d0a194cd02388ff306b41989bbcd18bd9cb181bac17914a01e3bbb2671082d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
598801104ad8084d750ac5df39408f5e

SHA1
d8e0f51898dee7b497a1e88931b6de50b5bd8105

SHA256
cad9753dc0ed066548960482a1524d69749abd8c61e9b2bc500c20d1ead76c3f

SHA512
51ff26eaec5a805580a275b2773f25fe46f66595c811f6e458b666ce678bd97d3ed696c1759ce8adefcaad3d292085393a4cd0208239083c727d7d6d633d07f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35f7e6b983a209feb0ad991d7d9e31e4

SHA1
57bfc429cfb9d5bc9003c8aa4178537642d0dd5f

SHA256
8fe427faaed2ee4e25ee381ab0cdabdafdce1145afe2d482d533593df4c3ee44

SHA512
2ac1a5020d2c90150cd99e82953166004a2d5010196ea333ad9c0b183a827ab1c3ca071d12c12c176ece229d220f23803f7e02dd8647b38e73a8f866bef83b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd94a520387eb720bfc2ae0ad1260e97

SHA1
b21f7efdafc1ab38310df8265ca6f7edd3b16d33

SHA256
3782453a78f620a9861229f5e08be091cc000519fc7541e4ac803c7f9c81e7c0

SHA512
3ab60a6bdf5eb4bad7982a43758ce30ec2e0e6121725c8890be0359b16dce176c351ddc77577c8193b4893f305d4b4beb79dbffdc30c8f7dca1498f68d0ed142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a6551fe065f8972f94edf38c1e4af98

SHA1
15cc63652038a3583175ea324b780c9684e93fc8

SHA256
06c709b483120f75ac80d488b3ef4ad5c1d0d15a1448b6ab3d678096f8dfa996

SHA512
e924dea6bb8061d7fa10dd8c97ace6e0a2660e73c634a1ab75325a353ea37d2e92c65ff3e1a6d3cd12ded360197fc5119b8d800751d4268c37e0caa400448fd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56ba617ee55eb8fdaf76eb3a3bbadbe1

SHA1
6f342b0a38089419346cbeb08dde4938172f0446

SHA256
924de7b4a83ad426af3854c04920119c5e83b1742fade2cbafbaf42b24a51305

SHA512
dbdd97d3b90c5cca4c9961078d2111b24b6108a24e948b9d17c1c5261e2014109aed94ad2f921adcca9a124f960173882a15ca8c2d50634cedcc9ba2ef95e620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a092a2f0400276f124d226a1627f5ee1

SHA1
19677d5ef8f26ef7e0add0028455cd7f75ee70e5

SHA256
2a0c848221ba0aaeebd8069f637f161c42c9596aa2b763c3c32041ea42225b3b

SHA512
cf0b92ed23cb48766af75af1172685074e37c5e38baf26c740210a665b2f756a334e660cf68ef17572495a841744422b385ba80415e614cd9af2801e2cd1e136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d0373a223537c8d0997efac0c6d7ffc

SHA1
72e2e632b7123d6b118934ded14783c2a70b9868

SHA256
ff0479c8a46c22cf42ee69f88a933889fba99503e52a944567c8e847ebea1d77

SHA512
f6af4ee823bfc3989999e3b5514f18497c02a6ea7c11706c28e934fc788b357e96c060ff172f16122aa56e20f7f96e84a48fa53df4814e95d775195c7729f708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12c2dd8dfb9b6db101d42283642b48df

SHA1
744184a74a474b81a58de4eb1f99249d3fd59a44

SHA256
8fdab5553dee888e9618c9b5a940e4b914ae95bb2bac1ac4829084e9ff2af1d9

SHA512
105801db25962dc55af18a8e0bfdcfea78caa9a9e1b435d2011ffec0f714706ca9ab1e38e1145ae18c3ba7c6484d8e123ccdf56a8fa85e2e1ee56087a9ae9780

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
620e4365d043cc8bb533158cefc4eb91

SHA1
2bee20620b6b8e66056c7e54da2223747d27b3e9

SHA256
f1db82a6d9cc8572a05537a63f1c07d582db3712475029310c50dda2136f303e

SHA512
f4caa3ef85fbda51d7e882def795599d79bf1c644402a761b126237523361b3e889b2ba78f09d6d6ef5dd9a6db8de7bd67f8c1cdc89325831b173b547943a2cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S593MPCP\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5506.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5598.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3F0NJKU2.txt

Filesize
603B

MD5
904c59d0d72b16be4d747fcee9f816a7

SHA1
72e4c00c4c656ead5a3fb589ed831820fbeab6d4

SHA256
8c2333e89390415f39b4d01575bafcf915d1b67e7c7f532b3d80e951102fb30a

SHA512
df66558faf4b68dad36d3fa358ab23d0e2cd6f2d4e36a9ffeb1d33e41c608af392faf9bd0fafd603feceab947d3fa79a8abcd095e9b1283c05302b88d4d7f3cb

Download Submit