b3ee8c90d9038c94565785ba2eeca0362de853a6324e3c93736a22eba09b50f2

Analysis

max time kernel
134s
max time network
142s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-07-2023 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

default_shape_romb.xml
Size

552B
MD5

937cddd9c34265203047abffbccb830c
SHA1

c108ffc515239cd448e278623450df7c2375c4a1
SHA256

b7b74f49936ecf56d1d49de6b20ab0c7ac9bf128cf50224b4f8598967c9de228
SHA512

0f25e183c57ef789569e7cc28b1c74efca5efe8a675afc809864191fae3586cea5f9ac18b506591fb1471f2e0a5cbcb4e0e070230f597fea992f7ffc0a719dbc

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a3f998c7b8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C46F17E1-24BA-11EE-ACEB-FA427F214E3D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396374481"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000002dcba8d2b0e4616649fab87602a67e36a7ff53a4033df79b9dcf3e4ffdc50b27000000000e80000000020000200000008e56acf150fc61319aeb6d1071567d570b140a28743c75660b6e101b882ba16a20000000554b95cfc291ecd11e3321463906207964f1cc1742384332b0b93f0163d60395400000000a9f48de3dd8db416f07a23f37f97d9f80cbce76f4b3aa6db7fd5fee65552c7006f902322ee45e613d65e0a4b1226f6b0775bc99fe273c10719ec53a339e36a9	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000003c0adb4ee9f3629c1ed087e0d7bda20bafba8801131235590644494f2e511c71000000000e8000000002000020000000df2b285c9a3c8e7f4f494aed5bf461b3ce3c23c266d9c0557bacecab838bc0f0900000002e5e250f8b550142f9f3041c9beddb845c5d2b5eb1fafa20be79f1e38ab414252a65f12cadcac7874bd9472a7f6523d2af45b16ae2cc213182d4e7ec3d48f6a5d280326a2c3ec5f1f6db45654581e3b5766dcf9264be08f95e7766b23285f5ec6ae9ba74b83eb4ae9aadc393604726f4672285d3ab59115e866d2c9c75a7375f3c42817db5156a3e3bcc981ac5eba55040000000f5aef2ed785e2dc77d35b3e4bb26ef3f738b77627e33a8db2beaa074ef803a86e67c190c45cbf51c0ff1f96f8c59b9040eac1305f2484e88ead9030f2b076503	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2424	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2424	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2452	1628	MSOXMLED.EXE	28
PID 1628 wrote to memory of 2452	1628	MSOXMLED.EXE	28
PID 1628 wrote to memory of 2452	1628	MSOXMLED.EXE	28
PID 1628 wrote to memory of 2452	1628	MSOXMLED.EXE	28
PID 2452 wrote to memory of 2424	2452	iexplore.exe	29
PID 2452 wrote to memory of 2424	2452	iexplore.exe	29
PID 2452 wrote to memory of 2424	2452	iexplore.exe	29
PID 2452 wrote to memory of 2424	2452	iexplore.exe	29
PID 2424 wrote to memory of 2972	2424	IEXPLORE.EXE	30
PID 2424 wrote to memory of 2972	2424	IEXPLORE.EXE	30
PID 2424 wrote to memory of 2972	2424	IEXPLORE.EXE	30
PID 2424 wrote to memory of 2972	2424	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\default_shape_romb.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5832916550a970963c06f96c7fa79c2f

SHA1
7cb6f72c6a58e4405dfeffedd381fa23b783abed

SHA256
33c5b7163d7b5308d67c264be785a79489c1ed37835db2318f5549a684672a2c

SHA512
415965c0b8ab0ead8ae7cc931f50279678755d8280c602bee9f475ee477056cd9cbf1eedc18121fcc199ff0d5741ce328de842122c2fda6d06bc8048d4746c18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
580bf5b8b571e89b5b75f4b77d07183e

SHA1
2214aa534e7c42f9417313cf228069629ef81eac

SHA256
51ea03ee7e5a0a704c88eb0a98e600c3b17e5e5a30f5db03bff6fb4338b09939

SHA512
1f061fcfa49623bba1732c69bf8b5990c26be25d20117013e1eee7e8fc0a8c45358791dd2883f3e07a8c9838bba9cc0ea411d1b0f19e827d30e6544abcb90f1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30f3fc9de2dd49213e65e576dbf35a53

SHA1
ae96b5ff428a062425de57dd15111fd0b6ed3c38

SHA256
7716b3a1f5e9e93524f01d81ab30a2796fd6fefdf62eae3734d2f40f9f4f491e

SHA512
a1440cfc7323515bd166a0763f17dd0257edbdb20b1fbda766b344bb45ffcbe25e0c639cc2b5cf6fdfe79ca72a99b5fb9af7bad4c07e16f90736ad32ba3afa06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d0fb6e25319d638163defc9b3c2483c

SHA1
30fba16fb141dda6d7042a411bfcd1ef470d00e8

SHA256
d3e16cb0d58f175564bd5e2aa886b06caa8dc4f713f3ef4f40caedfce6bdc5fa

SHA512
fa01ba88a108c2fb1d460b9afabcde1186c72c66b14abd99ff0eb4e93a7449ea0169eac466b4be880b6ef69a61e1eba2dd6da0b701047368308573cc9648d23a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a143a01fa4d250438fd1c185fda75b7

SHA1
425744e879651b2532cfb05f867c1a0448275608

SHA256
3c0fc72aa2dd2a803f84c559ca6957e15513578b8c18b2a5a084fb1e33877a94

SHA512
a11a85c00580f867a711caf62898e4847abbed2a9f8b3d4427132a8331addbffa00948ce4b4227641200387380f706566fbae8acfebe892d817fdb1b4edf506d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6396aaf3ceef6b5719302500b2b989dd

SHA1
1d66708c836251951740ece49daee8cefafb086c

SHA256
cc04dd428d974cfa32d101c60ccf696c8057e8c4684e59cb0a0f7c250f1fa113

SHA512
9c4a20e04a95ab8f78d9fdda129dfac2b004acd6fc139c72b471ed71480383d7817389a0f50445b2c4b854d6ca1192ea897caadb4263aca115e406e301631441

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ac1c3fa4c9bbc9a342a756aed76ff92

SHA1
ac222faaebb0889b57d19c0511baee7591de405a

SHA256
cb1a44856c8f4940b38af3a31bba337d205d1c1b1fd5d623abec1304c1161397

SHA512
942bade65c397eb48aa0209f7a183d24610e892d93e3f4ba1deda8eca3a70ce6922e94a8dca4090ae73feb13799d7f481c11afc713e31161380c36b0e904ce67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84d3f489b85ed72278415ad05622eead

SHA1
a400886cea82c801a11f627d7283aa57ba69b00c

SHA256
71e3c72e0e99615e26b7b128c5f39344e605747e8ff1fdc5d322c5f80dc156dd

SHA512
cc6d5828d43fb611ab0ba831f0ba86a1d9c82df9c9a87a267142272683309250d176815bfe0b9783836921c3fa04bf15e583963cac68a305aabdc7d5595c91ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d741936130a1c9eebfa37ecfe8000598

SHA1
c83799a2dc6cdf904285daf4109f0516b1fda24b

SHA256
82168094cbb676a959eb281e42d561048ceeeb3f6eab2b43f8b0115574f5dea5

SHA512
60b10cd80220ff35bdb3f945fbece3b37bb6c8fabb6a6a282647490f7424e39ccd43912202411fbc31a8c7fc1fd8ab16e3a12748a4f8384395b560d369b4eb66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7475b956ed8aacbee6f940fe115f7b0e

SHA1
6e7631ddacbdb352127c87e88998481d487428d1

SHA256
d9a4fc99fa91b078c4e2ac3ac9dfd67f22a81f822d4c705863f6c45e121022c0

SHA512
8da35357f50ede53c3c9f3684cdbf7474b0a41fcfa1e981108596a3e0d23f52d4fdfe2a4b7c8329081f274175173bbbc8bfc3c9a237acaf21ad0850d4a058418

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1f2b22cbecbc481c8a76de40a70d3d6

SHA1
0658ac31dd3021abd01be09dc2360e8ee0cf9aae

SHA256
b1c6a47617890dace6e98509ec8c12650cbc0cbcc91b704868588fe92c252f3d

SHA512
d369f4a56dd6ae487ddf0699b4219dae8567a163dce3b4303581d25b4ec4a5ded0e0f2bf2a9869d7c6b93cdc701dfb3b758ec40fb35ce385b0f757c3ed37eff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6AGJ71Z\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA381.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA403.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4MHEY3ZU.txt

Filesize
608B

MD5
f9775975d945f524f7491e5e040bc495

SHA1
a2fc713b978a5debae146ff16b60ddd37057f45b

SHA256
547d9a1d78d672176e56612228961cfd9ea8e385dd75d9626afc7147e54c4298

SHA512
cfe688a0ef0c1b9401d718de7501f04b276c16e8fb8a8afed4d79ec669f5ea40f114bf30cabc398c872541f9d8eae071a6f7c5c3271ca7abd3c5998c976289a0

Download Submit