b3ee8c90d9038c94565785ba2eeca0362de853a6324e3c93736a22eba09b50f2

Analysis

max time kernel
134s
max time network
138s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-07-2023 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

default_shape_square.xml
Size

532B
MD5

ae0e2fda5b632161e8a4e4db3c3556bf
SHA1

176f72f664d221a8a2e7429fa34adc1a719b98c7
SHA256

dc69be436e99e3492d601f2742153ceb0956fc7e4327c74e75fff2897fe98489
SHA512

3b4d30ed9024602eda8db5c13427b12c6f451d33de4c970b0bb90bc8665ac20d992723443128541d55fb9445854d6285c644e1edeff5004b413a24bc5d9d8830

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000ee5daef0f7c6c6dd42c9ce3543d374ee6577a66989ef3d10e0c3a25cc5a9b757000000000e8000000002000020000000a9c06a23d30008bd2ee5b5d19ff234593488a2fd9597aaaec54abdcb3e46a58590000000d51c87ef82217d6332e7fbd7bb06f5d23fbb7fd0b44c63cef4de1d2427fcef3757a27e05a06c7abaee496121fb959dcef531665e7cf90870b7a62c3e9619c8bf05ae8d9027327737c34e34e81c9de91667f3e49a58a1ef1f5ac6a10e7f8a194a6bdf0d42e5feeb2a0115cd53c99e96e531811c98960eec011a7cfa510874a83ac9aee4cfc7daf43ad98060a6f629f52f4000000008e76bdbd2a174e783cc84c59ab1dbb874df8df6f3ec22a813cda0846dd767b020fe4764ad357f2f024373f78b16dba9f4f124bf31727e68e0b44c381399163a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396374477"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C1F0D941-24BA-11EE-92FB-F2F391FB7C16} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0024b296c7b8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000aa16aa01d27e2e73710af2210b4ed21b2a58911abbd054669270a7782839932d000000000e800000000200002000000074be0ff2ae29a77f0ad0777a5972bbfbce90a616be86a3b60cb1e0d002eb507020000000102262b7d5bbb1273a1dc86e16191026e8c06273dcfabcebe86965d689d6b34b40000000bd8f449ebb04b87abaf59b72dca5e51b8578b87be4cc40c852605dec4d51b61b79fe2a74513a97cac496b2313fe39ed7d681e23296f2505e20d10a3631f980e3	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2216	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2212	2564	MSOXMLED.EXE	28
PID 2564 wrote to memory of 2212	2564	MSOXMLED.EXE	28
PID 2564 wrote to memory of 2212	2564	MSOXMLED.EXE	28
PID 2564 wrote to memory of 2212	2564	MSOXMLED.EXE	28
PID 2212 wrote to memory of 2216	2212	iexplore.exe	29
PID 2212 wrote to memory of 2216	2212	iexplore.exe	29
PID 2212 wrote to memory of 2216	2212	iexplore.exe	29
PID 2212 wrote to memory of 2216	2212	iexplore.exe	29
PID 2216 wrote to memory of 2836	2216	IEXPLORE.EXE	30
PID 2216 wrote to memory of 2836	2216	IEXPLORE.EXE	30
PID 2216 wrote to memory of 2836	2216	IEXPLORE.EXE	30
PID 2216 wrote to memory of 2836	2216	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\default_shape_square.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4565b16b49186bc1c45880bb525f198

SHA1
9981eaf3fb501cd1736ae65895ffbc60bdb2d44a

SHA256
81baa9cddceaddda0841d49635a1c686f82d0f442a33e3454f6dbba58b24e6ff

SHA512
55086b5bd9f6d77ba3ba491047f9e274d57361e855a025fdab57893be0c63fc41e3ee190efbac6e1e828ea2c5633820fe618b415ba42c2d468a300b9c8084549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
951c18d538ad4c9fa651183339b0b76c

SHA1
ed7525edae464c7ef0906e33b180afe41f23b91e

SHA256
071ef08964cfa816fc89ac1fa9e42a5f85c1e41881b2a80d044eda596ed43abc

SHA512
a507bbeee99ce5bf0929375e5f308ae20462f31e80fdf80ad45076caf7376f38bffff7c57fd5c385bc11f27bb7446aed75f41a75905032296452fdd7fdf7cddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d524007806c2674f0379ef385cbe018

SHA1
641f835bb4d4d6081046503e9a2b30cfb26085df

SHA256
3b071d133a6a702dee64f299923da9ed179448908113f4aa86906e1144485193

SHA512
eb2e4a92f2f7aa1c74c360efab83d487c0f97c8ecf8b1e926ba89d019961871300177eca18fa13d4893b3d5665afb6572decb01a10609a2f789aa85ed5fe9061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
057f9c3d2783d6f97748d93dad201a4a

SHA1
7189521703ac7d26debc88325f0f86e6757d9dee

SHA256
4add07442805bd1adb0253d40275ec8725718516b31e4c2d42bbf1a46d2bba90

SHA512
18c88e45dc81f0b8b59e5e83d86b44fa1a3fc54327261d2324d5b5e07eef050a3da375754b5d7c849242bc7c0db07fbbe2105ed2d45f3267f71c86dc291e4251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61b1c26a8d0388266504a0b10b5ab05c

SHA1
77cec289a9e43def9d50c3daa49ffb3d03161f03

SHA256
9152bca6b01a1a5ea7f47a9ed056412fe3135ad958a183f69fd03724f0c60e29

SHA512
0f6d5d6a103841c0fd1be2ccb7ceaabf8bfd297eb8ac0070dfdf36766daf3e5df0e32793f801a926439c05361d8f74616e75dbe2cc798dad7441ca4e03307e20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a62690f18a85ca30e675584dbb4126d7

SHA1
e42c95e9e3d93b22388cc4df83398ed9d9c374ef

SHA256
a1dfabdd958ebc54c83d72f1ea926a2520a868f9b83f20ad771340c63b4688b6

SHA512
661de1a669078dcc7c66a309ba1b1c853adb8fde4b85f158ddc18fc3a9c3f154cbeed28e04a256ea131c07e51712a41844de7a50cde544c008ba2330bcb01c7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8192f55e054306840bd6e4cfcc490b5a

SHA1
ef4c39118b66c8ffe036d884df19e1bc085e3063

SHA256
fbbdff39df98c812336296e44898bc9749226f2292097b5720dd34121f89ed6b

SHA512
ec4139382399839c29755170f6ac0d53e6672cf60f40a1c90b4378de8e488576451b4e69838dae4d1e19be4936e23735987509f5b18ff6c23dc5b8c0b1116c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e741e73ac733dafbb71e764c7b01158c

SHA1
6dfff44aad9de2ae29f9553a3cc82f9a026301e1

SHA256
c8a9ba116f8b86ab1a7d729b70334b0e0d0e12d0e939e47c29e51d2d34a4c629

SHA512
71f36914364200f0fc10e470b18298f28e61040683f2827d2f5e197e68ca3dc5ba6dd976d3041a9cfddfb4bc3e1bdf089a01596ff86183c933fc9aa40cb28fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
388be5d9d35bb6c5726a6b15872028c7

SHA1
7dcb3947d6bc63fced054ed7831897ad0be0be55

SHA256
d5bf2c88433627d2994618285076b836b2863796624d447211a948422dd1119e

SHA512
bf446155c5f6d3ca7198712aeb285bc56caa1dcbce6b5bfb4e79eb2eee53a78ffecd6189e082da2e083aa669f4ffc4e0cbe1d0dbbfdc1d617bb2bb4f22bf907e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b58022212b0961067a824e092b4cb5b7

SHA1
da5709b0f9cb4b6a2915d72789bc09b829a30827

SHA256
b84723e7d61aed3979a6d83d5ade5989f98e1b4096b820f907b24ec3e227bab1

SHA512
d319a2f72fe4ec0c375fc775c906a7f5c2580e1c6ce60b2b0e80d89aa22ef1176cb468abde11da99e937eb6634bb545b4d0ff4334e2daec20e752554a6f54b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3VKWFGCX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A7D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9AEE.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DS0AJI2X.txt

Filesize
606B

MD5
c409caa660bb70f6516f2f8ae3bd4d6e

SHA1
4cbcfc995074501bebcbe7165be7827a4b4d2b76

SHA256
849a8af0f55d776c84279f2f15d4a18c2cb7982eb30ddd32f25775e95c20120f

SHA512
0ff96e7c133b625c348f1754124095a744407ef2544801ceb18c8781239866caa9d9c4a4a4e8b726e67568c323cd2a98a4ec48e3faeedb564b03d59a54a7bf10

Download Submit