b3ee8c90d9038c94565785ba2eeca0362de853a6324e3c93736a22eba09b50f2

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-07-2023 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

default_shape_x.xml
Size

641B
MD5

2c4cda2ea8fdd5e6b9ae73f74ba1c947
SHA1

b9e94e7e7e7702ae39dcf5fbae881c37ebed6f6f
SHA256

f40e3c6bbb8cde06b326f01b057caa646cbbf8b935447dfb45b4d2c00f385a96
SHA512

474593d18d483ef32b73504acefdc4ecb12e3a220dfc5020850f0d319104f6148d32ee3255681134590bd9356e6a362633ed1c3ff9b16ca80bae849be176d529

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a021af97c7b8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C2532551-24BA-11EE-A5DB-D2B7D0620653} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396374478"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd82794000000000200000000001066000000010000200000001a6aa9d42a2066abee337a628a0a206d7601d21cc2a1ec98c81441e14f534532000000000e8000000002000020000000df5ff8c8038b33bd2a390a740a6ba9a1ceea8fadcb82263045828ef62385f481200000009c5f34f9c4f4c0cf1bae719f2620fb2d75b68a80343daf3f8bb2178f93886e4f400000000de7277ccdee777a6bc065e29724e18b0c260aef32483359194cd7a9d3c822ad694806cd122ed5e7d9d82db2e6c0e53ed7f01e184a06d13306037299c14732ba	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd82794000000000200000000001066000000010000200000005579c69a18bc3e1a9378b0df00117d13f5d7d91ffc3de2420f580aa883724c84000000000e800000000200002000000082ce4e869c2df7dc5a40045a64c1f2119557eb91fb114a765d24dc05fc5be15490000000fe0eb7671b69a21fedb0224af36a33e5c7465a4c2f5e146a5aefcec7510cb5dbc9ca8aa31736245ad80c6ca0321fe3bc63d964afa651ff0b5e2a281c50ae9460e9453a55c73a6da5e488d2445bc0ca7e7a1c8c93f49419fa838f5ad6145bdb8fce8f7d81247e2d5bc7a24142ce0f9ce81f567093ab2fd14c9f5f38e57acf9534c846aa6fd123cdce936c52c0593955f3400000005bdf6a69e33ee87efe14e26146a08fca8a7c817046df9511050c416123c1bef43a4474beaff8225ad010aac2db917637141469d1652f80458a3655b00de20ce3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2600	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 2524	932	MSOXMLED.EXE	28
PID 932 wrote to memory of 2524	932	MSOXMLED.EXE	28
PID 932 wrote to memory of 2524	932	MSOXMLED.EXE	28
PID 932 wrote to memory of 2524	932	MSOXMLED.EXE	28
PID 2524 wrote to memory of 2600	2524	iexplore.exe	29
PID 2524 wrote to memory of 2600	2524	iexplore.exe	29
PID 2524 wrote to memory of 2600	2524	iexplore.exe	29
PID 2524 wrote to memory of 2600	2524	iexplore.exe	29
PID 2600 wrote to memory of 1384	2600	IEXPLORE.EXE	30
PID 2600 wrote to memory of 1384	2600	IEXPLORE.EXE	30
PID 2600 wrote to memory of 1384	2600	IEXPLORE.EXE	30
PID 2600 wrote to memory of 1384	2600	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\default_shape_x.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:932
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f366e896fbe4399eac39fa46e9fc4b8

SHA1
1bcfa8b9aa9a791d955955042a0d1c365a626c06

SHA256
ea7fd534c8efb495ed27b729af3041141880fbef53e13ad37cd85d98edc53ea5

SHA512
21064425a256ee0c42601718b8dcd5d1aebead9d00ee1dc9fb1f89208f84659bab297d002080f2169918fa14736b3d38aa5c89366c21770b29d300e9e39814d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73a1261b7f75597fd4e4447113a96ba0

SHA1
e0858a230d2769d11b312dcbe7ce5dbb1f00d5cd

SHA256
4ea610e345642d1b9691838b60f4f0b39f12f6c91c6bef46a27b465056e632aa

SHA512
826c35f5f0255b8fc422257edb159927c35a86c88c95c4882670d7df82e1d56e92babd89bd8b2ddc772bfc45b287304d4f394ee6fde3a156267d21ae3390bdee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a019fd97b229ceb3730dfa2fd0799549

SHA1
073870f1f7743990ac1947804eca5513da6be6be

SHA256
202fe5876ecf98540e89312ae91959fdd0fefb429d1217bfa6e281288e8d9851

SHA512
081fa7741994b6bc75377538c7c66b3476b8ea1144889fc5a6c7ee9a2e04ead3dae26eb156d8cdc37dd37a282ce9724cc53498038ef781191bf5a30a3dbecbc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3884faf3f1428004903ded2454f9ff1

SHA1
4dfd398e36bac8619186cfbd73e14b12698d23ac

SHA256
eacf59f7de7d45dbab5f4e9a04b5fa59d80c5ef50620aa7b3f296cc9bc7224c6

SHA512
bf4a7588d14cc15cf68ba20c91507ebc4c8c2656efcfcc6769f1472ff92d733dfc35c2d1c6f7341cb3081218503969fd50fe8481bd8e703d54912384bdef9e63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da269efbea342b468a0f34f971c0de16

SHA1
69b9004b206b0f606a16bda4a6592aa44744f991

SHA256
6f5b408ac231f8909df7f2113773b130363f8d338438a36e5dbb847316c002d3

SHA512
7f3d72364b467fd26fd2f267b65330c028c9e8c92bc7961bbcf71d49e3bd9675c4a1aa4257ea20c092e642f071820c3431a38b96da48291ab22e8594cdbd07c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9209fad2ac07ce2a4550759e57579c86

SHA1
0b164b25434bfb9bf17db0f5ca993d8d0b016ba9

SHA256
b60a97abdbddf6dac2829ad9d469a7d5fc12a12afdd0db3ab43a5280502573b8

SHA512
14a15938283f29aa7c259d1965e62adcdb74ce68a31bc2398d6632f0cd358df9fb89da410d385f05f7438c629c863efadba188413a1a49bbf6d413919ebfe5e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35a334f84e1474b4db8a8de7ab7e023a

SHA1
0235fbc9d07f144fb557ca86e8856ad4bd524d69

SHA256
ec583ff31ca0d25811886eabf7c691196d972720bfb7767d384ad420ca0bcde0

SHA512
64d886eedb0570e6d4c5053ee7dfd890306b1cf76bd1e9032baf6550f6f48d177a3b028015be6286593d9d55a6f20d5d3f64b63cbaeaa2c5bf7ec1b23751a7b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81391d46f0105fe2c56bf7a4b7969f2b

SHA1
780d0940313a45b6def726923b1a91caec073ec5

SHA256
9bbb86d738ec42a1601a8a037d1d6d1b7f0d6a20007b254ee02f5602f4858e45

SHA512
970ea475de000742987debf6c3782aba2f8dbcc7dcd9ad454bff3b00281cfc393d70333ad7d725dfbd06064bdd00143740b3cb3126a318e0ff449dc6c5ae8a96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f633cee5f854304844488fc777db3a24

SHA1
4e2561de323459c9db947ad983655779e65f2ffe

SHA256
1d595d9fb118359d2c1991123a95ebb6b9fa603d4b55714ef99c4d66b9fcb079

SHA512
1a6810799ba318634251f68131b7be0cda2af6f496a00818c795fde09d70a9cdb7dc183b332332348c9afcb030b97641d523004306d8a6109d274ae0758f0652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB03.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFCFB.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M2CA59BL.txt

Filesize
606B

MD5
073949b92faef894e56fbf51ea14cb89

SHA1
b71bb09b4c491d707d1a82cab304a449bf63af6b

SHA256
f96bc9d81624d96b186a73153ffe5acadc5260d7bf7df073dcc10a63e796e19a

SHA512
1753efbdcb63f1b082111933112f362c89456fdf0667fe64aad2348e97d248368c42803d5c786bc2a93747c8725a08e554131f294ce8ca965add0c738eb13897

Download Submit