bbe7f3bc15429196cc01935295ff6a7867b2fc501d1896b01afe62fbce2ed314

Analysis

max time kernel
136s
max time network
137s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31-07-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_11.xml
Size

3KB
MD5

e41a669c3e6eb43159445b88bfa1a7b1
SHA1

ff4e96f609a5c54a7862cecf34c2a79b04201d84
SHA256

793f5fb7b34460a778bf61729997379c1d5aa95d86c8a54150b667d4ca4ff695
SHA512

5e2839dee1a1e3c317582bb168c4cdf9a149f4a6185d2bdc631ca4f1f0fd5749540198c58b14bc48fb167e457501d0b5ab068118c1f341628c17547a84c6b81b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397594447"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3040e60be0c3d901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000060bb321a086d9b5bade8e43dde640860fe298ec9d0ad310bc9a72be9a526ad53000000000e8000000002000020000000cc0dee0a2cc61f9c77782d8bdc3612b100d14a930dea1dff960c2a5bede348fa90000000f2f27d8d173f4abcbb7f21f7c510360296a33ac3611ce31161072827c3d1db5a305e04a9b48f53c4c437aed5c9f85ff6e0a31719b663a3b7a54fc4996d5e9036efba51c3a32fb5049bf1532c191ba0c4facaade700b6ddd8840c56374de389484adcc190f8b76600e16728c4038b46ebf15dc8552d2a4dfe6f3b7b6281e56727543c98f25dcb83c29c8e7a7f90c92977400000000409b240eb3bb09ac2dfecdd18a1b33a65a287fde40bc4535e828275735c9d2a401a91a79114c9760a4c7764f3defa295d5981f860f58efb28ab36dd3b130288	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36E4A0B1-2FD3-11EE-9B45-CEC9BBFEAAA3} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000f8f62a8dce5d2780c2713efef08359455d73091fed470e4fe45db3586ee106c1000000000e8000000002000020000000b9f7cd9f0aca600f11901947ec26f4d0686d9aad48da18e522f027879fb76b9f2000000024e54c8066fd82e787ea081a3defedc54511177360368f2e1e071d16d13fafd4400000006095ac2c05ab485b11e9c107aa3295e7ef45de76f1441bab1734bd3e9413aca5394d657036ee7473a62de67a4c31510fdb706564176f75096dbc4456b287dbb3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2988 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2988 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2988 IEXPLORE.EXE
2988 IEXPLORE.EXE
2888 IEXPLORE.EXE
2888 IEXPLORE.EXE
2888 IEXPLORE.EXE
2888 IEXPLORE.EXE

pid	process
2988	IEXPLORE.EXE

pid	process
2988	IEXPLORE.EXE

pid	process
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1208 wrote to memory of 2588	1208	MSOXMLED.EXE	iexplore.exe
PID 1208 wrote to memory of 2588	1208	MSOXMLED.EXE	iexplore.exe
PID 1208 wrote to memory of 2588	1208	MSOXMLED.EXE	iexplore.exe
PID 1208 wrote to memory of 2588	1208	MSOXMLED.EXE	iexplore.exe
PID 2588 wrote to memory of 2988	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2988	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2988	2588	iexplore.exe	IEXPLORE.EXE
PID 2588 wrote to memory of 2988	2588	iexplore.exe	IEXPLORE.EXE
PID 2988 wrote to memory of 2888	2988	IEXPLORE.EXE	IEXPLORE.EXE
PID 2988 wrote to memory of 2888	2988	IEXPLORE.EXE	IEXPLORE.EXE
PID 2988 wrote to memory of 2888	2988	IEXPLORE.EXE	IEXPLORE.EXE
PID 2988 wrote to memory of 2888	2988	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_11.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4215cc13281d46a9e6824f36dc9caf35

SHA1
09244f718504d09bbbfff2e0b3fd6d668c7d01de

SHA256
a6b27e010eea47464b8eb6aac39df42be0f23af9cce4fb0acc29f098dc341d99

SHA512
77c43364fca7686b72d87a56c391349a7dbdbb1403eaf8d8b7bf7d4aa9eb01aa520c0c74c1bfca0a8d190035d9fed26a9311a4f6c45230c9e3f8bf75a180a2b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e599720b2c0667b0896afe18deb31a3

SHA1
a3142e1a9d191ba57f7f2fffdd5811cc2e3c3bce

SHA256
c3bfce869326af7316fa0a720a2a52083b0f5d8b7d56fbda9aa3e559cd8fe738

SHA512
c916305d35e01051fc06cd8df45ede2f42591f4bda634fe372aa23fd19c59d359939eab2b15819d5cf51e78d1cfbf30b53572a88d5d36087b5ce27136dbf9dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1cc5ad08db451d0438af0b4ba9aa1650

SHA1
de7a33a9217855b78e9b82d491886983b2eef299

SHA256
8c9f390fd3607565f78d324fa8ad11f70048f40b823b23d70286bff4ac2e2b92

SHA512
058c5b6256686c66997beb0ea05abc1e746023bf6e88ec8b26623eb7797913f4778e77ecdeb82e1cb25c33e1c0b1b1fd6771e5d163bce7f030f42e03c2a1689f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bcc3d91b2b44e80d00ec6d0228a4783

SHA1
58df92b3c5f24e0a45b20eba0a1348a7bb5784bc

SHA256
5215800e980c98292119e218a63c18002ce34ae6f16d31f82ec24928f5d00632

SHA512
79b7d6d65df0a59b72c71155198456ea8bdc8f60019475f1e20a060fd1e06017054e8a2d11c94a637af7ed5f94f63c0673e803073c599fd44ee0d9364aaf1ec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3188296a77872fc06db8470ab62eb832

SHA1
2cfb1fed4a1a5e21350d0b62babe4f3177cd702d

SHA256
0c75422fab35646ce2662d56b50ab1f3a714514d2cbc589953dc25574a23fcab

SHA512
44794eba3f5d7e278f8ff9e178c05ae07b65e7d7a59b0f50b7fff2ac30625724ebaddb0df929358cf153a48761e0dd4de0ac5bd491451c7dbabffd7fa676927e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72740877093c3c24a1d36e86a89eccfc

SHA1
2d1815dede1ca26e50418b2c7858e4d1546f5d6d

SHA256
caf92321979ff5891919f97447091e91fb5012ee2fab98780b235d503f6f508c

SHA512
e61f7b0f3587c80c9aae77b186d94d60bc5a26fbbe464789d3ebca9cdabb80a0171e46f98e5a92fea6545c7aedcd7e7b6f6804a6777d64b7d94ea2d9e58cf41b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7a66dc2db4a031b3a56de752461489b

SHA1
d1ae133838ff6f9c4a41a92834adc8fa44a697ea

SHA256
f61f5bf2c0097480737946659465393612808fce2b3b28b0812ed6ae2bcdf75c

SHA512
4f3b706b884e19f42083922fdbc7a36a9a7812e64f4367dba57abe08cc9f234d0849e0a6bcaa6d3b41bfd6cb8eaa3398837a68ddb2ea35cf5dd0c584458457df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64WRFCMO\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAB40.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarABDF.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9PGCSQXG.txt

Filesize
601B

MD5
1e9f242f361ba160f218ea631a8f6279

SHA1
085922a7f6dd09e282a7ba28a11c5436c5997409

SHA256
5c21839d2a74ccdd3f2e10909c95b9e061791d145226f504148cbb5ea00e599f

SHA512
d0977d5d5fe998388cca87bed62bb8dc77640b262fcf769f1c44919027160966ae9103082ba78bbf73adf6f5da3dacd2c3567f38a5ff63838346ac5868ae6a9b

Download Submit