bbe7f3bc15429196cc01935295ff6a7867b2fc501d1896b01afe62fbce2ed314

Analysis

max time kernel
134s
max time network
149s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31-07-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_13.xml
Size

1KB
MD5

3d0fd8a7b5d1aef37b6b2e20a27d8d94
SHA1

7ee637b68488986b51407cc319712116448ad06d
SHA256

5320b7999caaaa9e05d79c74863410ddb380bae762fb8772e27c16faecfeae60
SHA512

40bfea038ee934be19cf30360e2f6474386a9e7a4a84d4c363376ff73d661a22d54385bdbaddebf912c7dc35e4cef4ce03bbf3b7aca9e5bf30f91e658ed16313

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4112EBA1-2FD3-11EE-B986-76CD9FE4BCE3} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000009619ed05e2de829c92907cbec0655d1055ab58f937a37df81683c2acae35bb76000000000e800000000200002000000060abe5f0b98be94e580ae1bb37ef799e10e31d2a30ebe3add7746072b025454090000000d50a541c89dcf48bca0d8b2c4f81eb7c2f0bae7469aa95e5c00889acba0909d514a96bb57fb97392b1b5703ba4a0bbeca991249459dece9611c5f6311f3309e316a97badf42412c5c5e0a0e0608c56009faf4ea5635d730e87177a4e3942dc2ca3820b9b6289f967c7cb1fc2d3d9f8c1e531440381a3d3a0e7a5dcadea52cad344d5799ba2efb85449df96c4255b9c9540000000b4e446deeea9c64b5a4fccc3da67674c6840f9e0aaaec2db10e2e0120935a6c83a0243de9e72a7ee933ce349de88b5ec6feb8c1b429ff5a903195ba22873b01d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a7d615e0c3d901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000770e5d9acdda53a861272a09457be66f035b975d1019306fc2938a949df47619000000000e80000000020000200000009a92aa45ca887f21744508f20fb792a124c54407f785df6f7d4fe666be6a10bc2000000042abb89508bfd221b073e8c114577b9811b467becee948a6fc7923a5f4f17e3a40000000c42f218e4031198ae64bde23ca8a46c9fafb87edfa7372e513255d0a01d28517b0c25be2d5f80ee525a374696f944cfd78ecfd1f8ea4c37bc343d5572d07caa6	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397594461"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1200 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1200 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1200 IEXPLORE.EXE
1200 IEXPLORE.EXE
484 IEXPLORE.EXE
484 IEXPLORE.EXE
484 IEXPLORE.EXE
484 IEXPLORE.EXE

pid	process
1200	IEXPLORE.EXE

pid	process
1200	IEXPLORE.EXE

pid	process
1200	IEXPLORE.EXE
1200	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2208 wrote to memory of 2312	2208	MSOXMLED.EXE	iexplore.exe
PID 2208 wrote to memory of 2312	2208	MSOXMLED.EXE	iexplore.exe
PID 2208 wrote to memory of 2312	2208	MSOXMLED.EXE	iexplore.exe
PID 2208 wrote to memory of 2312	2208	MSOXMLED.EXE	iexplore.exe
PID 2312 wrote to memory of 1200	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1200	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1200	2312	iexplore.exe	IEXPLORE.EXE
PID 2312 wrote to memory of 1200	2312	iexplore.exe	IEXPLORE.EXE
PID 1200 wrote to memory of 484	1200	IEXPLORE.EXE	IEXPLORE.EXE
PID 1200 wrote to memory of 484	1200	IEXPLORE.EXE	IEXPLORE.EXE
PID 1200 wrote to memory of 484	1200	IEXPLORE.EXE	IEXPLORE.EXE
PID 1200 wrote to memory of 484	1200	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_13.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8aca306f191468bc4d912d98159091b1

SHA1
b356846cf47b2e272bda7140ac15c2a01181d365

SHA256
cee05c43742140c79d516cb703dd85fae0e657a9e7ad8cfc4a8fdfd13397f3fd

SHA512
25f634c0fe647fc49123971babc0a614fd0c67d12fb5d12413984a81739adf198ffacd6df98b38292cc2f362f42c3bf1069e2c4d3b534f5235d404614e161fdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c143d96ce31cda96a3bfa050a2680a1

SHA1
0036e8cf53559b404a8e1c5d7b744a2076bb16cb

SHA256
83ccb289b489a8f43b7a4314c4ce5d05192d957c8f24957d09cf5b58730071f0

SHA512
6ccb5c653babeefd21cda57ceb9db4c6bc23ccb0afa8dbf28d0ecb854f921635d7b19dbef96ed22358cac6e352a9cd5ab9ee88ffd6da5e892af0bde7cc1fa92e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae6f122418d922a6c5e7b9c0d208aa5a

SHA1
39b3ffaa2978cb1474641c7bd03e7859c826a6f8

SHA256
c2e8b7c6e4aed6003549165c808933205341f839bd4ea4dec3ab22c20421ed59

SHA512
7fccb46754f236fe896140878f802ad1128f2f8b53e0720a52f11093abb8958c5a8b89935a1fcd706745c5fee0693b9515f461d15fbf89b40375b6fefcffdc6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
661cb2a19fcefc4ca425b50f14dce993

SHA1
badd9fc5742812d2dafeb3db5b25a55092d14404

SHA256
a9e738feb066fbf17d47a15b3107cc9cfd64a04a9034e8ec2fc762e458a986a8

SHA512
341c51a3f2f57d85000c09ec991e6216bc0159784c0b3392251b4f165e61832e5d74a0f90613902fab0c289d77c40421a863adfd12c1f3ead740c7027353c867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6087aa4fdd747681514ac7f843dd2453

SHA1
3bafce4f541f1f26a7842fadedc1f142aab94fc7

SHA256
172722e5768ea5c4e24bb0e033ed009e9e8f75fa36c97d80a051bfde885e6030

SHA512
a7cc2761a1bc7b94ab90819805262356178c184d49d34de1e371d85afc1daa19262c25f588e2fedc5b8140c33de753d58773746ddd6a75279390b57c1f49b516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b24b3e9423922608c177dd32d6aa9114

SHA1
32667cd018fe76f2fe8fd2faa65f630c6f8877b0

SHA256
ff21c9c511c0b58ecdf51b85209c0e2ad6e64fd6ad5ce3ddd780c2ae575328ef

SHA512
87968858ced3c7324501540be24b0740cb72c723a1441278db8380472d9f92db684105ff23cad065919e4d08bca95efef987831ba584bce72cc4863ad76fd612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cd54db459abba69aaf1c61760d2e736

SHA1
7117c1818a9f64ad68425ee232de111543ec959a

SHA256
9a4fde6595cf08cdcdedfacb2c1f6d7020880c40d592ebff23d9a5c6545648a1

SHA512
5aeea151c6ab461b8df8448a32868d15e40d99fb4c33113b53148ff993bef3eaba78da811fe880aee02b689fa7d94aa490c01be1270eccbc7129558e1c3ebe1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba3e040337eb00950bd8b21792d61eed

SHA1
a0bd2f16a9ed66f6b077b4b802a8b2884e81ba49

SHA256
e591d2c9fd61a54538e8f082407b0e872cd91611e07d08fdbf4d20c6f33dfc13

SHA512
cd463d30a82c17e3ffc361631a641013b56e8fbf9351c24633d90802318cb511a0a391209d35b5eb23c22ecd35417168b75b90e17158cc1c338d77f09e9242e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c186386fc80d5224af33d5a6ed1d7a7

SHA1
5cbe5e5e85f4a786a7e2d721d0bade91b435ffd0

SHA256
16f754bb8d59f8e3524a39593ee2ddc1a4b9f734fb52c3b388e52ba813e10221

SHA512
ace100c1234a50547f7f4f0b50b45a04e02ade87832eaf50452515af7fde8094e9af6225d43e39f5d6e387610c702945783e56f9bd1077f24588da0a1c56716c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6AGJ71Z\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB1E4.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB274.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SS3A4XR7.txt

Filesize
603B

MD5
cbb4ca9bdf1a5c79e5647aba2a34995d

SHA1
f2a804a23480f5fbce901c3aa162af760178701f

SHA256
41e717f338552c83152a78f61f744fda828e713d964aafc52bcd703a67fd6cd6

SHA512
b37f685e6e124d580e77250c7b614474412d9bf1e97a7ce3c0ccfc3b137ce584a19bb4864b5d00e0ce5630ba089c533bddbfb0195fa8f0c047c41ee9735b03ae

Download Submit