bbe7f3bc15429196cc01935295ff6a7867b2fc501d1896b01afe62fbce2ed314

Analysis

max time kernel
134s
max time network
137s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31-07-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_15.xml
Size

818B
MD5

a9146c399e0bf45c006eef5326d5e2b7
SHA1

f7a9111db0c8aae6632d9bd80f07b1669bf12389
SHA256

ee03c61de487becbb8c3288728e4a35fce048b1f8aec4ba3bb65dd61e92693b6
SHA512

ab12870b53f66af028fb71b234274c924aabc0349637bcb5c37681a3d8dcb06ff8aec627650cf1671b7e808d11987107832a5b3fda19d46ab8a2d9459c2351f4

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397594449"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a043840ee0c3d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000450379e67fba08329d0ac7f51f56c4519ed6084c3729769b6325446b0440e417000000000e8000000002000020000000fe29c246973d8777be8ec52508a576900c3beef740902f5552a277286ee58337200000001ce00071d2db65726f7560d975c0d8d84194d98ba7d87ecb83ebeaf800cc73ba4000000019fb711b30b354c196a681385bf317db8b65a661fafd813ff7e57b7882a822a09fba9b55ac40f4a521b92f3b362d168056eff25d1ca50fe009ea168fdc65a89f	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000a0fc27c540ee7a0edb6a5be14eabc402d67573e71ce053dd8f8888be4f2e3cf5000000000e8000000002000020000000a680b525bef3240fc13cf3a73dea354b4463592534bd484ff92fdef0899ec088900000002d7f328bc9364ea92d446281bf1314b6dd39db2744b2e7aa939a617f48a1abe1518fa845c688a94d0c5d552d9e256d22078172abd35ed81a2f5dc9d919672364204ec7b10438fd9bb96222d41c40b6ebcb344594dc67853b7e2146dc0cf205e4a2b3dcbe699aa78e6daedf1374080dd1d7bc86ec71cfb05bab9b313fb44b8fe80616a2b4115ea07436859f5579f3ca874000000017facab8dabe8109373406c7d58ba7560d4abcd117458745ba4da50d615fd771ce7c6bddbdaa367cdf36189e0b5a5aef617e21979b7a9004d86b0129fac5bc6f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39A8C1F1-2FD3-11EE-A5BF-724B81B1CE5D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2120 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2120 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2120 IEXPLORE.EXE
2120 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE

pid	process
2120	IEXPLORE.EXE

pid	process
2120	IEXPLORE.EXE

pid	process
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1632 wrote to memory of 2800	1632	MSOXMLED.EXE	iexplore.exe
PID 1632 wrote to memory of 2800	1632	MSOXMLED.EXE	iexplore.exe
PID 1632 wrote to memory of 2800	1632	MSOXMLED.EXE	iexplore.exe
PID 1632 wrote to memory of 2800	1632	MSOXMLED.EXE	iexplore.exe
PID 2800 wrote to memory of 2120	2800	iexplore.exe	IEXPLORE.EXE
PID 2800 wrote to memory of 2120	2800	iexplore.exe	IEXPLORE.EXE
PID 2800 wrote to memory of 2120	2800	iexplore.exe	IEXPLORE.EXE
PID 2800 wrote to memory of 2120	2800	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2920	2120	IEXPLORE.EXE	IEXPLORE.EXE
PID 2120 wrote to memory of 2920	2120	IEXPLORE.EXE	IEXPLORE.EXE
PID 2120 wrote to memory of 2920	2120	IEXPLORE.EXE	IEXPLORE.EXE
PID 2120 wrote to memory of 2920	2120	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_15.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4ffd097a9f770c6bb791cff898b39da

SHA1
4d7cf1f7ec45dec7a05baeba9453723494267ba2

SHA256
10ea9b91d6dfd5b9802d81eef73d71b0fe8158d53c11fa753fd925242cd80ef9

SHA512
28b0426c8f14806822458aa0ef907cfb91d083a493d96213b3a0295032259381176d952b80c58b64e819f4b66005569b9967bdea487f7df5df4869b2dd32ec86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52bf3ab10ed35bc2d880f80ddd7e9b92

SHA1
31b59ccc951364152cacdce229db41bbea62c3a1

SHA256
8ea42c2664ff165849322f38679c3f7fca5ac1fa62969af4171b96fd307692d2

SHA512
8f882e521f5deddd94065ba2f8817020e7cb8aec52454303f754b05c627f9b596feca3c77ff73f2a5ddfc70c279dc40912cabe3d4d920bb062d9309f849ae448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b951784004712f837131ddced43a855b

SHA1
3376d2724857c444e3e7243f5fadbe2be45fdd38

SHA256
3d388057dba7b99b3ec40245d3e647e6b1acb13589454ff3b06716cd2f97fb94

SHA512
cebe91d4bbf87388650fcdfac0220e9c451482575e672559e9c53c643f8429707527ee904d3474dc9aef7f35fc64e3f0af2d76c85638ffa1ba5b355bc971ed9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1977532ab82f58185cdab3e8d945f7b1

SHA1
5e58a068db2cec785d322c54b7493e504b759cc7

SHA256
5c3924320d667afa33867e15eae23c4c78502f6a5548b4477889d886ce6d2c1c

SHA512
e548cd6f90ce4501d22f63925773b88a72a5714d38b5a196ec2e1993baa31a603408dbcc28837fb9dc78955a920931bdb594b98f0d289b4d9fcbfb88fc840b99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95d4abc3e065bf2294787be19f0ab134

SHA1
95b80640aafe1c66f3004fdbe24b6253df1ea526

SHA256
bc3a4c2efb02264d06ff1938dea360f639a333251c19061539e84940362021d8

SHA512
6fab483fa3c56b64c94e5f2c69422efea32ea65cb59f43f0ce25b7ac7938f2db183e1b3907605b8d2a8086381cce4eb3b68752a5a40e8acc175ad9374345f449

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f73b20c4db2ae361fb97430457dec557

SHA1
8bb75658930228f5d79789fc7883f1bb8a5d87fa

SHA256
8a2cf8c9632befa4339fc9640d42979230cea649ade8fae9faf33cb9679aeebd

SHA512
d084b4cb7572c95a27152e7c3a97883cda58fe7e03473d0cc0cbdaa390a5601dd882117bf44f878eb9bb4bb57cf136d17812e597feb27e77194a376e6a17c8d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9027840e974cf9e1c6a3a45d08b671c2

SHA1
bc6286c22b07ca229adff93ed91a825fa779013d

SHA256
04f943b587949877104441e0caf6e5268fde781d04996f2f60a2fe3d2203b81c

SHA512
ce7815b604456820221141dc6153ecaae403e74c7c9273879e658ec30e90f543a479ec188e2b16f97cb79edab753426bb0cbbdf99b26e5bfc8af81b90d2b6a8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ec8fedb2828c13b5fd7c910acc21449

SHA1
342ac4a5d8e5d6b23a7d4f2b8798de9ffa5ce561

SHA256
6c1b6995c6584f193a3f415cacec8e84be2fb46492de3f6d7a9bab8f9ed5311a

SHA512
3c233d5576d49222ef930024d16007755f097f3218cd01e506c645035e0564c733ca461e09ac76c62d0f573edae4cbd8a6aa9d2bbb6f8729739a321d2ea35538

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bf6ee1ba481ca3eeddc2bef3eacd78e

SHA1
cf5fd987700d80910ed43df84a5e29e5acbe3124

SHA256
8df2db54964ba88fe94c7710eab3ed125092bdc600cac6fe7349313ddd3c406a

SHA512
f85639a50f0f6ee0f7dc73df349108f192fe5ff098ce7b97402da71ba8044c0cfb912488412b64602e2b938e075f9a7c3f047ff3e6f98e8b6bd0ca9dbc4e094b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c09a4e093bd3fd742429cbdcd7768775

SHA1
3e52a1cac3ee22752e599d4ac5faebcd3c15bb73

SHA256
0cd04809e842c6c76492d668246eb21b6a6225ae7613b3a8c732a7b5e8abceae

SHA512
f5c545a5fe4512148c162476a631b212e7301308f299232c4b02cf86a827b6a99831154f28163f058c0035d689851778029e394dc4772d61ecadda704b12116a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O5N1CMJ9\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab961B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar96E9.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\360CQVF2.txt

Filesize
603B

MD5
c60453c6fa460d221ed2a8d8dd3f6e86

SHA1
7d88cee5578bd92409053ccd8f9a0bafa34e0ff1

SHA256
fef71a6b6eeb3c5430e8d568ab6a54f42bbe9397f66949d760411d7917938536

SHA512
63665178dd8dce9eb459a5007d14ed7ef70f41ce111db7dc7485de02e11755bb7877b061d90e7a5d391de5183dc6937bcdaae1d5516c0b0d4f83656776c85d1d

Download Submit