b6b59a54d67199717390a8f67751019b65be5aa791c2a605a564c897e21fe90e

Analysis

max time kernel
135s
max time network
138s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_shape_2.xml
Size

4KB
MD5

6dc1e0aa43dd2a582b24b6487605fb76
SHA1

c403b4c464908b8d740d03775742fdc72a6e8327
SHA256

f6ec4c71c9e3ebfc1d23691364cc5736a12c3180ad35e55f4f9dc0fa3ce03669
SHA512

3cced4fb52552f26f35eac6eacf8fc408b6f5e251984f486e203777b0889261db83ea127a97b5e53c246456c819b23b6d6209fec1bb3a6df5f173e66de370ce2
SSDEEP

96:7OKfvMkrs4v9rTicBaUTnpI5kS0nvVfiYPl9Cb7dMM/SAWicJPjiBwlH:SoT44Vp3hrnvVqY99CR/SAWicgwN

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000004109b204be18c3cd6a0873b6d90148c41ae4deac5395ed863e82914898dfae8b000000000e80000000020000200000003d6f7a4d0fc55b722905fc4cf33d93e624f06096a6a37da57702e12d61a0a57190000000d6849db44415097a0fbc6965b88c3953435fc86a38ad455d0b43ea4ed220907dfea16bed6885817d92f9e87b1f63ebc828271761b5f2631e44e4e8c59bff1247c5316a44102ccbbb0e1669e2ddbf259cc4c983bdbaaa24d4569bfb94a1e25f94dcc1c747ae5ef7afff5376681b95948c6290395169f81df34e04524e6c50c926f5137fee11d5a10cc857b3d398d08a40400000000e4b4e4135d31806a7be6655f284d86536c7e5559a7300a642b7b73ff1db14e93d72f6e2e7cdb9d3e42d0e754cbd911bc7564789a203ce76edeff7b00a056d42	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb00000000020000000000106600000001000020000000c988a05fa2e2a80b10a8bec8b896469f5437c4b3c5d6fa57df96ca4d2077120d000000000e80000000020000200000004443b6e4a239fc50ee1f0452a2e22899f0b5508bb0ca634cc79353f2a28c44162000000016afbd9509e3de82b65bbe223883ed21adb07d0188a9c653ed48e96381ae3a4b40000000073c97c246daa28fdcdf75faa3b86729cba5189122e2b3b482526bedbf3ab4177af61e0315491427ba8ceb9749534b9738ca7a90d2c8df1e55565ddf39d31c0a	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602240"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{940B7231-3561-11EE-9DE8-5E587CD0922C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a095b2686ec9d901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2784 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2784 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2784 IEXPLORE.EXE
2784 IEXPLORE.EXE
2060 IEXPLORE.EXE
2060 IEXPLORE.EXE
2060 IEXPLORE.EXE
2060 IEXPLORE.EXE

pid	process
2784	IEXPLORE.EXE

pid	process
2784	IEXPLORE.EXE

pid	process
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2060	IEXPLORE.EXE
2060	IEXPLORE.EXE
2060	IEXPLORE.EXE
2060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1616 wrote to memory of 2616	1616	MSOXMLED.EXE	iexplore.exe
PID 1616 wrote to memory of 2616	1616	MSOXMLED.EXE	iexplore.exe
PID 1616 wrote to memory of 2616	1616	MSOXMLED.EXE	iexplore.exe
PID 1616 wrote to memory of 2616	1616	MSOXMLED.EXE	iexplore.exe
PID 2616 wrote to memory of 2784	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2784	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2784	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2784	2616	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 2060	2784	IEXPLORE.EXE	IEXPLORE.EXE
PID 2784 wrote to memory of 2060	2784	IEXPLORE.EXE	IEXPLORE.EXE
PID 2784 wrote to memory of 2060	2784	IEXPLORE.EXE	IEXPLORE.EXE
PID 2784 wrote to memory of 2060	2784	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_shape_2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a4d0496d2e614d1eff8c3bc2048c5568

SHA1
af8ac0bb3e4857a06eb9fdff867184022bbe9f6c

SHA256
503bd968f4d106b00d1d0d6e1ec7f65dbc52322c86d095037ae43864535e9dc8

SHA512
842dccb893753949db06030a5972cc479157ffdad7ecff8acf1abebe3797bbaf4c1179c9b072731c7b9194d8d2cf438e73e1e120fee5582e26cf28c20cc0bd17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5329a52762a2c500382c1ea61ef6243d

SHA1
34b0bc4ba66b0f4134ebfc9078943710abad1761

SHA256
9ca05b4c71614e8a9f0eb63bbe960b01701e29a1ce56b89a0cd8f0c87ad62b81

SHA512
28a21e136998669f238189e1f93078e3230dd59767a889cbfde52d9de2ce7bdaea379dfebd55ccc57857f451a21a6c62a0546cc6a4930bb7d5397000ea38d00b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
77fe1003d5902592c19093dd78055af1

SHA1
cab8f82bf139dab9668f8f70998919e98a4a63ca

SHA256
bebde641c62ce30893effd17b523401381781eb1017ff01835a1a261b1c2eea6

SHA512
51b169b89e4b5691f37c06ba2af08e0dfa120652c4bf6ee7f0025155eacb31b3305fb74fa9f0149a93bb5309bc5941e5ee67cb384df728cca294a60190369c9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
62c8dc105533e8e315681421d13628e5

SHA1
e382486434d80f9d0f1eaf9128c797678236db4e

SHA256
7f62004edf5bdf05b5c5de70a0f8d56c5f5461be05fc5b9432762c1f1269603d

SHA512
3629fb3a3266aedf33fbe24365ba3c0900f6d028e7f04a16702e94ca91cbd1cdde80f5a0a78024bae8a77a1d264d402368b5c8a55de2e07fad882c0186d8f3e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
58dceb3f82edb92b51515ad4c29b276b

SHA1
080ae43afd2eb7ea1dea6a99711a8e9df70b3122

SHA256
1c6634194ec770029c37ebaeeb25fd8809cb5f4c0f9bed3366ef1809534c273d

SHA512
28c500999cf7dceff6cd8a99726be6beb33dff59a42f7efb0b5b14eba0b276383f2e29433605eb989ff5c1fd4aa8a7cca59d702ebde61862b3acba74bc45180a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2e1f30d5f492922c6f717c7127ca5c7a

SHA1
ad3af6392dcbb5df7aa677da8a9d33b3a1fc5526

SHA256
60796764396132ff8ab4aec17f43ff6abdb65f5e7769d454332620c3c0c4f06f

SHA512
e72ed56c6623ee5bb36a6ca17318a55edb971ec0a0a27de9c966565f13fba226ec6d5d9630590922c5e0bc0375e88d327a485970ff836e74a19c663e9f00515c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f9942158ec55aef8b9f0353e4cd6135e

SHA1
c81cee1298b356ae7e445457cd9d7afa1790d9e3

SHA256
89bb5119be91cb189014590eadca30e71114fe637b47413e9e9ea9227a0020da

SHA512
0d46d2a4f5c5407df6ac1a4dec6c7c86e516c6a962aaf8e9acf2b308b7f7cce4d06282c37b2f78580b1efb9b3f36354976a13152794c9562fa1ca6bea4933835

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9a7276e26b519561edbfa91f5a10997f

SHA1
fffd18444131258b93f50da081cf414cb833d048

SHA256
811bec8ec6a07c5ecd49e1ec1c2a2430720bf6e82250ac7a265ed70f865f1558

SHA512
12a96110e54dce69ef7051804bf85e34a1342624ca0c74f3bea9ea8869165028b769e17c45db81db8236b9e8f83bc2759314195bac993c0645430e604f74638d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bfc24620143a051e712ed6753a8d30fc

SHA1
78081b218f6cdce19e4e6d39d69e8b93f93ba239

SHA256
244e2161671c2f82d02b25f937d770c207e34fb503dab4e67def615fab16ff34

SHA512
c26a797f3b3732215140a4a09de95cb0b2b919f2b352657fe3581c050599f46e10369e638ab73c7d4429c0e10139678dafa034d3d97e8950437502bf3229a9d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0049c775f4c62fbb354d48383b66276a

SHA1
588d734df2d25953b98fef899231b9e604087e4d

SHA256
f168323735fa796ee60f1a7e830d8c2ec3a9b7961dfa57151dd0cf839d1ea8fe

SHA512
4d086fafc31c35163e18caebbe09582366e53936c2097be67f444bead507c1ee023d21f5354e489528359c74d48a0b2e1982c445f26ae8e8fce3c5708f5e17d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F7D.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9FAF.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit