b6b59a54d67199717390a8f67751019b65be5aa791c2a605a564c897e21fe90e

Analysis

max time kernel
135s
max time network
132s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_shape_4.xml
Size

1KB
MD5

828a7ba18fb29733210cccea82833faf
SHA1

0eab9f3bb7bb221a0d54a0da3379edfa80a713ed
SHA256

fad97a809483b5b59a783e811aea993048047ae6efee1f861233a63067b7a815
SHA512

ee5fea4dce25d0bc8ea471641e4bfaa3da2305b9be2c494ae8f444e44c65494764180b5412fa7192198280b2aff420c2a76eda41f036ee87a9eb246d2a067944

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000006df36bcdaa42767a5b7ea0ac7f38cc2f1c31ee0da47fabefeae50e8a5e2552a2000000000e8000000002000020000000760a465ce0c7c0ef5ab61e52fb73fa737b4c2ccce20f613b625a5ee70551af6290000000736328662bf1e408d79f22c6b96f0bd777041cd138d9b18c95092c5cd484a265cb00f2cd509d1ad4ab19d7bf86bbefec4989cefe22d1800a5b3e39fc740e18f8ec14dbff5b5b73560f00665df02fd9625b2d263ea8cd4768cdc665f7e2c8f90c90fecf109a43e408aad5e76fdf66c88ada021b13427a7922a5b4a8c6f90c7e178c1c12b9ff30ecd44259c747ae8b99db400000002aecd32fecafba7790d267452454ef54c982acf9f8d4f93487b7ba1d4e42812b5b218787ca878566e68272ee680b8e30a5d76b524de31ba8fb2b1e6621c7b55c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f50b686ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602238"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9351D691-3561-11EE-ACEB-FA427F214E3D} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000007467eba6e4c991d29fbfc1534cb19ae862a882008200aeec8022c3a909c8e326000000000e80000000020000200000001a035e3a45c941b1ca8929b5a82f702299939dbde203c4cbc56babb57216de87200000005e2b784d3edc9466726970645937a3f63fc6f1ea2021ce0d70f773395dc2bc81400000005b66ece6cecc144ede62c54dc01ff9972c97775f5f66c6d4f1ec4fe8fa1d154f91d826d6808f7bd734d8461a7d6ba61fda55ca9705c6ae719889d29e007786cd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2452	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2452	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2960	IEXPLORE.EXE
2960	IEXPLORE.EXE
2960	IEXPLORE.EXE
2960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2404	2316	MSOXMLED.EXE	28
PID 2316 wrote to memory of 2404	2316	MSOXMLED.EXE	28
PID 2316 wrote to memory of 2404	2316	MSOXMLED.EXE	28
PID 2316 wrote to memory of 2404	2316	MSOXMLED.EXE	28
PID 2404 wrote to memory of 2452	2404	iexplore.exe	29
PID 2404 wrote to memory of 2452	2404	iexplore.exe	29
PID 2404 wrote to memory of 2452	2404	iexplore.exe	29
PID 2404 wrote to memory of 2452	2404	iexplore.exe	29
PID 2452 wrote to memory of 2960	2452	IEXPLORE.EXE	30
PID 2452 wrote to memory of 2960	2452	IEXPLORE.EXE	30
PID 2452 wrote to memory of 2960	2452	IEXPLORE.EXE	30
PID 2452 wrote to memory of 2960	2452	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_shape_4.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5718d8039fa43a19e30a693da6969db

SHA1
e9c28ad2a431b99a771085774baa1e645219e579

SHA256
d32c9679bec7e4e9582f627f5e4df4a99a631195fcc68772e453eedd46e2aa08

SHA512
c35e8b0b5c31e0c2a8439289f2eecd32b4512c55fea71a51b85a42e9a9c344244e5705a213981a6c2e0fe055644d94c2d77008e470700a83d6a4411166aa7c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d59e6e7787084ada6142a7015ad87f5

SHA1
4155f096784b09779b44fa9b4a1e75c849e4c6ac

SHA256
e84da1645bbaf60b3ba6af3769bee16beb31f1e9a66cc096bec5c55c0f29182e

SHA512
bc8567993a37dcf5357c3bcc3b84d9585c7f354ea81d7b6ef234c1b041a461d74fcc52c718006c57fae701f15e06f7b81ad787bde21137db3297f7d861cadf36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa3a0d45eee1fae8d4015bb188328fca

SHA1
aa9bd1269f8ff61b6fedb0ef8e7823f0192b3a23

SHA256
658a556f4d18ae736a5baf7d3ca98804e7fcba92c5def2186a28deb8786ef9a7

SHA512
22de233f5b0ccfd9ff907c9120d6792b59d9f2e63b4dfce5f6948ad213ea926d94067aec19613fbb95835e9549ea009eddbc71117766bcd24da363a50785d50a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bad7c787478083552f1a642399a638ee

SHA1
885a4dcb800ec630328e25304a60c71b29e824e2

SHA256
d65d098a569c06c89a4bdd7e703f7a67157023e0747555c7915492ff13c51dc9

SHA512
644052ffa050b769e7ae7d21cd05d4f74a64fdb12dbac4b1995f5e4550ad4c63b5f040dcde14d98454241479ee8b2ac827c3dc1e052d4aadb078b6b5b2e13b88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7594d189faa0260eeebdd599147e5520

SHA1
b66b6794afdabc875e3d1f036f7af46c9de42143

SHA256
496fcf970ae8888c63ab0818c11bc287ecc2c448d5fbb455f093f824c85b93a4

SHA512
6114a6ec03d76e3a7765ce705a6e91ddf3583c1f466e82498012f9b9bf5baadc01619a0f55ea1c8bfdbc70758819b0cdd44221979c19925adcdd23c497a88e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a134025a199c0c9e6ca71f07c2b44177

SHA1
3c4a53cb25ff1a9bfac35919a8393b264fb3038e

SHA256
08a49b2d6da8b8f13e479300e6c47fbcdab9ee6e25421291b53085c9cf210f53

SHA512
089609396c4229578948c25d011f076483e499a5d2c9825e2735e910a659552d3bb82bb8be11da19f56a731739a21fcd0e954c69d53639ed1d41481388576793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82b1a8068b874f56f77f4a6fe3d01e3b

SHA1
921e9e62f25df7407353e84e9bf30c98932f5606

SHA256
a426b341d00a3e1860f3a81056192eae69a58546e1d58d26da3f2ed608b65b5c

SHA512
0bd9cc2f82d07fbff238e324af7ec497f6f69267d0b7d6209491c874e335a250ca33251384d8d4f8703d1fffd6c4a9c0f6f75dff0b3720b9c13b0c57b37475a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4189be0f5c3ed9c28fa70b72e3c51a9

SHA1
eb0e68e8204d3acf523a61014d1d9e4d019fead3

SHA256
729735cac81ac65b211b34c351df15af059126d8bb974996955a2c132ff17e22

SHA512
6be45adf5c9d1d6b1fafbddf5328bf387d42379df9945071926448709e182fce717579e1ab008880baebaf309dc78b27a487ddceb87312e2f5c2438c3e64737f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8575a92b51a445f4efb0e6e8a96bf322

SHA1
a6160c9f3384eae5e2fd358b1569d1ac74c6572a

SHA256
3ede769414d42360851326431410705c8f09f7a64a434372faf1e8791159b23e

SHA512
6ba36a83a466e222c484bdfec7c7347edf7a92efff294f37d0bc606250f04cae0efbe55303386058f2e1836b0ef3dbca5b31e341d4d9452cf99adf4a7457fd03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8708bc7a3c79340d3fc0e728a4c39f75

SHA1
7049a706ba3c3a05d7aacdd0642fc9298da590af

SHA256
bc175d8d1a1f9512f5cb4f0e76f75049aeff66fb4521ef850e00510c325ddd1e

SHA512
13d761723d4ffeb6f10a3d4f888609a688777d9102ff33bd98659a7637547835e40968106a5f5d9d457bd0d34616a91b12ff0c1124a2105f85f27a79a70a7412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e72f976abac4a6c550532598845b9b9

SHA1
7cd32f92817f9e46bee99ed0dbe8befac944204d

SHA256
0711f3dd8f31bf6f2b08b26020eeda95d9ba717ae59698e98df0cc5ddb5391ce

SHA512
f478b18108b45aa9b08b416361a7d66c3e2003d496c95573b484532599c75f251956783ec052749f781c4668b38d7487e8d248f5eb8cbddc4e5fe72ff7ec6e6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a8f3bca5f2d680fff59471ffb717fae

SHA1
4478e7d93cfefe1207879271c49dec57ddbb9e1f

SHA256
2f120e5ddbbe1a5cf96483e778273575d873e3f4a4362360356b893d44f834fc

SHA512
54bfa1651033e333b9a38cd02559fe3021d0dad826b24e64c8ff1d12e91b33a96b84e48edcd51aa1ed0390dce83ca57c62f8deb6ab01a96764f1fda3894decdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9649.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar96BA.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit