b6b59a54d67199717390a8f67751019b65be5aa791c2a605a564c897e21fe90e

Analysis

max time kernel
135s
max time network
134s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_11_shadow.xml
Size

2KB
MD5

a43eaf2037b2a882b41912e5bf68e3f4
SHA1

b1b73e482269c1c5370f7a6e4ab5a3b47d2c6373
SHA256

354cbc8433a0fb42c500fa7039f4c7254db20eb9f589f8866846f142c45d94c2
SHA512

5aa4640b5cc83376ae6f61c80bfe6e1aedd2e6eec2337f9478f4a5544cba6b1a09fd46cb4c93a8313d4843a7c42b498f610bf51ca90d476819088e8fd52b2c69

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{91DD9D81-3561-11EE-AF27-F612EC4A90C2} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602235"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002f8e666ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000d5fa482937dcb5563ead8588d1f819cac152b3f036636d01ccda736ec9137618000000000e8000000002000020000000a800bee71cb0fae5c939bbf134ee4a12479863f0801646b1fe0e28f56b6935fd900000001e780c4881bfedef3e86c5ac17f500185db24f1783a36496be37c1371227401e2ba5bd86871316c5ed07e14e02aa509dde60bddfb21947cfae62b61f0b8b50c8b3447a3b93353ddc6954712cca61373cc2c78e95753b15757980ceb72a0ef51f106ad2fa265bf54488c12399554fde4523f5fa4dff7d28c446ba0ddb62688d84d9b96552c85cfe96556ba05d844d69f7400000001e743c6773f186b15556f15f0e189536d8b7e212ff7bdc78b9154155914ee201acb32bc060d203d5c59df858e15d66f7b85742ee85a89a9dfc7eab484eff8acb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000a3aef10f6d19b7149c339c299e6a40749d75de36f3a51d624db40f40328d85a4000000000e800000000200002000000051fd2a306b8746be683fc007c4243f7d44b155e60e98ba5d222748fe003ffa14200000003fc19b420cd9aacba9ef8e975e5e714ed6cf4a15215a4bcd56bea71c3a532743400000001b77610e51b92a8ce8f78ec7b381ddcbec00b3c8b917cf47483d833ad638ec776c60659f7407cd10beb4545fa4b6919f92d1bd85163ea8e0b08023a044d46cbb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2464	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2464	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1012	1060	MSOXMLED.EXE	28
PID 1060 wrote to memory of 1012	1060	MSOXMLED.EXE	28
PID 1060 wrote to memory of 1012	1060	MSOXMLED.EXE	28
PID 1060 wrote to memory of 1012	1060	MSOXMLED.EXE	28
PID 1012 wrote to memory of 2464	1012	iexplore.exe	29
PID 1012 wrote to memory of 2464	1012	iexplore.exe	29
PID 1012 wrote to memory of 2464	1012	iexplore.exe	29
PID 1012 wrote to memory of 2464	1012	iexplore.exe	29
PID 2464 wrote to memory of 2996	2464	IEXPLORE.EXE	30
PID 2464 wrote to memory of 2996	2464	IEXPLORE.EXE	30
PID 2464 wrote to memory of 2996	2464	IEXPLORE.EXE	30
PID 2464 wrote to memory of 2996	2464	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_11_shadow.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af7fb74353a430a95344c4cc06706a13

SHA1
79fe573c3832d65ac2e25013d7185049e133308d

SHA256
2be0f5c071752309024899bbfb301db32dd5539295e1583b547fda08b77abed9

SHA512
3f8514368b3af85d2e34dfb990b05f89845b85af64cdaa66df0f3cc46f1cbff3fa095b2a67010511a24d081c1fccc25bb4765615caa5656b1dd90eedb8aa7443

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8e640c3223a9ff20073d15789379670

SHA1
eac7843f1ac6caed561b812811df4152339c2a4f

SHA256
150435c7d107f1a09dc43017a34e8e692fc68ea85069bd59905cb9ea69716a5e

SHA512
11340c66ea8abe51aad84deba0ea595b72128b2f011e0f2f5ecd20c73051128dafdf17fffd71f325eaedf89aa19842e5fe3223e5f79998cbb57ef2740325128c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a528a05c30d42e133825c6d8bec3ec1

SHA1
7cf3c73e726953838895a33478d00b44d5d9237e

SHA256
3c32c2179129dc4fe4a4e89a044c774e6daa0f60b1b3a41da16ec0e62e8e900f

SHA512
22c96eb30788853f3980763f49c8ef6cfc12349ea744999c633935edb251dec0ab67c3725a6356fc05e8d08b5c5ac4bd0de7a001375d1148c8e6df2d86b8ac96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5e76729e2bdaf8fdd5e81dbc9b28c9c

SHA1
444bd3c64f3996fa58c2c52780b31bd21d5a185a

SHA256
26f5c950a3232e94c003903cca2e131d1c8bd6b33ba71d86c5083318fbb9091f

SHA512
341bcaba7df2c253004646728a0b8176bb7154760182cb77466341063d2c8a60d0295261d6a4f3a1d85873bf7164cfc6785ce3172d2db4c45cce9f8edb3d2e92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bfc496c49dd18f9ac31355a5295116e

SHA1
6d116aa5a9e5837f892863a8adc3685e376bb437

SHA256
b55da720330ea04408c661e45688b4c2eaae94f08bb8de6b1d73d51efa17d579

SHA512
d9dfa386cc484286792be60882ba8d282f9b50dd7712317923fc5522cc7199e3a277f5a3a142aad6b2cd99399e25d73c1df9590db6623f78d04357a8d063bfc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08ecef87168f4622ee5b9db145573168

SHA1
6000319b53c39add28742f9be3fc55a9737e231b

SHA256
b1f9dbcd577cbe1b470b4f023fbd34a6249df2afc864d8a00335f694c461a65d

SHA512
cb83bdddb909630799528037de457b5046ad241da3810b1574db820b43728f2440a2635b154abd57a5b1f36b401c2288005c46e70503b4e618ece799e61db00f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d012224f7b53bc3c213f4695fcc1785

SHA1
791f01b729a7c6b3a6643db461f579a6f4d4e26d

SHA256
05b7a51b6d4b7ff680b7a7bb7e65a21a58969d8051a14cd8a4e24e9ec1a31ad9

SHA512
5161caa6549e60d627d32b9270a080ae2c14ab82db0f7aa71bb581150d411abfe664333254f8ad50ae84aad251a2c263904620a4d709b7d49d0076cd3c3214b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
677e6eae028af0f55d82a0762ef1aa1a

SHA1
d7cd90391420bea7fb452fdd8444ff7636861d6a

SHA256
6a6c6386ef69c20389d59bc234b0d63c04861c5b0a78d20cf416cde61afd7d52

SHA512
4a37d887b2bd4788869bf93520fa7876956ab1a4a8b093a55fd3a9651ebb2bb346912994c33d08525da546e27ca1ae8a230577e47af4aae304dab85b855c5667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6bfad4a6bf5bbe10437c367a27eff52

SHA1
881f545e029f41b2ede4f3b27281489d42079f40

SHA256
9dd356ae2834ec67aab7e490c1e9098b7ef08111103e24e407c99494510ff7d9

SHA512
775c4ac71fcdc09cd82628bc236ac7783c839923924813ca243395c66b4cbd4b245c02f220b61eb74d3f2c0667725fbc63b7b1d371180b965700a33f8699f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDDB5.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE25.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit