a5ca7aaf8b5324b1414760517bef1517527f952cd1c2fac907c2f83d2e3e4bec

Analysis

max time kernel
135s
max time network
132s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_02.xml
Size

871B
MD5

b1f4cc6d1c954e73cc6e7d8b47c4db8f
SHA1

986ea9addedb45a0d3c8c6c70a636e870959b79d
SHA256

0b0c35ce63044f7756cf201f5978f44c439805e524c365ae9949994347487b79
SHA512

77d46d25ddf91c010f69ebad82800575b4cb0be4bc5e8199bd5d877a2e6a624e0f455268d8f26aaae2f5180a3c2b6dbe8bb782017c6e342960c1e7a26ae43d64

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602273"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A926FAE1-3561-11EE-8C62-6AF15B915EED} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b0210000000002000000000010660000000100002000000009498df6d0a88b0fc575e6ddf79c2d170839a5ddeb13afd109c92f90ae6b94e7000000000e80000000020000200000007cf8738384214f0f3b826b8cc6972dbf7d901b5bf8b50abb74d1abbe988c3bf320000000c52dcfb5fdb8537f591eb1eb6f3e53902737b97a5a7294525e6a3b3996cc506040000000dc698f3890ebc0eeb98790b7c93feb6c5a15990c1be89767a4c7091002a2244084052a124a4b069ca809f91551f382e543b8254750dd682728115d3b381d5e34	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 802cf47d6ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000002552d12bee6a8c65734ba3a23bb136ddb1acbae06ba45dff8f268d5f29379bc9000000000e80000000020000200000007e4f9d7c8a298a9334f191856e1a46bba2d0bc7a092104fa69b7179b7306d86a9000000010ed94699e4ce84a8499de6a95eb5504220b9c78503a166dca206f30263cd799236fda767cbb2f91aa06c5b7416e77ee5535fea64737b39e8245958db8907e901b8d6dcee5f8aed76cdfd9d3517e45ef98ee6c6e2db593358c18f23ab8026c2001cfd4f2c04bc534ff06c107245284fcb514afbed9a555ae5adc2b3512f6ed1ad2f94a0c2cda4de5784bd391d0110fb340000000271cb77fd5c2d4913d9687e26fd73a48bfca19c263363a50f5f0c712db21ecce51654281951e453414646a09b4a3a2eb6ef869eca1ea0e87020121037e1cd538	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2988	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2876	2468	MSOXMLED.EXE	28
PID 2468 wrote to memory of 2876	2468	MSOXMLED.EXE	28
PID 2468 wrote to memory of 2876	2468	MSOXMLED.EXE	28
PID 2468 wrote to memory of 2876	2468	MSOXMLED.EXE	28
PID 2876 wrote to memory of 2988	2876	iexplore.exe	29
PID 2876 wrote to memory of 2988	2876	iexplore.exe	29
PID 2876 wrote to memory of 2988	2876	iexplore.exe	29
PID 2876 wrote to memory of 2988	2876	iexplore.exe	29
PID 2988 wrote to memory of 2952	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2952	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2952	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2952	2988	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_02.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be6f53f2a38a4d551ff120011cd87f4f

SHA1
961b6a2c0f26a505005d1730bba367b20741c6c9

SHA256
5b963ebd47a10065ddef62198d034170068b1f3d762d333110eec6627835c69a

SHA512
cf11d16e0deab26120dd1b17b865f84e5556aa35cae58b199c48faba93a06efdc71e72105a3f8250452e9cd93a9f11996df70dbf032de07ebfdce178a6b04827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dd0cdfac72b31b6a02fa55745c8dfbe

SHA1
8e1d3971e644d9f1caffbbb5911d266a60eda5be

SHA256
1fc91d2586d23ad399587c45a9d5d748d6c60ba32e6c60f064a7e4a675dd953c

SHA512
c4601a2431cafc467a2cd4f4138cb933662f631396587f298a39a3416c30ccc3f2a22e2033d7e5c4cb48e7fb85b9f10efb80f6c6cade3ebfb6c951b602e6debe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbd1a578f57f61ae8f7df20f43f90bfc

SHA1
5cf1a55e51ab22d4a4715511468a33129bbbf70f

SHA256
a28c870de4d91712b906c5432b822ef961b88ad3517fb4115c4d7a1f39d0aa91

SHA512
7a1d9f1c88fe2482b183edf5206e9c0c76e9bd25aa02eab32190a4a1bd8e171d07c1a4a03119c1902014b823c629f6eb0eb6285d1cb35b3282484c4c7b25c60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c0a9ed16152114f358b74112be3324b

SHA1
45817a82d88e42f7069d7c6a0105b658aaeefa8e

SHA256
7e01dde148573d2975247bb7b1e2f7babca02f500643459d9cc101c65568c59d

SHA512
da7984fb4407a3b8e242a656be701c6037c75acfe8bc2bbf0d683b5f84d7ce8c603c23d8885fdb280580a2fb57a0a3887daf57a500dda8345321076fa1862b7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
076e371f0f4df2d984a1c035e7afc06e

SHA1
46f27f2e0eb0b680d11ea964feec81bb842807a9

SHA256
a56f0fd9fb73c40dc08a9713878ccff551f1e1f040c5e305665ab9977e4fdb4f

SHA512
2035cfbb2896871c2e3e8b885b623035f5f7462607e88a7c46cdabcb3e6fb9f688d4a2493b96dfb785e9b3c66f9f2e1b2c6e8838573acd31c37f8825a51c0b68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c42aef61ca55461e0ff57dca969a0ac

SHA1
eb8c2dcee1d9da4631b4df9a7c8d41a254d67480

SHA256
cd3de60a01fe6a2115a933d453f084f71521e980026d4768f455dfec47ca4204

SHA512
c4218edd7b2b160e46fbe40e43e5b22e06b15656145562857d73cad82e5096857c0e88caea6ab017da251f6a3fd0e09c65c1e51cc72107767923027887adee0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d8f6342dfc3bba32e6635834e3603d6

SHA1
5a00083f4cd0e0ece127f49726883ec84fd6139b

SHA256
405c07629c731e64c60ce8172a0c7987e4c47f63b6b6a5154b84d3463aea0402

SHA512
37f6ce28dbaadbeee358ab3cf35ca52a5061c0f1860d4b856b1f69c9573a2444758c348e9262abece1828954961720825986e6a698741bff063087ec1c09e53b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03c48c241a4ba2680cf08738d3668dbd

SHA1
9c630b242221558cdae15b5dbe06d1575d9fd5ac

SHA256
7660a09c9bdfbd7c1d472cd240fde21d9fa64d77bd2fd20bc137d73516792031

SHA512
7e6419712dec10d8b85038154585f283028f055c329add21eb2f3178a371d8e37e7894c78f4d15473dd0b60d3389d4f74f8aba26221b71f7ec0d3339ecc5ada3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b4b2dbbb35203f90e6de54a6e463c0e

SHA1
038388f77c23a75773d044b9a2bee2882f5a19eb

SHA256
63b1bd68233e7671c62f40cf576d3a960e4fb7616b445f94c06576e5b9a37cc3

SHA512
d6265ee575fd7604d6d0c0afdf01dbb20c0f4d794aaf81e592f9d420ceb5d3d4255b5e1abc8f0e3c51344378949d2dd17688363eac3d5c3646e75320f027db91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
160f8cfa469f82d46c5ca55892270773

SHA1
87fc062e5870e695e0bbb5c1f5a42249f4ef5492

SHA256
691d93bc07da93a1c1fb013954b61ed0d76b16ab78a732cdb954ce709ce5fc6c

SHA512
95867cbc3cf885893ee313d2dcd40670c1d2a74311a76e8a62edac25a41a3fa5b02bd28e61b8c18745abdb211b5fea1aee25c380867a489858c3da243f190ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd05dd557bbd853662970e13f5285fe2

SHA1
39b3f1436451192f9365962008f58a80d89cabb2

SHA256
237e7cc02b1dda532b949f746a06389db07bc5d16d2d8d4371ef2e186bb7fd5c

SHA512
38b341669f574ca2f96d7d9347f87855cd37a293d51b0d4ebacff66a73108e283121227db5ee3646f3419899df095c8d492122360a7d1fb223ab4658febeba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
733b0a21dc213cf167a40e0f9799c248

SHA1
117c2137a17ef754d115ac6a6ecd57f477fb81ca

SHA256
07cdbd770113b15b7f51cc13778af575d4ce6555cbb50927bfa26f3baa4ae88c

SHA512
3f628346caa46526caa452d23b6db21da6d6acfc2b5e7cb95af9fba9fe86cbf9593372a523a2c5574e6034f6af48c820da28d37880156899469cb24a07c1badd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef2fba2b448cf68b75604f2849e21797

SHA1
9b229881268cd31bf876eb6463280d6f0aa9598b

SHA256
2439382dbb6eca3955940d7948d884b92664ceb9ecda39e94844d58751c34212

SHA512
d27f1606842062795b97b92f2e95d5da1c29bf90c9c382cf9144f0ddb538b86d5b08bd5d93deca3be417d4d7c8c9a8c1eee8965431b04ebdbaa83359fe684634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54df96be5528028c6ab86f7b682a123e

SHA1
3d9605dac270515e97f0c29872d88b71a22bf2a1

SHA256
bbf053a632670bddfb2bbb1e88a4df66f71aa9bc276a9f64e46427defb32483e

SHA512
740f2a45e535bcb240e1f57a027a2d485b0da036beb328de450be2da04cecaa2e42bc5725ed6e245d16e09bf957f13f6bb8c0d2b6beaefe284578ec2e358dc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9446.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar94A7.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit