a5ca7aaf8b5324b1414760517bef1517527f952cd1c2fac907c2f83d2e3e4bec

Analysis

max time kernel
135s
max time network
135s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_04.xml
Size

828B
MD5

07377bd1a13bbec7af35e95af89b4245
SHA1

d2059d04e0072ba94d4267e8c220e56662422fec
SHA256

8a2ef1ac06c3071986fdc48a0e16934acc6cbbe73b8196d33d3c17d15798ef29
SHA512

8860e198ca78c09d135afc0852dc995ddfa9fa104c2dcfa55de4f20a31f134ebcc6af285d2112e8db7c0934607917dff62349806c62f29cf755b8ed3f63ddb51

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000e0519f81792ef14a226bf1135831a01dff8890b673c2d4251ef3912af3d12182000000000e800000000200002000000052e99f1691ee6428ad186e2bb0b07db72617f1721c19066ffab31eadb77273f020000000db2e42c1faf875cb3e0abbe0fced23cb25388c3143404bef9472044059b87dba400000004a8070b1099eee5e1732414e68e5bb19a4ca0c55687406ee190488908b91b5257540b3fd5f9f90541a50b13372b31482b56a04a052df58acf15e4a0d22f54a7a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd82794000000000200000000001066000000010000200000007ded694423a81d95b013ac7450ad8de5e66a071c31bf378d6d59e40c01b352fe000000000e8000000002000020000000a0c58b08d158d2914a9414cceeb8db01bd6285f61c4e015eb0a43b2e3bc50f599000000031a56793d8c0312405b3c52bc520fc5c8130f2f16e6ca9dc4b2035696b5d2dc631dceb6ba85751c3850687f19400baab5b624985aa07ffc050da130519455719a8ebe414cd350d536d12658fcfac617e55dcedc18157ef5fcdf5c84f2fb2c6accdefd0d9513076f42cbf09e14ffc42d080f278e411f1c34ee408d5cb2e075c11cf40b398ebc6f4dd079d92428febeb9640000000c2c4d1dc1363cdc551cbf2fdaed56a017c6099e12f9091555c1129bd94fcfd96e02a1fc769b4c31c26b3f89e205d0045e06ec34f375e675f32f6b1c9d90457d5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{960780B1-3561-11EE-943E-76CD9FE4BCE3} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003bf16a6ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602242"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1340 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1340 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1340 IEXPLORE.EXE
1340 IEXPLORE.EXE
1904 IEXPLORE.EXE
1904 IEXPLORE.EXE
1904 IEXPLORE.EXE
1904 IEXPLORE.EXE

pid	process
1340	IEXPLORE.EXE

pid	process
1340	IEXPLORE.EXE

pid	process
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE
1904	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2336 wrote to memory of 2804	2336	MSOXMLED.EXE	iexplore.exe
PID 2336 wrote to memory of 2804	2336	MSOXMLED.EXE	iexplore.exe
PID 2336 wrote to memory of 2804	2336	MSOXMLED.EXE	iexplore.exe
PID 2336 wrote to memory of 2804	2336	MSOXMLED.EXE	iexplore.exe
PID 2804 wrote to memory of 1340	2804	iexplore.exe	IEXPLORE.EXE
PID 2804 wrote to memory of 1340	2804	iexplore.exe	IEXPLORE.EXE
PID 2804 wrote to memory of 1340	2804	iexplore.exe	IEXPLORE.EXE
PID 2804 wrote to memory of 1340	2804	iexplore.exe	IEXPLORE.EXE
PID 1340 wrote to memory of 1904	1340	IEXPLORE.EXE	IEXPLORE.EXE
PID 1340 wrote to memory of 1904	1340	IEXPLORE.EXE	IEXPLORE.EXE
PID 1340 wrote to memory of 1904	1340	IEXPLORE.EXE	IEXPLORE.EXE
PID 1340 wrote to memory of 1904	1340	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_04.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8d0a8e2ba743d9c1ebe403e24ccd2f8

SHA1
7bd2cd80464a3ec2cfa0729345e67cd5d78a1d52

SHA256
3a10fb5e9201c4521754addc581e445d5270cc1e635a54c65adc922aed40b570

SHA512
26aca3dade825224f93550a2d30c8fd71473480ba6343e344047c09608b8667fc094eae49c73e1330a55470ddf70d2ed1b6a9e26ee6c15445df547cef123ea3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89502abbfce11d26854e91707e8eb8d6

SHA1
0a1a90801ad81ec94e151d6078e398123e1dd073

SHA256
2b62ec8fdd05e576fb52bd85cce71fb96a3a8c352b78ccb5013362a95ce541d4

SHA512
45725de85c820bcbbd6b8ba43d5ce28d9a8303afe387c54498e5d8e97eae118a17651fbc754c0c395387d95c2bf6c75a70406c48a0c342a431df3e8bbf637802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11ba9afe0464d4ad8c0582b346c140a5

SHA1
336733cf1b0a5e0173d8cbe693345584ae5337c8

SHA256
54a5331adab771ba021796d340742f5e417b850c79a9375e376656f7745190c3

SHA512
2a53a526202b361fb144cd5126154e35be3355c8e5aa24e88608ff3a6a9d6896971a9646e7f0217056b22a624a7712afa31b9a1041e0fb785bc4c20c7ceffb67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
516581768186d99cc5873744b63fe30b

SHA1
5adcce0bb32374fdcae18bc5c553218692bc5fac

SHA256
5c6dae1243e7a2351b47e5714ec6935bc64b627b00767de8a4577e9d7c6fae65

SHA512
0bb3d4cd0efa5857f2cede4d799c86a35ab828807381c1e606ff4377b8e654d1334e92827c42f4dcb550161b61691e2cb1e0b4487b8183d392178179322d190d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8b57c36773b69ef129d7558199bdfbe

SHA1
122e17424357566337c770d3a08ce0231c08ae3d

SHA256
7d24e14b2c98a55c8d1f969ae4c18b9a9c45776a1f54a7c88f46470730147d14

SHA512
5170027cd6ec6a523116c7aca979a25f2b04467b2055da5b53e34a24abb1303c7e250db745d91a3eec56d9b264e789b84e4b7536ee24625127aef094a20b2c6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74a1fb55faa72b6871e0f25491d4de4d

SHA1
8f147410e693e8576317635fd3f5bb2ec9662201

SHA256
92fefdb0620986137affc3ad8779177102f2edb9f1881ac852fa66266057f8a6

SHA512
8163f9a2bde3b6c63c448cefbf22c5185c1aee7a35fcb84558e15a414e02b15411c86e2a30a06dfb0303623c9518cf28167f47780b7b329a922ca0c65572f0cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8405837a6e5d6a861aa5a2969aa824f

SHA1
4f21a559088e03dafbca4774e4a830f06792a510

SHA256
5df169bd4826038eb407eeaa4f04b87d1c10235ea6ecc2465390f066c6615424

SHA512
b6a0596acad22bc7e984596dae0ee6927299d001ebc3d492c852657083213a982ed306e8e479a6299e3ff8266705f28f487590c967f0a13eff9cde2ebc01b9ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17861b3d1c7769466c275f6ae115df37

SHA1
e31adebe913e569e4523c1787db342572080c514

SHA256
d5b3837c2e21dbbb593115d0b85fffe15871bdd89206bf8202ff067e6f2e3be7

SHA512
5a8c83c58a7cdf814b28931e21b7d9f7fcef740b866765073cb9a90c8844a5b964dda2d089cfab008833616ae31f1fb9f37e7351f4ad0cf1740cafef7576914d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38dffa57957be4ba373b5b7f089b2c87

SHA1
16869cfc38a815f2c9f70b814f9de670653bed6b

SHA256
36d4ccf63c14b4c9b86598cb3df432c85255a62a0c3afb74036bf3c9936c9156

SHA512
e3c5653a3f1488fcec37792908975e8c167bd65171c58243a780238d0d4654141b82b9800bc7e3af06481094d6d46a6d3d4ccba53b937a8746f1719c94837c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA54.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE0F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit