a5ca7aaf8b5324b1414760517bef1517527f952cd1c2fac907c2f83d2e3e4bec

Analysis

max time kernel
138s
max time network
139s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_05.xml
Size

471B
MD5

d088bfa4b1e206c8c5ed88405855f767
SHA1

1cc0925ff6a38384f466560cc86b1afcadbeb15c
SHA256

2f7924e1f2537622b8617a051765bd4fe57272e9f14a37f4bbe127269c522434
SHA512

d1ceda7c098a5934f1808d9b89bcb7fa8809a1f084e915ea0c12ee9070b854ae9d625eaccee3af3db5d50a07438eeb346b01ea73463fe5e34b988a7663321b79

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000009bec8019eb7235be62da75918d2317e2cec262fbce92d5667aee8a725fd063b5000000000e8000000002000020000000e9dde430341482e2a6d3eb7833d8d5c969f9e67bc3d378e359d871bf2c84c09f900000006fd516483d68cbdf21728bbc9e608dbf1abe9e45852f7076b9a6534bff6bc0bed58366a9d3afca4606dfa2fe402435d0f7a94dedf48681fdad54e0e2d8a5c6c76cace7472272f8bc5441e92112ee47a9a633d2d28c14e4483bcba793bda8af821b52a199de3c7e026fe9a6da6434ec96f2aaff4031c4d99ca7a9827764dc60e9dd92c9eb35cf3583ae4708380b32086640000000be0af3e801f2c30a191832f7623f8d0397ad2d73f2676524717b45beb6665adcc68fe55bdf29709f9cebdc61c335c43b33d627aa2e21a2612d16490705dd0318	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602252"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c0cb6f6ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9AB4CC81-3561-11EE-90CA-FA28F6AD3DBC} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000079da39297189567df07e42feebc3d8d568d341ec441526defab3c1c9c6ba54c000000000e800000000200002000000029171121abda105416719f9f4fef62f8f84ad10930e2d8ea21cb31a8efd0dcb020000000fdcbfffa03a6067450b836a71cfa107343d3a944cacecc541650a255d16d7bb64000000081b4a7bc1c0374f4587d267418df8bd6ae312a53874289d3dbb31361da18076322e7a957a9b30d63ac24ab9d2135aca3b80dcfe1735aef1ab8d0b8a5c05d3caf	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2140	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2584	2636	MSOXMLED.EXE	28
PID 2636 wrote to memory of 2584	2636	MSOXMLED.EXE	28
PID 2636 wrote to memory of 2584	2636	MSOXMLED.EXE	28
PID 2636 wrote to memory of 2584	2636	MSOXMLED.EXE	28
PID 2584 wrote to memory of 2140	2584	iexplore.exe	29
PID 2584 wrote to memory of 2140	2584	iexplore.exe	29
PID 2584 wrote to memory of 2140	2584	iexplore.exe	29
PID 2584 wrote to memory of 2140	2584	iexplore.exe	29
PID 2140 wrote to memory of 2372	2140	IEXPLORE.EXE	30
PID 2140 wrote to memory of 2372	2140	IEXPLORE.EXE	30
PID 2140 wrote to memory of 2372	2140	IEXPLORE.EXE	30
PID 2140 wrote to memory of 2372	2140	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_05.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5915c83050337ce4626364295704e1f

SHA1
1e578b64e9a5265fa2e86fd11e36ec23935dbe50

SHA256
12987704344581d72e3c5479328fcf727b3414cd73ecc6f388b26f05cf8a8720

SHA512
016dc7f272b335996f03982fec6a09e06e7765f79e7420cf5bb5237a0198192739355258ebec5ba80e6349a80bb4751b482b3215175ffd041570c04a54032ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1e96eabc5ba75d4df58caaf9d79121f

SHA1
573c8f197bd09a23071c653d238295f79a26e0eb

SHA256
afe88f31c012505bc5ff5357390a8b27b3a4b1bb3a8bfa3f034785480a25e469

SHA512
dae57340afb41760eee3863368b6cad61172dd19db16ce01eb0643de603298434a3823338e2730095aefe126c455063bda247a19109c038e642c325a2b105224

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab1449754b30d08e8ac36122b604f5b6

SHA1
719cb850b7ffd3fb01692efa2bfeec225e994cf2

SHA256
4a58c794c19d07eb3001242ee498bd3396bac69c4b756566dd9973dbd46dfaca

SHA512
4e5fa4ae958dfd002562b220ec133d87dca0c82081cd935def14d3da6bc46aaf514c17cb75aa96a062622e713ade27d4421055fda59d8189b1a40987bbbeca64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ccd2e67de47a4e8190b7590cd5aed21f

SHA1
91e37324977e21f72ad5716e591d30f677aee828

SHA256
1cf7c8fc503f4d05b314f926cea5d2d406bc25b4aabb704c94305b3f459448e5

SHA512
2c4c81adf2d918d5e910b09938b07484b67b5519cf421631295257db1277e0876d218696f450d9cf87985ecf7c9d4d5270541195b9154d5e49d31c17cad5c5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b724d52612ac84ce06f626ad8880d13c

SHA1
b65ad68e78780e39f1e9b8f3c6f1ab0e6ccc5dba

SHA256
3f37dfa6db14a505f5818c458c3d994745d9698fc4c36824c37340c917b1785e

SHA512
316b6dc4bafbd2caedd82fd48a847ac3f06e673baa60108e0ad25cd6f81bdca1d8aa453eaa78832fc20cb825d0828a42d251f8d812c23da1d830bc52fc1ab207

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d92e4e361c40c59f61671aebd6e7849

SHA1
f43da804a502a93fe378c641ff1f8e422e8a96a8

SHA256
3c54eb62c8ba5e61130c48583e75a30df998d4229ff080b6a63be48f37821790

SHA512
99ce16b900badcf679753ae565d0adb14f37ef167a7add84817bf4058a94d3ea99230bc31382747478b7bad74a912d40b4b800b1cf85601f6a402c805993196d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4acb4b7b62a49f913526523698b09436

SHA1
f75d0fe65235cf89188a2ca83fc33fbfaa27594c

SHA256
0ea0c00f3145ca7119649b029d1908e4e7c35a414c0eb1ddd61679cf574c0a50

SHA512
ea00bb6dddd109311374cdc0281da4c1a19446a5021b14c6e7f52a59725474771590aec37310ce27b1b8398a8b69479a86f5d9fce3782203ce1fd4283397977a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
014753df41b43275f3c7b32e5b307b80

SHA1
2cf0263c006534b691c2faf7b59106e05f7d96f9

SHA256
b952d1d0d60e4752df9ad1f2cd967fb5a02b19b947fd6dd41a4d0eff673c2852

SHA512
e21110eb0419612033c2976590aba3686cf154f482635eb47e54746ccd4ee4f8294eb15abd321b055b377452cffefee8c4a02a49b651e65cab0943f2f05144a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cca7551d09102d7319d1de3293bda309

SHA1
52408eea7d27c839cf91b77bc8126db80ed3c6d6

SHA256
f7c6b8aed49bc59501e963f658b80faabc6885e7b9071c8a6765d9d1b06188e8

SHA512
6001c3334107abd385744045cf9eeb52069f89cd2e0a7ee2300bd91fa10ccaa274333c1639849a196a4dbf9fcb950ce231322f1fcb40fd5c392a0a6b28a48154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8ce593ae8c4da31e3fe1a0f4270cbc1

SHA1
0b3b10b00d8e773de7d24651c5a46beea5a1ef53

SHA256
a16b2dddae58fc1a41e403dcb582f5e9e9c057e50858bac0926c06f9c9043630

SHA512
5841ddfb2dcdebed377807890ae40c26a95127538fac778543481b7687b84a3817e0216553c09c2c80d5d2ef564bc5efb0c9fc43ad78fbb47133bfc3a1997c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7f2a98a5b6a9f4bed3e7148f47761a8

SHA1
962bb2c3487e58817c9a20b93fb36a5615e1736f

SHA256
d42f59cf4ab5a664b1037e9f181935b849b5bedd72b8cf997a5b07add8a90c7a

SHA512
7620d69e82c3d2dc38e6e8501702a5d429a217dd262c691db862ed44e8abcc5f225455091292b1dd79ed0aa56e3ccdaddc60012d26a8f61ac12c6989fde1aacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA6CC.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA73D.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit