a5ca7aaf8b5324b1414760517bef1517527f952cd1c2fac907c2f83d2e3e4bec

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_07.xml
Size

784B
MD5

d1bee0d28e01bd093c9ee30578b7fe78
SHA1

2a8fcb49d4d3db9bba638b7d28b4c4832f4b9509
SHA256

ac0512690b503d3ffeedada617e823d6406f3376b06f7b8f1f5db2abbc9a3686
SHA512

ccd64fadcfaa5ea02c586aeeac45e3169a685b4087e23f1fda26522b1286bba434b4431b337349ecfb1f3233aaf054aa8940ba9f03e973718d7a796da53d12c6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b0210000000002000000000010660000000100002000000059414db6c63fd40da7882c44b0a51a4d6a4728d2209e610d54d12a9210fef7e0000000000e800000000200002000000082fbbc32826781629bf04e231bb1ce85c3856d1ad53a1f10961b550dd056ee7420000000f7050161594cc9c3f04590d00af1220e11e8ca75e580bae07d3fb5545d6136bf40000000db74459d2457f387c8cb196621464b7689d36ee1ecb048c23ab70be86287e73f70e1f34c46d8dc11159d426a8222d6066aa0a766b12530a836ab0e7ee1e722f5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000000e458884064b7e98922a30a553ef2d79857e1ba32b42b9a9c2f955bfdceb0dd8000000000e80000000020000200000002d52a464e01071fc5742f2fa33350aef175c8c386947da2fbd3fe25d3a894e679000000043353393f89d4c6d5955bb85246099330c2c2d63a29cc334a1d013ef6d156137d5a8a74f4aa4a3c4699f73cfc627edf51e17136c45bfd0531671cea82e7c182bdbdb635169c17996c4d1151ad0b4d6e48de3fee5f881d0e3ce8de9b9cd303dc3ec6d6af472632a63a5e72a93eeeaa504dae898f49dedd91b39221480de52802e788e3a36dfc5c3c5f1413520f436c1aa40000000cfe9e6071d46b21f60c277c993e38eb764a1cca080b1324b53c1201705c1ce6c6f1aec9c4f51a02816049fafa62ae974723ec2f8a61ff439836007744c97a4ca	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602292"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B3BA1A51-3561-11EE-9242-76E02A742FF7} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906e6f886ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2908 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2908 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2908 IEXPLORE.EXE
2908 IEXPLORE.EXE
2864 IEXPLORE.EXE
2864 IEXPLORE.EXE
2864 IEXPLORE.EXE
2864 IEXPLORE.EXE

pid	process
2908	IEXPLORE.EXE

pid	process
2908	IEXPLORE.EXE

pid	process
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2372 wrote to memory of 2616	2372	MSOXMLED.EXE	iexplore.exe
PID 2372 wrote to memory of 2616	2372	MSOXMLED.EXE	iexplore.exe
PID 2372 wrote to memory of 2616	2372	MSOXMLED.EXE	iexplore.exe
PID 2372 wrote to memory of 2616	2372	MSOXMLED.EXE	iexplore.exe
PID 2616 wrote to memory of 2908	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2908	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2908	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2908	2616	iexplore.exe	IEXPLORE.EXE
PID 2908 wrote to memory of 2864	2908	IEXPLORE.EXE	IEXPLORE.EXE
PID 2908 wrote to memory of 2864	2908	IEXPLORE.EXE	IEXPLORE.EXE
PID 2908 wrote to memory of 2864	2908	IEXPLORE.EXE	IEXPLORE.EXE
PID 2908 wrote to memory of 2864	2908	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_07.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bc4580187c93267b4b352f7cb94d9686

SHA1
70c995665df944ed510a4d706ff9fc57fb67a970

SHA256
1c3fe6aaaaa2d7b38e4e45b8d16f976b9f3ec0fd33a4cc1c165c5ab0797a1bcd

SHA512
a0ab902fb18d2ba198e2d95bf0783ad9b27b34a9889a0fe1ac338f85710a9499f83108ba1a2c803961a357f682ab8c7003493191c06bb3fa4d199105186eb49a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fddc12678b5064e34d6bebbfcbd96ae7

SHA1
ddf6f059f0d7fd08ac26488362f3dce8a22be0e3

SHA256
bc370c85e8479351bb438bd2491cb6dd09162d37d047cd1a749d4bc861080b1f

SHA512
688b7c7b67956fb672ce0368ce69089850bc3ae8b9034673136532867c441ead9f4b17620e6053b5aa5141d176f8a40926c0134bc13867b8e2bcc88d0cfbe263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c11758faea0be4ee1af03055741cddaf

SHA1
7420735d3b189ded7a6c918bff51d4c3b1796f51

SHA256
a17db974fad9a9640940150ce22b077d3fb3da4ba9ad88716c6fb84ed3ca0483

SHA512
4430acbae6d754880a3d7282900fb4ed40b6dfd68044e2d2edf5bff905b9cd9da8c70a3c6e4c224e44145bca15ecafb7589e9791f54d26631aa3bddc5afdcd05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8af943c2078bb910419a8bc4ef02e727

SHA1
d2e9a17eb59d9498d875caba43b94b25548f4ca5

SHA256
f19f1459fdbf20074e7a2e23e015d3ae2c84835621dec97637eb7be91297d346

SHA512
f135c80d504ad25274182e9ea44145150d3ffbb4eadfcf67c84141e91952f115cf5e2cc0448b0d7fa800c3a251ea8a97a7db2586df2346053903f0fd7c68d419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c6be985fea117684ddcd4fedb82e1362

SHA1
8747d2d5707ee108cf82df8663c9b2b2ceb9617f

SHA256
d2fb93af063683b7299025d57f230f6035bda6c156c7beefca1146a40b96697a

SHA512
3851333ea5c0a6411518b637553cc0a966fd79d7de49c0bb806728f9dd4dfb236172acd9147659910b0f1cd71809b2a131284c2ec5f53c7e24360308de2c2674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
975455b0d4318dcc422e12990fadffb7

SHA1
fa38f9e6ab58c48afe2b2d75172395fa7d003d76

SHA256
9fa95147b926af79bcca2aac543930efde16d679a1ed36ca70d8b3c601b9aac1

SHA512
ef1f74be0b14de26ddfc0f6e4076ab39187d07bb0f6a775bc23050871f135dc8621e97e697f8441c6503782f732cde53440926618932c4baa265107fea5519cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2d8ee04bedff56fc5952910e15ce7cc8

SHA1
913872ddf54d38d2e8c57e5f2d1c34339c34c455

SHA256
f43c2d3721f3acfd181b234ecd2dec815c81d535a52705de7da389811492aade

SHA512
933509cf18da56dc2e93702a2138e2a3cb8e37cbcf28175225cc8927fdd94dc77c20c8696c15b34e12f0e7cf4493c5cc4acf8710834eb681a165399e4d40ee08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a375aecd33f417f52c743a271e64582a

SHA1
625de281baef99f2d98cb4ae4e5fa6ab3f5975e4

SHA256
f0c8204033cf765ef11b20f03053d432c5764ab26c8d92b22be400be7d3f4519

SHA512
38d6fb149bc9cf0aaa951e67a0427992b540986d30276e387af126ea7907a40e482f2016ca9a017fc96702490507bb1e6bcc6d82ef650451d40be5fdbcfdae16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8227849b0e743ce111f5c0a546888528

SHA1
69e0facf7ea6edd5d3fbcce802083ee8708c75b9

SHA256
d387ebca2d5b4fd90e8efee7a78bd7d61d0426514acbf81e5cb3360c54d925f7

SHA512
8d7c20bf2a472b617074047f30b1575ba4464276ce4d38140788e599c9616e8b6c41a631753b5986165308c14296227b17145a0251f82fc63e538bccca68812f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d510b8d21ecac2250c6c69632657d57f

SHA1
ee33584b8af152a2a035b12d212e7d95d396e517

SHA256
0b1bfee1b80dd2a7ae89dacdf88a0541d4937b66d3d1b8c44d10ab122cf229e3

SHA512
62fbf93752f2ad709ee30964694374c2a8e5852d7bed815fb4b55a644b48eeadb66ea7b8bd42e652b5ca05e18127a9a275b855d24d0d7b77f0e6c61720711e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E07.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E48.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit