f1bcf62ae8af19e38cfa19809e5a65cddd9b638cce72598f053774dda76bf398

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_11.xml
Size

3KB
MD5

e41a669c3e6eb43159445b88bfa1a7b1
SHA1

ff4e96f609a5c54a7862cecf34c2a79b04201d84
SHA256

793f5fb7b34460a778bf61729997379c1d5aa95d86c8a54150b667d4ca4ff695
SHA512

5e2839dee1a1e3c317582bb168c4cdf9a149f4a6185d2bdc631ca4f1f0fd5749540198c58b14bc48fb167e457501d0b5ab068118c1f341628c17547a84c6b81b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 409e41bd6ec9d901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602380"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E857DC21-3561-11EE-BC1B-D63E05CE97E8} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd8279400000000020000000000106600000001000020000000baa434ea92610f0526df0014b1116db7921a1281ea06f474fefd33594bdf2384000000000e8000000002000020000000798909b6c33a7a1075d9d53f9db3ead2d683ab075df30541b1fc9462b400e91f200000003a32cd27dc7aeb3d9052888012eb06c46e7c1a2fdebaf530ef859a6be48935f5400000008a1e18a1356978c2c9c086040124e71516f4b45c33712f337c0b0095085acf8275681ecfcddcab2ebb21035176a2e41f9804f0f5d3614c905242c95dc3628621	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000dfff1b3a562844db5bcdd926cd82794000000000200000000001066000000010000200000002e00b896586cb592e23b696f343d524fdbc674d83952b3b7c7ea49048cf86691000000000e80000000020000200000003880d63b5711ece2f3354ddce21eebf535e2162c12d02dc14b6dcd1934550199900000003a9a381c367c622e6a550fa4ce32a32472e58593effda6e2d04197fc5f142bdc01ead68bd36d4b6faeba0439a9b409c65779fe6f73355c864562cc239b017bbd24cbd16032bb989550a5eadf4b20ea26761f1716f805b199186e9c482459e5efa08e0eb6c8ac02c5ad4be346a92fccc40ae03d065fa3b816aa40a429685e7d1804ba5fb3f1559f028a6a74420240e4cd40000000f1b2fbd89f51abb270382dc90ea25c8cc539c5033926912ad36a978ceef6d7272308949b67fdae8cd108e1269fc10c7843957d89114ed459850b0c7ee8f5cc77	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1632 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1632 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1632 IEXPLORE.EXE
1632 IEXPLORE.EXE
2400 IEXPLORE.EXE
2400 IEXPLORE.EXE
2400 IEXPLORE.EXE
2400 IEXPLORE.EXE

pid	process
1632	IEXPLORE.EXE

pid	process
1632	IEXPLORE.EXE

pid	process
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1772 wrote to memory of 2684	1772	MSOXMLED.EXE	iexplore.exe
PID 1772 wrote to memory of 2684	1772	MSOXMLED.EXE	iexplore.exe
PID 1772 wrote to memory of 2684	1772	MSOXMLED.EXE	iexplore.exe
PID 1772 wrote to memory of 2684	1772	MSOXMLED.EXE	iexplore.exe
PID 2684 wrote to memory of 1632	2684	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 1632	2684	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 1632	2684	iexplore.exe	IEXPLORE.EXE
PID 2684 wrote to memory of 1632	2684	iexplore.exe	IEXPLORE.EXE
PID 1632 wrote to memory of 2400	1632	IEXPLORE.EXE	IEXPLORE.EXE
PID 1632 wrote to memory of 2400	1632	IEXPLORE.EXE	IEXPLORE.EXE
PID 1632 wrote to memory of 2400	1632	IEXPLORE.EXE	IEXPLORE.EXE
PID 1632 wrote to memory of 2400	1632	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_11.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4c20889740eec5af6726115e31dc4dc

SHA1
4ccfe588cdd04c186154dc46ac34b31900dc87d5

SHA256
75a9043236cd8d11afafd246cbe41efc542806ee193a57cbd60c0c6f77b211b0

SHA512
649488f60bc11f79dbc4aa0b85705b4cfa1f5b86d98701260b2966de50ecbeec9d90e77be0324f98cbbc62660e052feacf0c66e29777a090e3c425fb0a4e2268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d99fedf5e8e9c13c85bd33c3f9b3e52

SHA1
3dee03c4a05dd641022a73cd5853e455013ba07e

SHA256
f937695f6a5a68aca742de98d8bbe67b43d04a6f72f65027404132acfa30d7d1

SHA512
7a4971ade928d38cde6f4d2f6cf1a258ed8bbcafb6a1cd0b7aed31765a2c5b88cc05ad21ddd8465bdf1eacb9576fc2c53a9309bca791f998b1bbe37dfd849489

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1fdeefb21d05fec8f9aeffbd982fd284

SHA1
b6ef6e5256d71094eda2350aa0348d8270097063

SHA256
83d91e770b4168ea36d06bbdc8b06665fbcbe8b6dc6514e4063f2413cee1feb1

SHA512
abb1874bf650803d28f56212a081ee418419c87ad01b13bd2ca393560de7c02873cb1a7ef10c8811fe11f54226492e7d61cf35214a6d9294aa366383c3a1e179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8205b1fbbf6a83ad20aaef80be24cd5

SHA1
a879eb892a7126ae29ce38e2ede77c2898d4854a

SHA256
ff604fec343548ad58a85c09cc5a153ca10e046651e1605282be5b1042838147

SHA512
92a6600dbef02e9b2f5220980367b6babd7aadc614132fea6db65b6a0b488a5f169d7f37cd2c217fe4c59fa12129823a0a68b8d39999a0e383bb3ada16c58bb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e89edf6489090731b5a0ac8be486709d

SHA1
96c6c5c55e35c1ef77b6c121824df4bf1e1c28c2

SHA256
f1c23066eec98d7c3a3c1919bd4a80dcd820653554137a2ef2397dfe0acbc7bc

SHA512
431820132ea201534f7b43cdd5b7b32dd2895117bc21be13cc61fe88056499632bb52f0af58e9aedd82ddf39243e483db359624c2d02a958bc19daa6d313b548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58e7e83d9327100fc68d63392e3912be

SHA1
af0efd7c643255557afdc79e566872e9dcfab138

SHA256
fca381ea3b0b4e7ec6eca8f7398a8212856f9763f40f787e95382762fb1e9946

SHA512
6dfdf41e0270a8446abe1bef4c8b63ce10c1872862632192aed6bca200125e96ac4db38717cb1b7aacc3172f9ba902399c8c7e9e8468f80359d2363fa4811f6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d9692aa07d17b8bfb9611f29942a0a2

SHA1
dd8fc01ae9d37a36aefa3488b74eba9cd0072858

SHA256
0c54d73724e3c56a3b6982263888860281f890b2bfbffe8938299532a5f43f9c

SHA512
862a1c5651fb6ef47d930f14304096725959e30e5774c5b7a5be54d1aa18fbe83952858a78aad839eab01e8ed7c2ed370dd6b42bd2fcb2aeb0a04043f0a577c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57af365f26469d4897ebedf47aa8d01f

SHA1
573b9a28cff330d7553e179f74b31bbe0167eac0

SHA256
ae55f561ced860fd2b33c24be12fd64945fa50a4ff3fba88b24aa269046ce91e

SHA512
283b00b4be1561d467d276dc590fee2b98767c18a4467192e77868337165c8c23964bf5167b5f32002db80e9ea6e09a4e493666351e808fdf3ab4fcfc80f4acd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b4724b89015d943ebe34a1b5101cb2a

SHA1
7756e986249344cc7fe95336f876e4fad2b798de

SHA256
1c518b5b64f1b37003c17cb42778cbbe6fa84d5b4ffc99f4569a0ac25edff867

SHA512
f393fe156a18628255d7eb96fd19fcd88238358960b596d60c1c486c0f81db5068b44967bd873d5e09e52b75fd0d1567be63cd38569073064533f01da8b355f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fd5455c9feee3f882b5ac929c502b737

SHA1
44af7768193273d7a6d4622e8683fdd92cb8034d

SHA256
4ecc25b077d840f8b35225c8695835bb5e9fbd647787dbfadd506526b220eaad

SHA512
c87f802ba1dd96901efcc4e093583f15901b0bcbe879b62b6ffae7204dba3f355cb5fc9018a8dede152dc801da1ae2fc40855f7fe7dc7ccb78cf6b7bdcfa8760

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80cf9abab2ee5cdff0806ea8d40d9872

SHA1
3176adc61091e7896ade44368db0ca72b1cdaedf

SHA256
466d7643f7cc0ef670ace905709eab3fec8fe239e1c5c8f6980bcfb6d8b52416

SHA512
d70e059f1d556840ec9a5e2f7c401ff60641099ecaf60cea1f9c5fb845afeb4091d1f311c992dc7cc595f2f8bb05fa61f51ca531efc60600c6ee6ad1309b8f11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db0f90a56e380e4753dbba67165bd64f

SHA1
45ee33f378da42a60009359c0cd14494d44b8ee0

SHA256
bd3792f6909d0932b861e4ddcf7b163860e19a71f019a6f4ae7fdbbfa043f8c1

SHA512
a214095d092a0b91be828289a4ac35da257fea40a9e9925134f65c171f336b75acfab325e0b57be1c829f427d76da6856dd6ce3285ab45d8979fbe46a4c27b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55ce4ed2c794ef669329b7042bfede22

SHA1
3bf10d5c0b11e5498e10b90b90b0cdc3ee1fd1be

SHA256
e4b1fe0bcd047b763ead03e0a254dd73b7cbc69abfdc1f57fe27da7be75d8588

SHA512
ee66a4c11a6fb7261a52c298e6a52c10f07c46023020226aed02ef8f34f410cc4a5414edfb16964efcc2ee39dee641dd33fb71be1ab6095377a72573484ade1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB7B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarECA6.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit