f1bcf62ae8af19e38cfa19809e5a65cddd9b638cce72598f053774dda76bf398

Analysis

max time kernel
134s
max time network
134s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_14.xml
Size

1KB
MD5

033e166967c07c7cccb48d0275999169
SHA1

196dcf6448debc7d07953ea135dc0355688b1f52
SHA256

9676be618dc9a87f88e46a92014e554c4153b1f9ad97d185ec9e3dbec92ecb78
SHA512

933685c1ea659cad93e0c6c5cceffb6a1f05d201302b35e0aadfa714a4870c16d05ff4732b22d4499cb0885ee8aef263fa7ea0eefebcc6fc79c529f494eb484a

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000002542d97ebace3538727c69d8dd8258c6bdb5a9bc70f9859d3cdf81ae0ac0b591000000000e800000000200002000000058f80b4e74bcf276b3fe6bebe56c5a7e99da7d2004fa74050944e0eb2511b2fc900000009e76e1b67d14840c095425fbf148d7879fa2b8d6f5c1025550380d50c9dafc895d3f689bcb7dc51e7afe147aeaa399649c9af60dde488fa497aa7cfee359251e7b235e9df81a0443d981232efc66738a2b2491ad7d55126116a72d077c49836bc502425b1ce7bc229d3e010cf5af4a2f2edcb73e2b775c013b70f528775a0ad5c9d1c82550849c71974cc8c2c161e07c4000000026a2d0a2fbbf43409053e81f5563d856193052a8d99b6ca67e57ed70ce92af08daa0c313ee65c042cf6fa540cba8b7c076d5d2ef4688f9a85f5291fe028215af	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D2B9D531-3561-11EE-92F4-CEA1BEF6F4E2} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000007e73969c6634370d9e78556b6c9419402e02ffb9610ec821663689e6e37b5008000000000e800000000200002000000053cf67f593289e1cfc28ab5ab3991300d506c9035aaa80645fc7f37a398d8602200000005b6063a20d09f04da72d9764f75b83aea775798ef4fe10a8a01cb2878b397f7640000000519187c981c3234eb2be497f057b0c481240c60875041e470a1ee43f20e795287d81fc869164151e3b286a366c26e5efbba7130cb2c9920f37d8f1df1a1f551e	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602345"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207e6aa76ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1744 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1744 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1744 IEXPLORE.EXE
1744 IEXPLORE.EXE
2476 IEXPLORE.EXE
2476 IEXPLORE.EXE
2476 IEXPLORE.EXE
2476 IEXPLORE.EXE

pid	process
1744	IEXPLORE.EXE

pid	process
1744	IEXPLORE.EXE

pid	process
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2168 wrote to memory of 1552	2168	MSOXMLED.EXE	iexplore.exe
PID 2168 wrote to memory of 1552	2168	MSOXMLED.EXE	iexplore.exe
PID 2168 wrote to memory of 1552	2168	MSOXMLED.EXE	iexplore.exe
PID 2168 wrote to memory of 1552	2168	MSOXMLED.EXE	iexplore.exe
PID 1552 wrote to memory of 1744	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 1744	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 1744	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 1744	1552	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 2476	1744	IEXPLORE.EXE	IEXPLORE.EXE
PID 1744 wrote to memory of 2476	1744	IEXPLORE.EXE	IEXPLORE.EXE
PID 1744 wrote to memory of 2476	1744	IEXPLORE.EXE	IEXPLORE.EXE
PID 1744 wrote to memory of 2476	1744	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_14.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58f48cec8ff505927bfad4e3ffa30bec

SHA1
d565a1abcaa7ea12c4719f1fb4ece806b064a9cb

SHA256
1d77292756a32e1464f46bcb66a57c0bd56f9a0e7584f3f593e70c597cc83c7e

SHA512
3e58d93d1ad78acec72e696cac4428be3ebdf38115275cea897a4e5913bb753aa571983e47b43a96e450e780059b6623294d35d9e98dfd5aacbfd84944c92b84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed8decab0c8570be2fc6388efa68c7a7

SHA1
2db84d4478abc6f6bf9d46b028b3cd3f8e14fd87

SHA256
c8c951b8d67608e295f2a5db2becb9f1e43e21027f644a8b340dff099ae827a6

SHA512
8dc4c7b8799577dd0259f1501536bb7f3f6ad40a97df5beab50bd30e67a8a66b7cb88902e716e64261bb21cea58ddaefc0e272dd28f9ae142d88500269e5cf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a27796b7b03e3c01f7bd69ddfc8c18c6

SHA1
ed1f73019cc2e5c3f69eb7a2fadda75d67b9ec43

SHA256
35545212e8b1d30d2e7a124fd6c6bfc12a9978c0515a954380ef050c016e3aa8

SHA512
6af420bbc9f89945cc69f8abb7540c5230d4f51649e15440934ba721d886ea8d66b52c0298db2559c76b022238c1dc49eff1bc25c12550cfe1d447367ab934de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
887f8fa29a20674ca440bc6c8c1a16b5

SHA1
abbe7ad1a01ad3b9784a6c23c6f5dcb261b125eb

SHA256
4100caaacdad9e14e73a46555c49115c541305ac32c274063f9bf32e8d7ba570

SHA512
5c9159bf1a674ce1a0cfc501ed3918e3513302f4098dd6b1f51e1e1e200b0c019742dda3574f888e4f19b6295e3580b7720f6d0f9374ea7514e82fa2ceab8f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73d7cce424b6e0eab39f81050f6675c0

SHA1
f260889483fe7fff8ccffd2b644d7f76888a8837

SHA256
6ad36a9d9076cf4b7230ea4030894ce42c975e9c214aeb3743c4b66b99685fa1

SHA512
9bccff71ae453ee680d5b023b0c7abe4fd81c3169afc11f10a8c57a76dadcca6df56a711d30716aac030552b38efb1f33ec2605253ff8e27d5ea39736155a55e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4b13abee9939148c8292b64f21cfa4b

SHA1
8fa6f82b8434660d07fd67007d0a667ab2fcee1d

SHA256
25a539c709f2837602a48179e82212449bf9701c2eac45a48faf2b9f1c9514fe

SHA512
19f9cfcc9ecfccae16316831031105ccce6778f0c67201ad91055a51e0cb37e2713e71abde415bda7a013df3c41187febb7709f84e3e3e27cb28e5e0f0174aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32e1bd36b58db20b3fca4e58e5af01d8

SHA1
8f67b444abab41bbcdd9587c09c5ae52354627f3

SHA256
d4b2840926be57a2860ead6a0308575eca94bde78c8fb6398a4490b8cc7b8a2e

SHA512
dcf175f0ecd5f1ef954c78773e1c9f0ad057e990dda630d406832a162ecc0097a92b66e0f6fc0efaa9c17fb1437d8712a377e85a1bcd1cdeeb8017151b0a71ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68fb263f9cba0e0e2f17019efc1633ed

SHA1
30088fda02cc2cfc861cdfd7bee41cb4bb035df7

SHA256
151136f8bf954f666e02910c43840444e153c46f269e119096807632d7fb4ade

SHA512
d1ea0aeb3345c269f15ef87fea8c52a6ff4e4f659f14c26fb85bf1abee874c7927c306fa580bcf395e078c646184bc9a657c8d2225f41ac9d1c577de7a8ceaf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ae12d3d724f56fa6c4c9e3905f8a848

SHA1
a746f5a41fc11b8b08220135f4e4006644dcb9ed

SHA256
e249e2a80ef23a9fce64abd1080c0eae613e109364a7fae17930aa65b2706b24

SHA512
19277d87b496872d6c6ac1b096ac6d92117c19077fac8b9afe3bb8c4295d1d15b174dd5100184c8ef989dfda9279a590b36a240c2b458a2cd0352bfebaf27b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8de4af4a741f2151ec9b455b6b994188

SHA1
8af807955a5bc7e2b089f00b574cd562eaa8e8bd

SHA256
291ea77ae7c7ddb458aa8ae505bb1d3d9c27125094dda97c6a4494f37f56eab1

SHA512
3e1b25f924d4201ba9ad9dc1356f2021a1686ef1ddc187bc06f0dfdd91166f342766d772c5e7fc4694e3dda0aace88cd781b31a009808eb8e0535ae99a5e4e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAB6F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarABEF.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit