f1bcf62ae8af19e38cfa19809e5a65cddd9b638cce72598f053774dda76bf398

Analysis

max time kernel
134s
max time network
132s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_2.xml
Size

1KB
MD5

f804c3c0fc87fae049b25a827c8af161
SHA1

445ad3b8c8d54a5ef32b25289d76907b4d32c9a2
SHA256

f51e36583711e18097f4526a3303cec7efa3609f96c8051a5eb4ad0c003abdab
SHA512

bdded52d78a6dfd4dd37327a752aef85cb9235a03702fec858696643b5d884970e3896b737dc1f894888ae6bc4e5b8ea2bfb7822b3ecfa87e34a7f25ffb33cc7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602328"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C9294911-3561-11EE-8A66-C20AF10CBE7D} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000d0b09a65928a2b5a083d0e0f4d7dcfb3c82185536e48258256a016991eeb4b25000000000e800000000200002000000081bc14d84cfd52611d01acc8d75f8e520ba574a53e1dcf83e58e97dc3ceccab0900000007c29fc8ccf521ccd1ce24e11bfd8b3325cc9441618d229b6260850ff54dbbb00ed2ce84c2c8e1b1a8cd1191f5fbf5b736976a48a56fbaa0d0563d14e4414b80263007ea6a98d1a8dd72606a0e902d24c7eba057b7f814194f7a9be868cec2ff9256bb942df327d0a9ddb70846b59b1bbf72bf082a74921a0e0264459dd0a8ba70a8acc850c9d5dbd97dec309c20f23954000000000a733747eaf22bcba4a95779909f41f9f1d34e2e11b8057d6084c41f0c902edb5514f04e1aad72cd636be18bb02afc9c9738419946098e5ebb97b291a002188	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09efd9d6ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b021000000000200000000001066000000010000200000006cbb7485ebf728f7c95ac022f22df0f02c623ce925dd6663d6f6088ff8f13440000000000e8000000002000020000000148fa4eb8133449bd48625971cbc5da50bff55d5b4c6e3c907f20186d036ecca20000000404aebf1f2252160b1943ad2e5ecc4a0c5b098f298ab3b52c32e976c0ed0f9de40000000692b231929f4c0a5d5d08d2fb3a1a1bf3fdd53d29ec01bf21e62ed83dc114c93f76c1d493b48c962b3d3090db360f1829592efb8e5a8aa8cff9a662e5e782109	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2068 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2068 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2068 IEXPLORE.EXE
2068 IEXPLORE.EXE
3000 IEXPLORE.EXE
3000 IEXPLORE.EXE
3000 IEXPLORE.EXE
3000 IEXPLORE.EXE

pid	process
2068	IEXPLORE.EXE

pid	process
2068	IEXPLORE.EXE

pid	process
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2468 wrote to memory of 1660	2468	MSOXMLED.EXE	iexplore.exe
PID 2468 wrote to memory of 1660	2468	MSOXMLED.EXE	iexplore.exe
PID 2468 wrote to memory of 1660	2468	MSOXMLED.EXE	iexplore.exe
PID 2468 wrote to memory of 1660	2468	MSOXMLED.EXE	iexplore.exe
PID 1660 wrote to memory of 2068	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2068	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2068	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2068	1660	iexplore.exe	IEXPLORE.EXE
PID 2068 wrote to memory of 3000	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 3000	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 3000	2068	IEXPLORE.EXE	IEXPLORE.EXE
PID 2068 wrote to memory of 3000	2068	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8edd7c99e5dd2a5bdfadf85a839f9899

SHA1
0a3c5d0a1c8265a965df13bb4a262c452ceb3956

SHA256
4f416c7c44c17a036134882b3127165b16ac7c0e7f80c9249a40a9eb3a11f4ae

SHA512
1237664a1ea557aac7927132a3c9afa0cc0ab836b038509465a41ad94cb5d7c63bfb1e24250d60311f406f59f55ce5324bf73cbbb2f65b2c3f54742b59d0598b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
282ee9da871671ae33da784a6af4a8bd

SHA1
c7c1236f8a54d23187f1fd41127897ecba9d15c5

SHA256
215eb285a0b3a3fd43b701eae72a752737f21a74181d51906c12e42e02a6c3df

SHA512
b4cc8ab017459c92a9f09ff0dd78b0e82e965d37848b0bd5d8d1e7019335876d43072e66a56120d0888fed60152d363504277b766088df5a57abbd8a6837c27c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f2ea880a25c5603580c1e2c4945b4c2

SHA1
1ad7c01f29ebb510c55b522c1d53dbdc966ed8da

SHA256
142299b792e4d19d9184c40dba9d937c9d95af7134211b16914ede9fe13a1e17

SHA512
a825c8793cfbb6071a3b1f7914a4dfd0fcc1ab56189f71d168972367cf2a75d1a72578fa5bc24e73a4df008375a9c67002d363caa6a539f54037e40e98e86130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54773fe57366544dd70cd2c07db85ae7

SHA1
63e989cb45eb5cc212e87c824cfadb7edb7b53e8

SHA256
5e79b50f937001fb4b0d275fe8d62185c253104ed011a4742ff85763ecba4f14

SHA512
5233a47d087d789d48009911af0c9308f58ab1c1e28183f28c7236af0393975cd93d32a59f7cc5051062fef02bf0646263adc5d9afa679876ababd673ca9f23c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2fde758c1f8b2f1ac61e8624e1e62ccc

SHA1
ca2fcc86ca886c6eb1e5c765946be703f4fdfeb6

SHA256
d64d5b59beeb36d4dd7bdeadc8634dd284e960b7ed3db7487c5623c0614189ee

SHA512
783efea76210cae1127be77614d83d8fd8bae4fb8bc8f6f30c6c6984139966c9e8f4fdc28f3205fc491f3f6c8479966a951a3f4f0c0914ada9c947cde0bfa73a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab5da95b88c2fa4304f6db63b1b6b8cf

SHA1
2aa965f0bc0aa534dfcca3d783bc5cb19d1a1bef

SHA256
f9cfbd36c15ed0cd047bbfab66a99f6fb1c953e34c1f2a14f4cfd3219b9934cb

SHA512
e2ed7e70b2c24b52f9942c2acbd09fc0a5c5f125f47dd1471ac190014b26951812a498d37473b51965dc7abbd5b0e642e9dde56f56cb186b4e48adfcc8ac01ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d55ecf44c47b6a191cd659e30186e1a8

SHA1
bcfb024d653b6d7e72815b39f888b5f9145e8dcd

SHA256
78abbe4ae6efd91e74c51159e82077608253e83f06c798b32b129df46afa17a8

SHA512
6cb337ea766f3de4fe565ce0a3c391d27b49ce9c288d0ba8c6df6c51d98d5cdd6d1dfc29570d6c9f1a22e758708312255aa69c5d5044aed13b56d42bc2bbe707

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9112eeb5d478c51b0b76c78db1a3354

SHA1
2f52b7b248eccdab930e555d549cf36ce845b2f3

SHA256
fd3b5f1720a7c0eb91b02f7d6b56968ae4401ce7f4da95afe53641be463f751b

SHA512
3890eea18e912db2ac0be919703a35b07f660d99b7661145a63a38b53af5a321ada11e827eace1bfbdb14479d03672779540d804a8976ffcd35c8bea88ac6999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1410468970dc0cf12f914e3fa22419c7

SHA1
0907a82700d3749dd38199fdc28db4f57bb52c14

SHA256
3e0253a2f19e3c834338f02958918d90d9adedc815fb9cc95d43faab7e2091a9

SHA512
628032643d12a5313daa5bd5e3159265bc3aaed98dfff4a4e30912951ae48f6c202a1eae6763d5b282e57a7de0b7512aaabacd72fbb18a42df4919cd9ba00600

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3cbfaa3a244b8068fdc941979d7c4456

SHA1
d1e061d7c6228e2441810caa69c66f1f639d3e17

SHA256
288aecc2c67cbd74eec262ef58bff3890ea82f4d93980cfd0c76b6a31bf690d9

SHA512
df21cccce9506147a53e900e64d6c89ccd151813bb8c837e5ed10bea660b7aaf1e9fefb9d129a97caba4ece1fd1461ed67f76233caf06ee33f7e17a185d42519

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2eee55f694d41dd145193e679e2d4ffb

SHA1
b71b71cc066e4ad21d1ef6521fd2aaedacaf054f

SHA256
dda75e27d512e44cbaba0bd49b892f1a3b36eecb2d2722fb016d53a78b3a0398

SHA512
614014e7ce0ffda95dfdfe7c99009f4c4fbcbaac0c54f005879ea6c153541a45eb526ac0db2fa6e93f3a76e14be2a8fb6a14f1f39d0c4a61852474222ff9b29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab92FE.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar93FC.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit