f1bcf62ae8af19e38cfa19809e5a65cddd9b638cce72598f053774dda76bf398

Analysis

max time kernel
135s
max time network
134s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shape_10.xml
Size

930B
MD5

5c7ef87056ccf6f4d25c2f3a6e1af143
SHA1

8537d7a037046679fad99e67289c5685d4038aed
SHA256

910edd6d58c0eeebc562a7c6834735d9ede684a8f2b21505245a56d1bf783d92
SHA512

ef40e245883ac049e6ffa3338bee672921d266f332e919cfe2de7d002174ad1f93da0081f226df787a88db7fea9ed0660785a2e495c08871b9a9592c5cc2bfce

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000006136eea808494cef28250c96f791c80f5e855b67da71588528dd1f8389895931000000000e8000000002000020000000fb63df18d1aba143be349eaf379359e210f7eedaeab79fb0d02afbd1ea0d256790000000c9630708b8fb48ad7730831b6f29ae56f6e281ebc6c87e0b418d9444c951160ff0f2cc28c82af161d7eb4b05acf218c25495cc71c73f7c450ecb7d968d3cb9ba0d4ed121474fa3807f27ccbae72e49d30b9eccc8a1996c4e67683a7aa83ae54bbb90ed0115fb388eefaca66964cc27c052619f8ea4f81845a63182b01e66e416f2673b04b80b9bad168be145c20365fa400000007ccc4804c223e3ca9df807157c2867e9599fca22d9e64f225079435d4b0638c08d200e1cea6151e20648181225e08a5090543e439229a11257672bfaf80f2e9a	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397602313"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a31a35914bcf84cb1db54e391e8cdcb000000000200000000001066000000010000200000001c869c001ac6624493c9749c0fedd27b065f5e6f75549d64a120a82b7a0c3491000000000e8000000002000020000000fc72ff9c95342633227b691a0a7b9f6e658401a0e1d1db7896810c7203c11c0320000000a4ea3d4a0e3a40f89f2f0b5ba4b457557b48c7786c8487c45586cd9b4a8195f640000000125615bdd2c2715931be3cef029dccc76cd07ed739e6073c7b44621d690b5bef5dff06be3c7d17c7ab01ff9e66d2ee746cc3255421269c470778f304b1b47624	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80cec6956ec9d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C0CEBC51-3561-11EE-89A6-6AF15B915EED} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2440 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2440 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2440 IEXPLORE.EXE
2440 IEXPLORE.EXE
2916 IEXPLORE.EXE
2916 IEXPLORE.EXE
2916 IEXPLORE.EXE
2916 IEXPLORE.EXE

pid	process
2440	IEXPLORE.EXE

pid	process
2440	IEXPLORE.EXE

pid	process
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2784 wrote to memory of 2380	2784	MSOXMLED.EXE	iexplore.exe
PID 2784 wrote to memory of 2380	2784	MSOXMLED.EXE	iexplore.exe
PID 2784 wrote to memory of 2380	2784	MSOXMLED.EXE	iexplore.exe
PID 2784 wrote to memory of 2380	2784	MSOXMLED.EXE	iexplore.exe
PID 2380 wrote to memory of 2440	2380	iexplore.exe	IEXPLORE.EXE
PID 2380 wrote to memory of 2440	2380	iexplore.exe	IEXPLORE.EXE
PID 2380 wrote to memory of 2440	2380	iexplore.exe	IEXPLORE.EXE
PID 2380 wrote to memory of 2440	2380	iexplore.exe	IEXPLORE.EXE
PID 2440 wrote to memory of 2916	2440	IEXPLORE.EXE	IEXPLORE.EXE
PID 2440 wrote to memory of 2916	2440	IEXPLORE.EXE	IEXPLORE.EXE
PID 2440 wrote to memory of 2916	2440	IEXPLORE.EXE	IEXPLORE.EXE
PID 2440 wrote to memory of 2916	2440	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\shape_10.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c91cfd1b6b88450f1c6b45b48af66b9a

SHA1
1e48252809b23d1917a6eb4be36fa1336114c510

SHA256
c1c7c48161509fb4b9c9657feb9f90fe2f387e3291032f91e3aa7d22c3a6431e

SHA512
10f8a10654e08fb319b496ea314a905320e3ceb52fb744c37889dcc42d28f46585031a703889d16f9be9ca88db7a5e050d50d2d40f5a9753c16ef1b3a8214cc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a539e61b9edc50fe2fdef6353d7152a9

SHA1
4e83f7f22128b861f517701c515492d4bf70a3bd

SHA256
194167e3f4cb7e0d782646412f0608945eab52063f2c62f957dd9d35b28918b0

SHA512
ccebd810151623a254667127598e52802561956cc17b234b33166bc99a6f11bfb51af816d567cd28f4a0aa238607fd3fd4f95a67f1428e67db671d1f35f3c09a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86ae0103af8aa7742a9fa704cf2d3542

SHA1
b35e245f8106615a2e4c0b63f733f174deaefec3

SHA256
7022ec8fcc29941d2592b5511bf9493c2049515000bab9a7df9e23390a058287

SHA512
d502509f03b1f7188f6337403e4016bac1b81167b1bd68431e687560957b6fedc3c4955b107ff645653772ca423bd4fde6aeb6f4519d2528e404ed48a0fa5089

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bffe8daafe54d2fbb96191f01cf219de

SHA1
aadb8f6196cebac3730b4362528c25a6a4143c50

SHA256
3600fbdf8170b639177cae60707f78637e7c2ae084571f067a9dc2f6b58f784d

SHA512
62b96962de5c81b5bbf8a7ebafda7f39205a9bfa4b17b6e4565e582c83c557c87ad28a93c9c53980506b77faed39f367390797ef44ece80fbe8f499d99795459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0b73f854f92be3252f8f9b5e483d5b5

SHA1
ed6143b1e960f12cd4cdada44d5ff92ad7134276

SHA256
72ddee80a021a624ea880163c786242cebe9b3af088a68018dd56fdd4486a317

SHA512
89113862fcaa36680e4a10efba9c6395f1ea70cb29c42e05d6836a247ef0be551b53f8f7f6c26f96a718b138e5382f8cbf2ad3a6705646a6c9e325c0c0a8ad61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afca4d760ddc7f460c4218ffdae89f18

SHA1
070e8d9d9641ec93fc77c8824e66ebf93e8b9822

SHA256
7f4f1c6aa7950e79ce38cd69b2ca3acb04bf868a7a09b8c6e234eceec6cc76ce

SHA512
585a111ba2c8a6a954a8ec876ebfd5b6659ec628372bb454b61ed6281e642d7cbeaef8be9e81139c15369bc9e4750548fc12fd757811109a2a201855bba1bfb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e3a2438f01ccc8355d972875353f015f

SHA1
bc17d1ff87f8898f33f98c3b5041c1b6f6cb84b0

SHA256
d517c914453d29eecb65caaf4b09ca64b8d034a6470772d91655bbd66c41cae5

SHA512
66857248d602661fcfb1ba44409f811a2b920578651d44871994ab4c7a201151cb9002f08be37e1a93b9d1ac2f9c3c4ed17f8caa8ed1bb5d5b76770331b45fcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ec13d386769a783e22c908e0a805002

SHA1
b922969402cb7599285b51835dd7c5b70db08f1d

SHA256
7521c788cee52ab931e16ae1246c856af2a5ba279a20dd2dcd6b69256ae678b9

SHA512
d01e9cd9b997f8357e511dd11d7f50f17f9fa8a6aebc98cd04f19f26b45c34165e6881ecf9502d5365a3449fe23af0fa0b26fdf8ef95071a404edbe15f33ee55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45c04a6fa14311b3f18ba655673fef81

SHA1
cd6db11e16ed24582979774d48d0c7e618148552

SHA256
f148bfecf2fa9b7a8d69323a08e6f194f2ffac4a40902c6565b70fb40284ea36

SHA512
f80bf172168d627e01dddf0af734a898a02ef08315dee8e0b7c14d4d2cf054924a63bf39900ec93886e14c3b1b114788f5617d7e3dee7766595d8c9c90632e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC777.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC799.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit