332231ca3fb405b7621611bd22e7016cc73c32d90318753424ca598833775d76

Analysis

max time kernel
119s
max time network
150s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_shape_2.xml
Size

4KB
MD5

6dc1e0aa43dd2a582b24b6487605fb76
SHA1

c403b4c464908b8d740d03775742fdc72a6e8327
SHA256

f6ec4c71c9e3ebfc1d23691364cc5736a12c3180ad35e55f4f9dc0fa3ce03669
SHA512

3cced4fb52552f26f35eac6eacf8fc408b6f5e251984f486e203777b0889261db83ea127a97b5e53c246456c819b23b6d6209fec1bb3a6df5f173e66de370ce2
SSDEEP

96:7OKfvMkrs4v9rTicBaUTnpI5kS0nvVfiYPl9Cb7dMM/SAWicJPjiBwlH:SoT44Vp3hrnvVqY99CR/SAWicgwN

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694439"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60af841245cad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000e2186eb869e96d0bf4ff5e7ccffd7467ceb013b934698b5b915075ae53baa606000000000e8000000002000020000000a7d70dc86e975d2af99e8cbd5bba535297eabb887749ce7a60b79f7758025a799000000002f21d4832b066af7348f6ba0ac964ae2a6b245b003bfa59612678a697262b6dbdd9732bfca21bb3df42df558e5becc89d0ba8fffb8f2c522ec2aec638e609154f47ef2a31f88e99aa349995e37c3f1c6b8ccafabfaa53e63d3aea4734d65596b223899db9019c6b0f0c03562e82f980079790c896b7799e0b1bc20c0a4d0e5371d79cba8786be85c81f503e63bf1ba8400000008f5e078ebc1ef3bc7b3dfcf2ce07c4b24a0d37251e609daae19c4a354793da1a4838d4dab672b39fece6e5b0f720a3e61d55e810c73ab88f92c5d517da8c7f3d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc6300000000020000000000106600000001000020000000944bbd0ffeb11541d2bec6afbd68665bf8bbd7fae7808a302d5333b42ed8ff46000000000e8000000002000020000000f9b9ed51eed0ed20431656c477142427970ead87d5e703d0f3ac3311e4c350ec20000000773b4a0527376652f52be3e94fb930d3013be50aba973b7655a51ca76fdf88d5400000006488220f7f4e915d4d224cfd16874e183fb96d904573993d11cf167ec6f5f4ed2b64a117bfd93717da9179c409c86ebbb95d86cdc65315eb06b0a85c1f7c2255	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DDB2A91-3638-11EE-BAAA-EA84BFBCA582} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2208 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2208 IEXPLORE.EXE
2208 IEXPLORE.EXE
2852 IEXPLORE.EXE
2852 IEXPLORE.EXE
2852 IEXPLORE.EXE
2852 IEXPLORE.EXE

pid	process
2208	IEXPLORE.EXE

pid	process
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 3068 wrote to memory of 3000	3068	MSOXMLED.EXE	iexplore.exe
PID 3068 wrote to memory of 3000	3068	MSOXMLED.EXE	iexplore.exe
PID 3068 wrote to memory of 3000	3068	MSOXMLED.EXE	iexplore.exe
PID 3068 wrote to memory of 3000	3068	MSOXMLED.EXE	iexplore.exe
PID 3000 wrote to memory of 2208	3000	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 2208	3000	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 2208	3000	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 2208	3000	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 2852	2208	IEXPLORE.EXE	IEXPLORE.EXE
PID 2208 wrote to memory of 2852	2208	IEXPLORE.EXE	IEXPLORE.EXE
PID 2208 wrote to memory of 2852	2208	IEXPLORE.EXE	IEXPLORE.EXE
PID 2208 wrote to memory of 2852	2208	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_shape_2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc2da30f7571313a8dadaaba62bcdb2f

SHA1
25411ac6437826adf1d685b5eede59769a1558ec

SHA256
d0ec84c9cf2de1dd5607a4601b9f56f537806307420a068d780982425b5cdae3

SHA512
c6fd2fa9b59cb3ea375801528ca0cf922f5d0d5dd11357ad1f73cfc7792f22e68b85d0dd5f4eaaa76bb73fe1eb7ef28e90526b394de89198651f495334b771fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92d1f873624cdd097b571b5a96ed484f

SHA1
1d2b470f63199758794de6bde0288638faf3fe5a

SHA256
f92af1e596f127fd37d720ff05a0083035d7093323de302bc237e8c365a500d8

SHA512
77aab8e86e3a054be8e7752e69c5932e8a312b6a089bd3b610a8a3811d7d04b1dd36b25120b06ad44e866355f130e075f2856b45e73047974231ecf66ee7c3c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ff6cbccbaac9c91663c8249d4bbc8b6

SHA1
fdc0325b12ed90e1cb2389b483823d2fd5e20bca

SHA256
d5f7ee8fec86e9356b741bad366598dc8fb7179b4eeb70585e87c4bcfe1e1798

SHA512
4522294ab4a75160d6d0f471a3b7d2f09bb3d55e3e62de7fbf5ab7cdeacbc153f93a53655d7af82c6f5799b9f726fc4b16596a4a144d44df84697cb09d828d98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b44145034ed27aeb1a5219f78e55548

SHA1
ae24b709a22ca82feba102d615e82f1ba1e872a2

SHA256
9ba64d9f8df680a3779ce3b1e4e020eed46908edf586401891d2b837c333d4d6

SHA512
7c251772a63d8dd6ab123f4dc348233754b655a72d2b8c3920149f5e7d1afd9e5f11c3420e13111e727bb2a3921363ba24cf1b0a4e8a9498a9cadebc7b0cc8f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50dee53ef5907fa910d974c3a743fb1e

SHA1
2417d2504f06744747bdba1a0564f378eec2f16b

SHA256
f6fd859751c847c3f7361837ba68f9b50ae1f2945a0ccc28dd880479bf0ea1f2

SHA512
4e29c96a0a62007782b9836cfb393fa7e1589dae7c664558ceefaf7b4306634a7507cf8aab21d91f4c15c19bd60f119e4a45de91267d6e465695d90486f9f619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a32cadc554124258cc2be26ffd8178f2

SHA1
c22095bed47e586dc45ee26d7718f2ac53b2c651

SHA256
237e90843ddf0f9e21a27e07d77ee43b1008dd62cf6bdf9da5d09b358857d886

SHA512
d34b37205f13ad417a938a0037df85b09d448592d2f37e8c2c6afaf027713a8faf1e04a6cca577ca33e71494b0fc72210c1ab85293e0cb8f711f489ac2141d4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58a3a34d4a01656cad86657df689b4aa

SHA1
b87a545331043dcd8032f715e1f9d74e9cb3d8ae

SHA256
ba0ec1cc6dbfd868a7401cb7f66cfdb5d4c1bca9bdbfb8b430d8434d36580ebf

SHA512
3f2ef7687794e00354787b38296770641619c60e6e8d0e8575c12295f4f38a9f5d42ce3d4dfe1771d5d52f43e91e5655d518d1312c0b722da17cf135227d4f22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f35ff19857a4626694e8174496cf2dd7

SHA1
436441f5f17d7348a41342b45bf4567fe9ba6fe0

SHA256
39895ed96b7e67b037e1613833e6ff49a65d7e9bc43dd23f185c29a1e71db2dc

SHA512
635accc6e03b08abfbf90fd0b52aaacc7fe1283c543b97f190a395d05264db1bec70c43f69c55ec92c7d509914db70bd92cc5fad20b290e5a1c95e24b9df468d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e63e9275cec1fc515c8ffc1df9fe148

SHA1
534020a1db4f3cc9148589e8fa271e9a663cf38b

SHA256
ccdeb72d9acb2f439348d4e77fe292efefed02de5fab37ed7468edbbb99b422b

SHA512
4f5ec84b2936b25c14bbebb2784d1396e03863978ec5399b95de5550540f188d96622f845ddc144c68de7c50be99aa1ad0e1d88792672eea0a883bcfb82d9d1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64b3f1180ca70f903e7691ee58e48b45

SHA1
643e0807a8a7f2b8789b6636f4a69bf6cc53e70a

SHA256
04800cb6031b5bced5c0c22535a160e2ee2fdf4f349a8e51c59d3f130a262927

SHA512
cbfd823e430527c8ba7fbf7c13265197492d4b4259cd6806283d5124235de0d497e26779b19810aa10a8076d5e310173a4ea87c3421a3553b4e370623e326265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a1e5ec4d19905eac24179b206d0ba06

SHA1
f087a0a769d0db468e8e62c5611b196e41e49cf7

SHA256
fb1872980ec5f6634c55c2bd9248ad4b7b158ce97efed5aee904d4c354eb9a42

SHA512
a1b473cee2348ae324e5a1fe8d7f28637a84284284097b47a4af38e4713786819d7fd49702b82dbea7119326dca069d12999e543f0dbaef374156f4cb1220f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBBA4.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE27.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit