749d18b3f9c65379e96a28db1af0a52a4196749682a7b4e1c00cf3fd37498171

Analysis

max time kernel
134s
max time network
137s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_shape_2.xml
Size

4KB
MD5

6dc1e0aa43dd2a582b24b6487605fb76
SHA1

c403b4c464908b8d740d03775742fdc72a6e8327
SHA256

f6ec4c71c9e3ebfc1d23691364cc5736a12c3180ad35e55f4f9dc0fa3ce03669
SHA512

3cced4fb52552f26f35eac6eacf8fc408b6f5e251984f486e203777b0889261db83ea127a97b5e53c246456c819b23b6d6209fec1bb3a6df5f173e66de370ce2
SSDEEP

96:7OKfvMkrs4v9rTicBaUTnpI5kS0nvVfiYPl9Cb7dMM/SAWicJPjiBwlH:SoT44Vp3hrnvVqY99CR/SAWicgwN

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9DBE5F1-3637-11EE-A8C8-6E9AB37CAD16} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1071667e44cad901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "397694191"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000d49619eaaf494786787423ecd176622d6e8fd226f9f47eff074e7883aff5fc9c000000000e8000000002000020000000f60745030ea3fe48d6be13c9a592db2986be6031849b3baf14e873a67ee4ce2e90000000393d0ab0fadf53be9be2569e09d88808ed5c2a9c841952d580beacfdf97bb50a4e9349a819d5cd951c8316ed515843ebd22091574f562f1483598d0f8daee8c214efd51a6e91c7222879963e48be3d7845a1a823a49f9218577c6778ca0662a6f3a8f898300d928477eecc488cd03ce583c67760fdcfe479f0ff82e5036355f2b8bc28ed7e600b391e06f330e451ddbb40000000a6a688c021e4c32efe6e62032f4c4790b9f3f263e3ea0053145933f49a3fcfe454950badde138355de8dbe21696026617d464cec0388de03deeb712e11d82093	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000cd18c9f1421d4bf0d169d7dee791a6c176cfba459b1453752d51a5e951252cb0000000000e8000000002000020000000e75fae82a7631083790bf96d433673b90996caa51c88962f0c74b5edf30a5cf120000000e18e3ffd9cfb85d9c77e9d8f4c5d83d57470f93b79bf6d96d32267b8feb15030400000008ad4fc67c0e4961f139920719d5451801897e7af099902cfde7a69d5a0f561bbf1689d2a554bc633e6f9a1f69659013c833b934630f47ac93a31a91aeec0e255	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
320	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
320	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
320	IEXPLORE.EXE
320	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 2380 wrote to memory of 2600	2380	MSOXMLED.EXE	28
PID 2380 wrote to memory of 2600	2380	MSOXMLED.EXE	28
PID 2380 wrote to memory of 2600	2380	MSOXMLED.EXE	28
PID 2380 wrote to memory of 2600	2380	MSOXMLED.EXE	28
PID 2600 wrote to memory of 320	2600	iexplore.exe	29
PID 2600 wrote to memory of 320	2600	iexplore.exe	29
PID 2600 wrote to memory of 320	2600	iexplore.exe	29
PID 2600 wrote to memory of 320	2600	iexplore.exe	29
PID 320 wrote to memory of 2804	320	IEXPLORE.EXE	30
PID 320 wrote to memory of 2804	320	IEXPLORE.EXE	30
PID 320 wrote to memory of 2804	320	IEXPLORE.EXE	30
PID 320 wrote to memory of 2804	320	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_shape_2.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61ba5802cbbd53c1b4964b023ee1dfba

SHA1
d52a30afcd46618187d2285fba38bdb4b16d465d

SHA256
c4f9508eaaad9f58b698b3ae593e07160182ac48f64c35553d190f86a7c0b79c

SHA512
e13d2d99d7cf4d1b88c6f06d22a359cde6b6bb1d8007e75d638a5f06d78a5fb3f99b5a9c639f74a93ca69bdd4d55a4b8838e965df9a389eab78710e08d25184e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7150e2d8ae1fd43a18c405ad1345f8ba

SHA1
affb08192e44e64fb463c79f05100853fa6cf44a

SHA256
88582b99cd3534ee05c020552ad3ef6b00b1c86d4da95754c212ca615229adf6

SHA512
48d345ce63595d208f796f143a42fd291ee7828a4c3169432d015578e4d312529a4ce1c7bb5c9f5bff7cb6f3708ec5f31044a61498d79a1ca0a1674b238dc81e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92a95ee28ca7eb98e99b35e8d5b0c0a2

SHA1
e491ff4f46e756469322ab2c9d55b0b82186287d

SHA256
8d8c58f001356090dcb72f6e340ea94447659bb8a9f20874bfc19700e493a6b4

SHA512
dcf78e423fb781ba1965f4c7cad23fe5dbfe12ff71d4206cee88a92a4f7caee42bba4c33463c7c76f91f8a9d5f0dbd858a9c4c0921e2e646ad81cbf40b9544ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef6f0f8a603b64c8f2b78353006bd773

SHA1
6b27793e6ed4f6b1fa27e136bde501df62f034e2

SHA256
2acf0bb2b11ef18e078156ee2ed985315ab8e64073a4f057f8301264ffea7a7e

SHA512
bbeda2454e4c97d27a68ee882a12674a07056aa555517fc4a6533be2fb5d8877d54d4caed20d8e84efe13fbcabd1624c10bd7ae4d3051c52a9406f88c61e6a44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd25967bf4c3fa671fa7f150e0842737

SHA1
09e8db74a0a4a7dd50e99f5995135c44fb2736a4

SHA256
44d1a1c414817790c655dc3315139f8bf3fe64262b67107978dc7564e685fc3d

SHA512
35335b8530844eeadba797b54b7f62359b655a1732fcaa36b74acd3ae4ddaf4a8a5a42925ebfb7bdc36803f1abd40c4259c20ff70ac6a579994045dec3fe454e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7893cd61b66d70414fbc6eb851cbc831

SHA1
e388ade4c5b5b5ccefe35a86dddee17ab929de9a

SHA256
868aa68b2642e639ed33803a7298995b35cefb4f90cc7c66cf2cfba78f0fe2e6

SHA512
732e52ebd6a50f176c1f259c9c69b78e9b1abcc845a0767d63e8a6825dcf7ebc16415b7b4fd8d4cee56065649a89b29fdd79bbc4855c8facf87f1e4e0fbca646

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6322d8db81113f846a319cf05aa27860

SHA1
eb0bf455e853b1c08b8451495e28aa8d7e1fbd41

SHA256
7ec1e32a0dcb25552c39515465640db45739bddcb44babf6ee386402471c6221

SHA512
06c4b4b2ec8ae9552c1410c7bff6b994fd20abf5dd48fba79fa915f0fc4e7d5222326909077d9ee7b1aca3b9543445715654f2c9910b964e74a4161d507482f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72d093b45acc8e02b6e3ddcdc73930d1

SHA1
96682e2f6680bcd9a21a03b688ee73414dbfadb2

SHA256
0999dd60fa042f6240dc0ffac9e3f2caccf4d47ad64d167437a95cdf53aca862

SHA512
6705869d6298608a9b2e496983a05a19c5654f62f28a41a5909fa30631000e3d93af1f5913d51ecfdf636578e1055e73f0fbaa5fb159737533b1a8e3cb268090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98da81bf7757e32b120d49ccb4ff5836

SHA1
04aaf036792d35f0b399125ae72fd6f61a030765

SHA256
e8dc92d0db007dbced6b5ee51751d4b7aa29ecbdbe92ca085f85fe2e9ced3f4a

SHA512
ad5a0bbf6ef2ecac74af25a62d6ff6bcc38521faf9245fd40df21758b38051d2532fd5612876cf337bd597952b2f75e5a25357a298359f71eeaaef076288b09c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64fd514ce864893885fe8b0c5b529e49

SHA1
a1372835ae5c14f31af6982836947044a8abb7b9

SHA256
9bfb5203a39b4362aa7381e8d0ed3e7256840b37f2b6efc25ed13d18b0947b9d

SHA512
9434ff4504c4fde76fd129c2035ffdf70d824de3a14005e1640f09d63a914728312a79b33a778fed8c783aa097a8320b7e029da1af3eb5355816083129c85d83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce9de54b827c6c84590e3537f06475ba

SHA1
0b0cbaa62077254b1289752635b89541ea2f8815

SHA256
5fe55874530dc4eb620273e5ced9fa423a18f500b098be0f81f576b503fc8607

SHA512
27ef0f216da1e6b287ae9745c73f968c676acb2182343f2a7ba460dc701fe57fb8dd46d1c0bb12994b2a5ddfd98dd3829fd27d97da08cf0cad8973a2b791f672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1162.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11C2.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit