fd72038524f82d299b58d0b9de0da0cfa10f19eb746ed863fec62345b1044f51

Analysis

max time kernel
134s
max time network
139s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_11_shadow.xml
Size

2KB
MD5

a43eaf2037b2a882b41912e5bf68e3f4
SHA1

b1b73e482269c1c5370f7a6e4ab5a3b47d2c6373
SHA256

354cbc8433a0fb42c500fa7039f4c7254db20eb9f589f8866846f142c45d94c2
SHA512

5aa4640b5cc83376ae6f61c80bfe6e1aedd2e6eec2337f9478f4a5544cba6b1a09fd46cb4c93a8313d4843a7c42b498f610bf51ca90d476819088e8fd52b2c69

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000008ef501413a35b62bbc50590646bec6044a9a7b729d9a29f7b9ba7d72b56d1217000000000e800000000200002000000020a38f15285949fae08bb7bfb1991fb75e3629b746c078a4cc7383b2921cf97c90000000e9bb195f73208a9accbd19e626f28f4bb750427c42f200277a8b9703d96dd9fcff31935d8212c6d3805b1d73a8bcbea318ce53418be3a3d6970118d2e507212528d398eb0ae4d7cb62264868ae2d0475e69a26483d3f0875d2e1152f1ce4a5616030e736c1d769d596e75bc09346e93706c07bba04a51474cc7a0dad9232cf5f3b1df61f31256b2419c20f8a6e66f58b4000000045b9e65aea1019dc26acf6bbf5efe880921165cf403854b4ea80d0d0686f7a3fdfe3af02df5fea8667952ead10895ea2158279e3b2b568956466adbfd471ced4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50bb01b769d8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "399249493"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d000000000200000000001066000000010000200000006cfae66ed23505d9fd1a15aa817fd90b58dec07c7ce27434fe0bb08d0c03f90c000000000e8000000002000020000000de78fefb07d0b0ea8f9de9c5d34b368355d720d36d8c8539cf454c8e873571d52000000068394ff21153ca3c2d976f3548965df812a322dfe869bc8602fddc84479f73da40000000a086650c0d33fee8ee6fcc306772142261ff1984635862d28f0125c8dec03a883131b9ad6a3ef4b0bdc4f5e9813cb567a6513cecbbd8f9a3385b0e530ed5552e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E21326D1-445C-11EE-852D-724B81B1CE5D} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2864 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2864 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2864 IEXPLORE.EXE
2864 IEXPLORE.EXE
2832 IEXPLORE.EXE
2832 IEXPLORE.EXE
2832 IEXPLORE.EXE
2832 IEXPLORE.EXE

pid	process
2864	IEXPLORE.EXE

pid	process
2864	IEXPLORE.EXE

pid	process
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2060 wrote to memory of 2836	2060	MSOXMLED.EXE	iexplore.exe
PID 2060 wrote to memory of 2836	2060	MSOXMLED.EXE	iexplore.exe
PID 2060 wrote to memory of 2836	2060	MSOXMLED.EXE	iexplore.exe
PID 2060 wrote to memory of 2836	2060	MSOXMLED.EXE	iexplore.exe
PID 2836 wrote to memory of 2864	2836	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 2864	2836	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 2864	2836	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 2864	2836	iexplore.exe	IEXPLORE.EXE
PID 2864 wrote to memory of 2832	2864	IEXPLORE.EXE	IEXPLORE.EXE
PID 2864 wrote to memory of 2832	2864	IEXPLORE.EXE	IEXPLORE.EXE
PID 2864 wrote to memory of 2832	2864	IEXPLORE.EXE	IEXPLORE.EXE
PID 2864 wrote to memory of 2832	2864	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_11_shadow.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa0488afe12b61ecf0f2b83cceefb54d

SHA1
61696cf9d907fedf8e3470f42221fc04ff257e62

SHA256
57591d524b5fa4d2e4ad3c04a34e2903eb5842244c49d6d0915a766d863615a8

SHA512
69c7b4a844a4f33cfdfba160afd0b9300dea048e5d8bc5285b8b975189755ae5930adec6cb28e25213ba156ce3bc0a350df97fb78da1ba6c3c8166b7d3c728d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
456fcbd4985059ec95fed7e973303360

SHA1
ccd2ec320786376cbb131b7ad5688db459aa58db

SHA256
9ac6734796735138b7cdc6733bd7a0424719041b60b85c89bea53c5d24c4741e

SHA512
55cba088e01fd526e3092af1b8afbb98e6fbc14b375db6b508baade0b469789ebb86c3d6516ecdf1f59aa6dcf5396c96984f66b98f37207dcd751975f8d5a684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a64bed9211e88cf1a588d057b6b51045

SHA1
c4d4e7cd9f54d4ab6da79a423f95099dcda664e7

SHA256
c3143305c1cd95dcd311b6984778f3ffb94a645c24bb56001ee6b94a56431a1c

SHA512
938773be6ebd54b6d3b9dcf422749739b1dd3c665e5c63945859899e0a35b0e289ae847719d82140731f4e1756a0f95470a5c69860110cf31bebbeeade3d01be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6110d9ed34eba6afb2de07e00dc712f3

SHA1
1b70935399a1cc57439ab7fa1112b1fcb237da24

SHA256
8e8cf401071b635fe6858e414afdc64135a46bdf5e83ed82efb09a89e5108ca1

SHA512
acb9f04bf2b6628229d59143f087036667ef9d8f6d62a7541fa131223cddf6d59a7b41f82d58852f4cd07eb2e51b4b36649a094faacd8d75cd09381804fd7a31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b23b4468f74d728d1201b9a2b26af606

SHA1
e4ab05fed55289dfe84154e7a66c1651ffa28204

SHA256
8741ac634fe069baaf19888c793a7a1555722e36c1c57606ba595812941ace89

SHA512
89074965c4565b5c8ae48c55a0855b792a3edb87ab9b67fde9cf9cc114e386bb9d2da36b4b3c87c6cb29a34de399e1398e272c258d353b81999c22ee51d80e31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
462102505ff2c3760d1f977433f166b5

SHA1
9174ed6d916d41cbc5560beb9f28664210f4a70b

SHA256
fcdce2967474965b2c33463f487ed1083ddcb269315388da18cc3aabf140ae78

SHA512
88c76583a8f4949c831a1058ac5e8df957ca7b94f5532e5f28c6188160976a363b54fa779f114cffcc0f3c1a9dcc56a30cce3b6d5e1e40855cf852313eda3647

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dba7ea19208ec8231f1efd9eb048c282

SHA1
21a5ec25b36ea33bbd8304163c122d4bc1ba0ca5

SHA256
81f9bf4de28d5a1245ee36d66d1d37e1a4d0abf58c50f5f6100e21ee5d0dedd0

SHA512
2e7753283ca330089c669d42454f94778ff3732f8b8ae960e024f5e451d6eec558dd7dd3c85330dcd00ea4bcee68a6016a162e7df451055d2672d9c4acb6339e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd1a8bd1dca4809db4214fdcce6d84ab

SHA1
531c3d62b2d8b8c10e645d17dd7b8af46d7082c7

SHA256
960f2da097e740790e862814bae38255698205a11979de9c27b05ff82f404c7d

SHA512
e3c7c83886cc9c01546d810be5092aaae6dd3d7e3cf3821f80b9b97a1185fea217c037c9133573663233611114767d4c1ce2b03ba553c647d50309fdb99ed8fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e9600f190f450e7bde61beeecbe3590

SHA1
06eedbf64c12ce28ca86334b015860656a730edf

SHA256
98cd9df215e0b1d72589cbeee843e87b6dc1604df0919219399876d5b3ef8c86

SHA512
153dc61a7d8aa43d325a7f2d74378338a048564084d58aeb7a6255eda754357e885921c3385e830a2010f51052a2337d4525720732dd65cc5f5faac1cd87161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80D6.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab82FA.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar834D.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit