Overview

overview

1

Static

static

irs/bank.php.js

windows7_x64

1

irs/bank.php.js

windows10_x64

1

irs/card.php.js

windows7_x64

1

irs/card.php.js

windows10_x64

1

irs/confirm.php.js

windows7_x64

1

irs/confirm.php.js

windows10_x64

1

irs/images...vg.xml

windows7_x64

1

irs/images...vg.xml

windows10_x64

1

irs/images...vg.xml

windows7_x64

1

irs/images...vg.xml

windows10_x64

1

irs/images...vg.xml

windows7_x64

1

irs/images...vg.xml

windows10_x64

1

irs/index.php.js

windows7_x64

1

irs/index.php.js

windows10_x64

1

irs/js/boo...min.js

windows7_x64

1

irs/js/boo...min.js

windows10_x64

1

irs/js/jqu...min.js

windows7_x64

1

irs/js/jqu...min.js

windows10_x64

1

irs/js/jquery.min.js

windows7_x64

1

irs/js/jquery.min.js

windows10_x64

1

irs/test.html

windows7_x64

1

irs/test.html

windows10_x64

1

Analysis

  • max time kernel
    136s
  • max time network
    164s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-08-2021 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    irs/images/success.svg.xml

  • Size

    513B

  • MD5

    7ba2c7ed2d27cc893b31d1689324ed2f

  • SHA1

    258e44e65d4ad780c6b86b8d3df1d1420264627b

  • SHA256

    aa73ecf6d7a0055ee569c7d11e1223342bfd53d83e137830a60cfc99eb5347c4

  • SHA512

    5b4a3715e650b024003c5767e0a87dde375267f407eb8b0c0c3a1da7f3d6cc13a6747f2052d30550221832be74e16ce4926cc5a64cec2c3e3669689194dbef86

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
    "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\irs\images\success.svg.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\irs\images\success.svg.xml
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3264 CREDAT:82945 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2668

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    fb9ed523ba700d7bd169da09f80f35cb

    SHA1

    52b48d4ab50a3d34f15054c485215ad78b84a020

    SHA256

    9ad885119fb1556ae1f94eeb9a78709bc300c956d5de41ec19a84cdbc0ac7411

    SHA512

    44f3cc19d96e765a719d89273f1f2ff3d26eea5a274af97e136764fe63c0aaf72b343c6e6ce271e49d167f8c875566259d9b12245c7b05f69bd3bc17dc624ad9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    edb755344900bbadd0204e11ac58a5ce

    SHA1

    44c758d88c1c63a06fa545213ecc8ca13c061c91

    SHA256

    ce0408cf8c6f2fdc76d173cedbf1ff851f54474bec41adf0bed495f07fee618c

    SHA512

    cde00ae004fef4f721720e49e93beadcc51d4eba83f7e00f48abc568322bcae6957186fc8935caa2cec0bc248219bd96af1a3d1fd11977fb9a248aea6d5bdd9a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1EIE7NWK.cookie
    MD5

    e03104515031bff0ea09cfb075366d66

    SHA1

    0fa8045b4e4d7e1e4655f08d03e41c0008e9b11e

    SHA256

    e00634a6c30dad33c1c5e3d6c2febaeef1db06794b5eeed6135edee0a5b192fe

    SHA512

    c86f6e8219bdba84a0b260e271d6d10262887599ebf545108c069f57fd635f26d744982c6b8a00d8aa8447c76f6aa36595990d6f2fdac8f2cc04c8cfa419a8c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YN9HWFU4.cookie
    MD5

    0457310741cb7e75a58073e88c9dda59

    SHA1

    d0831555843389fd1fae92888f1a85dcfae1bdfa

    SHA256

    c046dc3f65cd0e477cb2cdba97faa0d529edc3f82c702f7b9dca480001913a28

    SHA512

    7b7ac812528d9abdb2f0fdb5f3ea24b3af4a8a666b429e003983d0bff3e45e4a6406fc2a4c0575b77cc920fc49e58ba7b3663b67e41ec78ab10d2ada97287e0e

    Download Submit

  • memory/516-119-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-121-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-122-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-125-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-123-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-115-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-118-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-117-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-116-0x00007FF80BC00000-0x00007FF80BC10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2668-126-0x0000000000000000-mapping.dmp

    Download

  • memory/3264-120-0x0000000000000000-mapping.dmp

    Download

  • memory/3264-124-0x00007FF82EE80000-0x00007FF82EEEB000-memory.dmp

    Filesize

    428KB

    Download