Analysis Overview
SHA256
89ada36edefe7e1f4be30b96a5bd2553b5deb24c256632a099f16196e6245957
Threat Level: Known bad
The file inv_zippediso.zip was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-20 21:21
Signatures
Analysis: behavioral12
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win10v2004-20220715-en
Max time kernel
91s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\year\worker.js
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.3:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.25.243:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win7-20220718-en
Max time kernel
35s
Max time network
49s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\order.lnk
Network
Files
memory/1120-54-0x000007FEFC101000-0x000007FEFC103000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:23
Platform
win10v2004-20220715-en
Max time kernel
91s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\order.lnk
Network
| Country | Destination | Domain | Proto |
| US | 8.252.117.126:80 | | tcp |
| US | 20.42.73.25:443 | | tcp |
| US | 8.252.117.126:80 | | tcp |
| US | 8.252.117.126:80 | | tcp |
| US | 8.252.117.126:80 | | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
155s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\year\make.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | explorblins.com | udp |
| NL | 165.22.201.70:80 | explorblins.com | tcp |
| US | 20.189.173.10:443 | | tcp |
| DE | 67.24.27.254:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
Files
memory/1792-130-0x0000000180000000-0x0000000180009000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win7-20220718-en
Max time kernel
113s
Max time network
117s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not captured) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f000000000200000000001066000000010000200000005f61510929cc14945c5112266416768ecd6bc2e34fb3d121d9cdf415b4859b22000000000e8000000002000020000000d6be360c4de4745bc48d6f05591cb8624d3cf820b46d18a19e1d3f1fbcbee05920000000e12eef4fc4e50296ad3fcd82a6ebc813282a5ed7b70c0ca73b3bf2eaf372a9194000000093f7d30119a713c00fc99d1ede369272b883f7262669583ecf993c1190a1d8c7bdf535101216a7129a7edb1e441af3be3efaeb50e14ccf4281fce96c7fc137bc | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C08473F1-0882-11ED-BEB9-E6961454B536} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365124309" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0c0c4978f9cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1444 wrote to memory of 1016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1444 wrote to memory of 1016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1444 wrote to memory of 1016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1444 wrote to memory of 1016 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\year\new.gif
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T8IIUSTN.txt
| MD5 | 90d8af9b3e37ff595449e4374a9d4f6e |
| SHA1 | 35a8d2603e2921e0f307236f3905c067823a0684 |
| SHA256 | 1246e48d8cbbe254ee1b760e9a065da585e7ee65a4253a21eb1085317bce2179 |
| SHA512 | 06fc9f0b2696f23ec14cc872d0940b982c14f358652fe96656ed46b73f544c80857b2f10f9d905f09ac5d0e03a449774b6f3c655d72e7560a92f0806789e3dd3 |
Analysis: behavioral8
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:25
Platform
win10v2004-20220718-en
Max time kernel
137s
Max time network
144s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E6F705C8-0882-11ED-BCFA-4EC039F34222} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b1900000000020000000000106600000001000020000000153f60763d3e55484af4886bdd655f0ec2afaf8d9e9be7fe8346160f05208d85000000000e800000000200002000000078e8ec41e8beebdc4a81919f01ac2c5b663f34f7d513832010802e70c4b4b4d4200000005abb8644d1d4d816ece0230091e051e1f55970f79a7d9f162a1242685fb3878340000000493376de4a59cf056e325e355b8d310d502e53eb5585c744a1fc0ca9137a1a54629ee7190059a396f348f5cb45cf254cad8cb8e65c16e350c4b2ead5bbc9cda2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909f02cc8f9cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3423355436" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b19000000000200000000001066000000010000200000007159d6b8e0478182d12023dbcc0a85aa6081998b12e44b65fbce5bebb6c9261d000000000e8000000002000020000000a6140c43dc205cfb51f119e54b24730e2748b1b6721f0a59f70134a113e50328200000007351081eece61b72e756332df0bd0264d68a56a333bb070450ef6f3a45e0a7df400000005983ed5ef54c506940f2872d5f4510995e7b478a3f68eb6c5c2949adaf21e310f3b5012867935d534c4c5ff0ddb2df3968ef4106a27f1e85adb2925a0c1bfc46 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30973071" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a08a9bc98f9cd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3423355436" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30973071" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365124358" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3488 wrote to memory of 2716 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3488 wrote to memory of 2716 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3488 wrote to memory of 2716 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\year\new.gif
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3488 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.140:80 | | tcp |
| US | 13.89.178.27:443 | | tcp |
| NL | 104.110.191.165:80 | | tcp |
| NL | 104.110.191.165:80 | | tcp |
| NL | 104.110.191.165:80 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:25
Platform
win7-20220718-en
Max time kernel
38s
Max time network
46s
Command Line
Signatures
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 1612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 1744 wrote to memory of 1612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 1744 wrote to memory of 1612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\year\worker.cmd"
C:\Windows\system32\PING.EXE
ping google.com
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
Files
memory/1612-54-0x0000000000000000-mapping.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win10v2004-20220414-en
Max time kernel
90s
Max time network
156s
Command Line
Signatures
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5004 wrote to memory of 4112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 5004 wrote to memory of 4112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\year\worker.cmd"
C:\Windows\system32\PING.EXE
ping google.com
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 52.182.143.208:443 | | tcp |
Files
memory/4112-130-0x0000000000000000-mapping.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win7-20220715-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\year\day.jpg
Network
Files
memory/788-54-0x000007FEFC011000-0x000007FEFC013000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\year\day.jpg
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.67:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 20.190.160.8:443 | | tcp |
| IE | 20.50.80.209:443 | | tcp |
| NL | 20.190.160.2:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 20.190.160.136:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 20.190.160.73:443 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
| NL | 20.190.160.132:443 | | tcp |
| NL | 20.190.160.4:443 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win7-20220715-en
Max time kernel
38s
Max time network
42s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\year\make.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | explorblins.com | udp |
| NL | 165.22.201.70:80 | explorblins.com | tcp |
Files
memory/1656-54-0x0000000180000000-0x0000000180009000-memory.dmp
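The process command lines recorded across these detonations (cmd /c on the archive members, wscript.exe on worker.js, rundll32.exe on make.dll,#1 from the user's Temp directory, next to the benign rundll32.exe use of PhotoViewer.dll in behavioral3) can be turned into a small command-line triage rule set. The Python below is an added example, not part of the sandbox report or its tooling. Its input list is constructed from the Processes sections of this report; the rule names, severity labels and the list of user-writable directory fragments are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the distinct process command lines from the Processes
# sections of this report (behavioral1 through behavioral12).
SAMPLE_COMMAND_LINES = [
    r"cmd /c C:\Users\Admin\AppData\Local\Temp\order.lnk",
    r"wscript.exe C:\Users\Admin\AppData\Local\Temp\year\worker.js",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\year\make.dll,#1",
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\year\worker.cmd"',
    r"ping google.com",
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\year\day.jpg',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\year\new.gif',
    r"cmd /c C:\Users\Admin\AppData\Local\Temp\year\day.jpg",
]

# Directory fragments a standard user can write to (assumption of this example).
# A DLL or script loaded from here by a signed Windows host binary is the signal.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\")

# rundll32 syntax: [path\]rundll32[.exe] <dll>,<entry> [args]. The DLL may be
# quoted; <entry> is an export name or an ordinal written as #N.
RUNDLL32_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'
    r'\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)
# wscript/cscript running a script file.
SCRIPT_HOST_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?[wc]script(?:\.exe)?"?\s+"?(?P<script>[^"\s]+\.(?:js|jse|vbs|vbe|wsf|wsh))"?',
    re.IGNORECASE,
)
# cmd /c <single target>: cmd shell-opens the file with its registered handler.
CMD_C_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/c\s+"?(?P<target>[^"\s]+)"?\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    command_line: str
    rule: str
    severity: str  # "high", "medium" or "low"


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory fragment in USER_WRITABLE."""
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def classify(command_line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious command line, or None if it looks ordinary."""
    m = RUNDLL32_RE.match(command_line)
    if m:
        dll = m.group("qdll") or m.group("dll")
        entry = m.group("entry")
        if is_user_writable(dll):
            # An ordinal export (#N) hides the export name from the command
            # line; make.dll,#1 above is exactly this shape.
            severity = "high" if entry.startswith("#") else "medium"
            return Finding(command_line, "rundll32 loads DLL from user-writable path", severity)
        # e.g. PhotoViewer.dll from Program Files: a normal shell-open of an image.
        return None
    m = SCRIPT_HOST_RE.match(command_line)
    if m and is_user_writable(m.group("script")):
        return Finding(command_line, "script host runs script from user-writable path", "medium")
    m = CMD_C_RE.match(command_line)
    if m and is_user_writable(m.group("target")):
        target = m.group("target").lower()
        if target.endswith((".bat", ".cmd")):
            return Finding(command_line, "cmd runs batch script from user-writable path", "medium")
        # A .lnk or .jpg opened this way from Temp is how an archive lure is
        # detonated, by the user or, as in this report, by the sandbox itself.
        return Finding(command_line, "cmd /c shell-opens non-executable from user-writable path", "low")
    return None


def triage(command_lines: List[str]) -> List[Finding]:
    """Classify every command line and keep only the ones that produced a finding."""
    return [f for f in (classify(c) for c in command_lines) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_COMMAND_LINES):
        print(f"[{finding.severity}] {finding.rule}: {finding.command_line}")
```

The ordering of the rules matters: the rundll32 check must decide on the DLL path, not on the trailing arguments, otherwise the Photo Viewer invocation (whose argument is a file under Temp) would be flagged alongside make.dll. Without parent-process context, `ping google.com` on its own is not a finding here; the report only makes it interesting because worker.cmd launched it.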
Analysis: behavioral11
Detonation Overview
Submitted
2022-07-20 21:21
Reported
2022-07-20 21:24
Platform
win7-20220715-en
Max time kernel
44s
Max time network
49s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\year\worker.js