Overview
overview
7Static
static
7WhatsApp/A...me.xml
windows7-x64
1WhatsApp/A...me.xml
windows10-2004-x64
1WhatsApp/A...gs.xml
windows7-x64
1WhatsApp/A...gs.xml
windows10-2004-x64
1WhatsApp/A...ng.xml
windows7-x64
1WhatsApp/A...ng.xml
windows10-2004-x64
1WhatsApp/A...ot.xml
windows7-x64
1WhatsApp/A...ot.xml
windows10-2004-x64
1WhatsApp/A...ys.xml
windows7-x64
1WhatsApp/A...ys.xml
windows10-2004-x64
1WhatsApp/A...ve.xml
windows7-x64
1WhatsApp/A...ve.xml
windows10-2004-x64
1WhatsApp/A...al.xml
windows7-x64
1WhatsApp/A...al.xml
windows10-2004-x64
1WhatsApp/A...in.xml
windows7-x64
1WhatsApp/A...in.xml
windows10-2004-x64
1WhatsApp/A...ce.xml
windows7-x64
1WhatsApp/A...ce.xml
windows10-2004-x64
1WhatsApp/A...ms.xml
windows7-x64
1WhatsApp/A...ms.xml
windows10-2004-x64
1WhatsApp/A...at.xml
windows7-x64
1WhatsApp/A...at.xml
windows10-2004-x64
1WhatsApp/A...me.xml
windows7-x64
1WhatsApp/A...me.xml
windows10-2004-x64
1WhatsApp/A...er.xml
windows7-x64
1WhatsApp/A...er.xml
windows10-2004-x64
1WhatsApp/A...er.xml
windows7-x64
1WhatsApp/A...er.xml
windows10-2004-x64
1WhatsApp/A...gs.xml
windows7-x64
1WhatsApp/A...gs.xml
windows10-2004-x64
1WhatsApp/A...ay.xml
windows7-x64
1WhatsApp/A...ay.xml
windows10-2004-x64
1Analysis
-
max time kernel
135s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
22/09/2022, 13:38
Behavioral task
behavioral1
Sample
WhatsApp/About/AppXRuntime.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
WhatsApp/About/AppXRuntime.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
WhatsApp/About/AuditSettings.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral4
Sample
WhatsApp/About/AuditSettings.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
WhatsApp/About/EventForwarding.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
WhatsApp/About/EventForwarding.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
WhatsApp/About/ExternalBoot.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
WhatsApp/About/ExternalBoot.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
WhatsApp/About/FileSys.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
WhatsApp/About/FileSys.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
WhatsApp/About/SkyDrive.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral12
Sample
WhatsApp/About/SkyDrive.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
WhatsApp/About/WinCal.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
WhatsApp/About/WinCal.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
WhatsApp/About/WorkplaceJoin.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
WhatsApp/About/WorkplaceJoin.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
WhatsApp/About/en-US/ActiveXInstallService.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
WhatsApp/About/en-US/ActiveXInstallService.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
WhatsApp/About/en-US/AddRemovePrograms.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
WhatsApp/About/en-US/AddRemovePrograms.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
WhatsApp/About/en-US/AppCompat.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral22
Sample
WhatsApp/About/en-US/AppCompat.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
WhatsApp/About/en-US/AppXRuntime.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
WhatsApp/About/en-US/AppXRuntime.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
WhatsApp/About/en-US/AppxPackageManager.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral26
Sample
WhatsApp/About/en-US/AppxPackageManager.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
WhatsApp/About/en-US/AttachmentManager.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
WhatsApp/About/en-US/AttachmentManager.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
WhatsApp/About/en-US/AuditSettings.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
WhatsApp/About/en-US/AuditSettings.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
WhatsApp/About/en-US/AutoPlay.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
WhatsApp/About/en-US/AutoPlay.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
WhatsApp/About/SkyDrive.xml
-
Size
2KB
-
MD5
a94642be85e83bd11fe2edc8ee57a052
-
SHA1
cce07bcc7dbe8bfef8f9397c8b6e76b96ddc9aa9
-
SHA256
da3489644a56924340c30ba06dca8d02ac68a772c1971ebeedfb07767ea6f1ee
-
SHA512
cfe4f318b08c3924c51eb679541b3a8d8d36cb47ffb5ebd9d979d254c1cba8782dfd8757f748944967392608dcc1775fdf82b9324b03481314b1f661a085b733
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{42296130-3A8D-11ED-B696-DEF0885D2AEB} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985882" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "387789413" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370626364" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "384663085" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f018199aced801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "387789413" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30985882" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000001df9e53a18b743191f14f5986d88c5f84f4663ee3962f674ff9d9d7376f1a1b5000000000e800000000200002000000091ddc70e837bfa59a2df603da7fbeebfadcbf03d650e11b3b062f40911d18d95200000005450bf24c264c0d92f3526f3f5eb415f2b7125f99032ba576d96937b605eefa74000000094102b9a1f9c7aae241600bd0a08df826c9e009779e3ff920ad70f8f0bd04bf295a83e9c0c2cd3cfb59d7e7ee9d5f9fe35c151f09f83af4be82b97b07d661982 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "384663085" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985882" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30985882" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30cf5f179aced801 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000007e82ba277fb566ea9316629ef437d976763ae9db05e66c01d1f915e5492c4379000000000e8000000002000020000000228e245bbd3914de90e9742c650285c6d0b7826105768873e13fdff74deb8163200000002a55c2dedb123e6ce322a50287c58a28ffac43fb5dcbefc8f4b15bbb828ffd274000000021a2c70d9067a2c34223b0d98367d218dd2fd17bb6ffa9530049f195eb0d73e9e051a7a255576e9ad2b174525ef38852f30bb7b42a03303b2161902419489ccd iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2032 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2032 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2032 iexplore.exe 2032 iexplore.exe 3100 IEXPLORE.EXE 3100 IEXPLORE.EXE 3100 IEXPLORE.EXE 3100 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1260 wrote to memory of 2032 1260 MSOXMLED.EXE 81 PID 1260 wrote to memory of 2032 1260 MSOXMLED.EXE 81 PID 2032 wrote to memory of 3100 2032 iexplore.exe 83 PID 2032 wrote to memory of 3100 2032 iexplore.exe 83 PID 2032 wrote to memory of 3100 2032 iexplore.exe 83
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\WhatsApp\About\SkyDrive.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\WhatsApp\About\SkyDrive.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3100
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD515afcebf1b296be7a78fac9d3700ef3d
SHA1c2210c056209dc67b283c3e5b5963e134479e4c3
SHA2564cab446eedf9d32c7e41482cac22a453dabcdbb0abb924801aefcc3c364636cb
SHA512ae33f97863d9de21fe642d432a0983aba3206b00e15f9430728a03127067424749d88a51ed1f59ffa6cd8428fb10701ed83b148f4f57ca0cd61553086c68c551
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5f7563eea77b879079a17b585e5e600e0
SHA1467bd09ddc5eb20a8cb850d28507d472a4636dc7
SHA256fe7b9aa69be2ae356cde45ebc7d1afce177a8400c868ed3c7232259a95506c5c
SHA512b09c4aa7dbb3f7400ac76b4b25f1e1bd9862a4b092f92b6fbad2cf037587a0cb210b3338482875882e82a8b4f707b50b3f66ac448d283e539f0dc81f630a3902