Overview
overview
1Static
static
iPRS導入...pp.xml
windows7-x64
1iPRS導入...pp.xml
windows10-2004-x64
1iPRS導入...ail.js
windows7-x64
1iPRS導入...ail.js
windows10-2004-x64
1iPRS導入...orm.js
windows7-x64
1iPRS導入...orm.js
windows10-2004-x64
1iPRS導入...pp.xml
windows7-x64
1iPRS導入...pp.xml
windows10-2004-x64
1iPRS導入...orm.js
windows7-x64
1iPRS導入...orm.js
windows10-2004-x64
1iPRS導入...er.vbs
windows7-x64
1iPRS導入...er.vbs
windows10-2004-x64
1iPRS導入...es.vbs
windows7-x64
1iPRS導入...es.vbs
windows10-2004-x64
1iPRS導入...ute.js
windows7-x64
1iPRS導入...ute.js
windows10-2004-x64
1iPRS導入...pp.xml
windows7-x64
1iPRS導入...pp.xml
windows10-2004-x64
1iPRS導入...orm.js
windows7-x64
1iPRS導入...orm.js
windows10-2004-x64
1iPRS導入...er.vbs
windows7-x64
1iPRS導入...er.vbs
windows10-2004-x64
1iPRS導入...es.vbs
windows7-x64
1iPRS導入...es.vbs
windows10-2004-x64
1iPRS導入...e1.htm
windows7-x64
1iPRS導入...e1.htm
windows10-2004-x64
1iPRS導入...e2.htm
windows7-x64
1iPRS導入...e2.htm
windows10-2004-x64
1iPRS導入...er.vbs
windows7-x64
1iPRS導入...er.vbs
windows10-2004-x64
1iPRS導入...es.vbs
windows7-x64
1iPRS導入...es.vbs
windows10-2004-x64
1Analysis
-
max time kernel
136s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26/09/2022, 02:07
Static task
static1
Behavioral task
behavioral1
Sample
iPRS導入包/App/FCM_Report/App.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
iPRS導入包/App/FCM_Report/App.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
iPRS導入包/App/FCM_Report/App_Code/CommonLayer/DataAccessLayer/Business/busMail.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
iPRS導入包/App/FCM_Report/App_Code/CommonLayer/DataAccessLayer/Business/busMail.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
iPRS導入包/App/FCM_Report/App_Code/CommonLayer/DataAccessLayer/Business/busform.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
iPRS導入包/App/FCM_Report/App_Code/CommonLayer/DataAccessLayer/Business/busform.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
iPRS導入包/App/FCM_Report/Backup/App.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
iPRS導入包/App/FCM_Report/Backup/App.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
iPRS導入包/App/FCM_Report/Backup/App_Code/CommonLayer/DataAccessLayer/Business/busform.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
iPRS導入包/App/FCM_Report/Backup/App_Code/CommonLayer/DataAccessLayer/Business/busform.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
iPRS導入包/App/FCM_Report/Backup/Properties/Resources.Designer.vbs
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral12
Sample
iPRS導入包/App/FCM_Report/Backup/Properties/Resources.Designer.vbs
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
iPRS導入包/App/FCM_Report/Backup/Properties/Resources.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
iPRS導入包/App/FCM_Report/Backup/Properties/Resources.vbs
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
iPRS導入包/App/FCM_Report/Backup/formExcute.js
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral16
Sample
iPRS導入包/App/FCM_Report/Backup/formExcute.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
iPRS導入包/App/FCM_Report/Backup4/App.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
iPRS導入包/App/FCM_Report/Backup4/App.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
iPRS導入包/App/FCM_Report/Backup4/App_Code/CommonLayer/DataAccessLayer/Business/busform.js
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral20
Sample
iPRS導入包/App/FCM_Report/Backup4/App_Code/CommonLayer/DataAccessLayer/Business/busform.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
iPRS導入包/App/FCM_Report/Backup4/Properties/Resources.Designer.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral22
Sample
iPRS導入包/App/FCM_Report/Backup4/Properties/Resources.Designer.vbs
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
iPRS導入包/App/FCM_Report/Backup4/Properties/Resources.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
iPRS導入包/App/FCM_Report/Backup4/Properties/Resources.vbs
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
iPRS導入包/App/FCM_Report/HTMLPage1.htm
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
iPRS導入包/App/FCM_Report/HTMLPage1.htm
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
iPRS導入包/App/FCM_Report/HTMLPage2.htm
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral28
Sample
iPRS導入包/App/FCM_Report/HTMLPage2.htm
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
iPRS導入包/App/FCM_Report/Properties/Resources.Designer.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
iPRS導入包/App/FCM_Report/Properties/Resources.Designer.vbs
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
iPRS導入包/App/FCM_Report/Properties/Resources.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
iPRS導入包/App/FCM_Report/Properties/Resources.vbs
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
iPRS導入包/App/FCM_Report/HTMLPage2.htm
-
Size
20KB
-
MD5
0b45f91613308b938c288948f754d57b
-
SHA1
22976e850ed95f7ef15144378c9e4658320f10e5
-
SHA256
2d79eb20a13b9b0bd76464b6d0d17ace1681513cd6eeddba1978b9cb60dc4586
-
SHA512
e2585cc0fd96e77281e715a4dc8246cc02bb2a170a297c6878487379778dbde69cc6a9b51ef8eb813dcaef399168397d8a407d8f1388c0e486e54b1584efed25
-
SSDEEP
96:H1/krRQ3qQ3IQ3yQ3GGJXQ3qQ3IQ3yQ3H/kr2rvgqcdvXrvR4rN8vZg:HE7jNzeX7jNervyvbvE8ve
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30986589" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986589" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000b592e4b2c77ff1696d0ad25999883866b0845147961220ec4b048fceb1823574000000000e80000000020000200000003f3d173a5ff839ecedabf8297cab9fa5dea2214a16bb317f2a23103b9fa40872200000001006e2790193605ed5716e3e14ea57e7be358295af4f0be5aebc40ea696fa69640000000b8c7e498d9f32c6016da7c059e9ed3f051159c901f8477bddd9b5e8bfe288c355965415cb62eb9ec21edc2241f27bf22f05b3e121c55040068c39a7c90ad0ee0 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370930343" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3481915931" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30986589" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3481915931" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00b103dd5dd1d801 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0c316dd5dd1d801 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000002dce3036469c8aadd7ee9b695af50c0cf3bd78739312950ab8be155f693c1067000000000e8000000002000020000000c80fb04c6d31379ce7901c908936ee25230675a7295252cb3deac2dd79a2f61a200000006ffc8ea658f124a3859fa65b4ec51be0345da23dc4395932392b4e9d0de8ca32400000007af5f8dc883edbee9c50619321ef38da6869bf96d8bcc3c33f86ad81be1a350b78223787bf0cc84a11a2ba691884aa88d0213aac0589c008b079d9e75091e80d iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FD4BD111-3D50-11ED-AECB-CA2A13AD51D0} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3642697895" IEXPLORE.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2296 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2296 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2296 iexplore.exe 2296 iexplore.exe 2236 IEXPLORE.EXE 2236 IEXPLORE.EXE 2236 IEXPLORE.EXE 2236 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2236 2296 iexplore.exe 79 PID 2296 wrote to memory of 2236 2296 iexplore.exe 79 PID 2296 wrote to memory of 2236 2296 iexplore.exe 79
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\iPRS導入包\App\FCM_Report\HTMLPage2.htm1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2236
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5f6d292a2a65c9e87797c7b0fb3018460
SHA110b53657072ae3d240832b895e721dddfaadb6b3
SHA25668851b0ab7e9b1a9af4944d0459ae8adf3531e9345d2629f99f0a7ee5b8d0c6f
SHA512390095530172a02243c356b7d6049fd9b1da0e3a9f66918f0a2c1fee0ec27667724ab58266c46122ed6e5fd8389b5debf1ff0308285d136ce0cfcc7c3555d77d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD51a454c2640ff6129715c64ee945cf8e5
SHA1fda625bb01144ef08ad16743abfe4fdf03c9c76d
SHA2564e13ae28d90cb8eece5f4d324ded71af09c1649d80b342e6478da726cb75248d
SHA512d13f189dbcaab059d3a82752f57945363eebe4393714d173ab9fbabbf97245248cb4d0b85625aefa5ec6a910e3077baf71cabc5322f761069b05e3db337b7e35