Overview
overview
1Static
static
ripro/asse...an.xml
windows7-x64
1ripro/asse...an.xml
windows10-2004-x64
1ripro/asse...an.xml
windows7-x64
1ripro/asse...an.xml
windows10-2004-x64
1ripro/asse...ou.xml
windows7-x64
1ripro/asse...ou.xml
windows10-2004-x64
1ripro/asse...bi.xml
windows7-x64
1ripro/asse...bi.xml
windows10-2004-x64
1ripro/asse...ng.xml
windows7-x64
1ripro/asse...ng.xml
windows10-2004-x64
1ripro/asse...mu.xml
windows7-x64
1ripro/asse...mu.xml
windows10-2004-x64
1ripro/asse...ai.xml
windows7-x64
1ripro/asse...ai.xml
windows10-2004-x64
1ripro/asse...app.js
windows7-x64
1ripro/asse...app.js
windows10-2004-x64
1ripro/asse....js
windows7-x64
1ripro/asse....js
windows10-2004-x64
1ripro/asse...hiv.js
windows7-x64
1ripro/asse...hiv.js
windows10-2004-x64
1ripro/asse...min.js
windows7-x64
1ripro/asse...min.js
windows10-2004-x64
1ripro/asse...min.js
windows7-x64
1ripro/asse...min.js
windows10-2004-x64
1ripro/asse...ins.js
windows7-x64
1ripro/asse...ins.js
windows10-2004-x64
1ripro/asse...min.js
windows7-x64
1ripro/asse...min.js
windows10-2004-x64
1ripro/asse...min.js
windows7-x64
1ripro/asse...min.js
windows10-2004-x64
1ripro/asse...min.js
windows7-x64
1ripro/asse...min.js
windows10-2004-x64
1Analysis
-
max time kernel
107s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
27/09/2022, 03:44
Static task
static1
Behavioral task
behavioral1
Sample
ripro/assets/images/svg/anquan.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
ripro/assets/images/svg/anquan.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ripro/assets/images/svg/dingdan.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral4
Sample
ripro/assets/images/svg/dingdan.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ripro/assets/images/svg/dou.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
ripro/assets/images/svg/dou.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ripro/assets/images/svg/jinbi.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
ripro/assets/images/svg/jinbi.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
ripro/assets/images/svg/shoucang.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
ripro/assets/images/svg/shoucang.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
ripro/assets/images/svg/xiangmu.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral12
Sample
ripro/assets/images/svg/xiangmu.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
ripro/assets/images/svg/xiazai.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
ripro/assets/images/svg/xiazai.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ripro/assets/js/app.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
ripro/assets/js/app.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
ripro/assets/js/html5shiv - .js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
ripro/assets/js/html5shiv - .js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
ripro/assets/js/html5shiv.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
ripro/assets/js/html5shiv.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
ripro/assets/js/jquery-2.2.4.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral22
Sample
ripro/assets/js/jquery-2.2.4.min.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
ripro/assets/js/nprogress.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
ripro/assets/js/nprogress.min.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
ripro/assets/js/plugins.js
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral26
Sample
ripro/assets/js/plugins.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
ripro/assets/js/plugins/DPlayer.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
ripro/assets/js/plugins/DPlayer.min.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
ripro/assets/js/plugins/hls.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
ripro/assets/js/plugins/hls.min.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
ripro/assets/js/plugins/html2canvas.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
ripro/assets/js/plugins/html2canvas.min.js
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
ripro/assets/images/svg/jinbi.xml
-
Size
1KB
-
MD5
953797652e0e44481ce2f92de09b1162
-
SHA1
9596269c729156ae42c93a4c09bf4d660e0cf19a
-
SHA256
3b9bfd8bcad542c7cf6712dd49a39b19da1292da363b12612353813331b27ce0
-
SHA512
3049ad655d6033a60ef346c680a5fbb0e02d3f67f0bd470e2cfe958349532caeb94aefdd1f769b4c4de8eea8d13e230eab4fa1b99a86e6142b388ef02bffd04b
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB155CE1-3E16-11ED-A920-7ADB5DB493F4} = "0" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b037818023d2d801 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371015241" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000e29f4dff7fbf5dbb37a5de5876ea47f884b004a7056fee2e0e177887b681e68d000000000e8000000002000020000000679b359b20305d398bb44f4a59939fd4e1d308d474257dc556c134fcf4e13f842000000086f606816355602837d672e70a478b44fae5d5a999d8a9e66e9c6794b3a1198440000000c9b366a80ac96751ab9632dd17b6d17906acfda407ca5592abb4bfb982ab830e9b94ab9e4fc124d9584ae2fc17b698a3223c547389cf6825b5f8adab93fea08b IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000015eb3b03f2e7187029c4b3353aad7bea83d5e0f9dd8858df5760084c6eb47482000000000e800000000200002000000017a29e790f043799cb32946bc11362930e8ca430c97b7088930036a014f6b8a79000000076cf64ab37b7d9c28b8bdfc227b0272b1216bf25301705d6be3fd32a7b8522ecfdb06d27ab8a2917c715caf559f415c2bcab2315564c84468a88a3b6ac5241f4a4c96b1dccf1699d0280262bd1ffc22aa62b659999d1e1b9a352c523ef0ecd7395239f889a2b4fdeb5837d44f8240bb2799ff294e446c135a31bd35c150bebb7f90f68960e868f55948ec6ffc334d23d40000000a5b8d8b879d06d39d81b02f1eff89e6a0ce57efca9b47db90780acc11cbe88abbf90c56f2ec05268dbebfa13c3aa6bbac8961a863def8b3c87502bff48f5fef6 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 856 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 856 IEXPLORE.EXE 856 IEXPLORE.EXE 1760 IEXPLORE.EXE 1760 IEXPLORE.EXE 1760 IEXPLORE.EXE 1760 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1036 wrote to memory of 1492 1036 MSOXMLED.EXE 28 PID 1036 wrote to memory of 1492 1036 MSOXMLED.EXE 28 PID 1036 wrote to memory of 1492 1036 MSOXMLED.EXE 28 PID 1036 wrote to memory of 1492 1036 MSOXMLED.EXE 28 PID 1492 wrote to memory of 856 1492 iexplore.exe 29 PID 1492 wrote to memory of 856 1492 iexplore.exe 29 PID 1492 wrote to memory of 856 1492 iexplore.exe 29 PID 1492 wrote to memory of 856 1492 iexplore.exe 29 PID 856 wrote to memory of 1760 856 IEXPLORE.EXE 30 PID 856 wrote to memory of 1760 856 IEXPLORE.EXE 30 PID 856 wrote to memory of 1760 856 IEXPLORE.EXE 30 PID 856 wrote to memory of 1760 856 IEXPLORE.EXE 30
Processes
-
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ripro\assets\images\svg\jinbi.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome2⤵
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1760
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
603B
MD5b442367e81d611e5cb722bf87bed5ba1
SHA1e6353c3ef28da239075433d7114bea1d6a138b9f
SHA2560796895e9695069094f3db66ec2a2cef9f32ec601fe3b38777baf9e16f1e4f09
SHA5128ffdb3f3fed5bba54bbefee26dd3d9f4aa54f553b99a5e689cc60f1a46e30660e00e6b47aa476dd2b04309295567fe51d07229e4b8d9affeb11aa3559d568661