Overview
overview
1Static
static
2.8.7.4(2k...g.html
windows7-x64
12.8.7.4(2k...g.html
windows10-2004-x64
12.8.7.4(2k...py.bat
windows7-x64
12.8.7.4(2k...py.bat
windows10-2004-x64
12.8.7.4(2k...oi.bat
windows7-x64
12.8.7.4(2k...oi.bat
windows10-2004-x64
12.8.7.4(2k...ks.bat
windows7-x64
12.8.7.4(2k...ks.bat
windows10-2004-x64
12.8.7.4(2k...th.cmd
windows7-x64
12.8.7.4(2k...th.cmd
windows10-2004-x64
12.8.7.4(2k...ev.exe
windows7-x64
12.8.7.4(2k...ev.exe
windows10-2004-x64
12.8.7.4(2k...ec.cmd
windows7-x64
12.8.7.4(2k...ec.cmd
windows10-2004-x64
12.8.7.4(2k...py.cmd
windows7-x64
12.8.7.4(2k...py.cmd
windows10-2004-x64
12.8.7.4(2k...aw.cmd
windows7-x64
12.8.7.4(2k...aw.cmd
windows10-2004-x64
12.8.7.4(2k...nc.cmd
windows7-x64
12.8.7.4(2k...nc.cmd
windows10-2004-x64
12.8.7.4(2k-XP)/ln.exe
windows7-x64
12.8.7.4(2k-XP)/ln.exe
windows10-2004-x64
12.8.7.4(2k...n.html
windows7-x64
12.8.7.4(2k...n.html
windows10-2004-x64
12.9.3.3/wi...g.html
windows7-x64
12.9.3.3/wi...g.html
windows10-2004-x64
12.9.3.3/wi...n.html
windows7-x64
12.9.3.3/wi...n.html
windows10-2004-x64
12.9.3.3/wi...py.bat
windows7-x64
12.9.3.3/wi...py.bat
windows10-2004-x64
12.9.3.3/wi...oi.bat
windows7-x64
12.9.3.3/wi...oi.bat
windows10-2004-x64
1Analysis
-
max time kernel
138s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
10/10/2022, 09:29
Static task
static1
Behavioral task
behavioral1
Sample
2.8.7.4(2k-XP)/Blog/blog.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
2.8.7.4(2k-XP)/Blog/blog.html
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
2.8.7.4(2k-XP)/bat/DeLoreanCopy.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
2.8.7.4(2k-XP)/bat/DeLoreanCopy.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
2.8.7.4(2k-XP)/bat/DeLoreanHanoi.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
2.8.7.4(2k-XP)/bat/DeLoreanHanoi.bat
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
2.8.7.4(2k-XP)/bat/DeleteAllHardlinks.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
2.8.7.4(2k-XP)/bat/DeleteAllHardlinks.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
2.8.7.4(2k-XP)/bat/QueryPath.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
2.8.7.4(2k-XP)/bat/QueryPath.cmd
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
2.8.7.4(2k-XP)/bat/dosdev.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
2.8.7.4(2k-XP)/bat/dosdev.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
2.8.7.4(2k-XP)/bat/vss-exec.cmd
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral14
Sample
2.8.7.4(2k-XP)/bat/vss-exec.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
2.8.7.4(2k-XP)/bat/vss_drivecopy.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
2.8.7.4(2k-XP)/bat/vss_drivecopy.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
2.8.7.4(2k-XP)/bat/vss_raw.cmd
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral18
Sample
2.8.7.4(2k-XP)/bat/vss_raw.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
2.8.7.4(2k-XP)/bat/vss_unc.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
2.8.7.4(2k-XP)/bat/vss_unc.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
2.8.7.4(2k-XP)/ln.exe
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral22
Sample
2.8.7.4(2k-XP)/ln.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
2.8.7.4(2k-XP)/ln.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
2.8.7.4(2k-XP)/ln.html
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
2.9.3.3/win32/Doc/Blog/blog.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
2.9.3.3/win32/Doc/Blog/blog.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
2.9.3.3/win32/Doc/ln.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
2.9.3.3/win32/Doc/ln.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
2.9.3.3/win32/bat/DeLoreanCopy.bat
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral30
Sample
2.9.3.3/win32/bat/DeLoreanCopy.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
2.9.3.3/win32/bat/DeLoreanHanoi.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
2.9.3.3/win32/bat/DeLoreanHanoi.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
2.9.3.3/win32/Doc/Blog/blog.html
-
Size
8KB
-
MD5
8a5da9c7cbac968c6b96d8c37ae43397
-
SHA1
9380bfb32c8672a172826c156786c7aa49d84c20
-
SHA256
09b0a74afb421fa5ea43a7bcc039eeb2124e7e5c4f4514bc3e092213479f099c
-
SHA512
2afa21752746decc1caf7babfab55d5e4ab0bfe33b57f921ef2ce6c9677c5549dcfc6d6bffe9ea314356b6833019fb9e11b37262af98ddfda2b783f7f6544a4f
-
SSDEEP
192:GflXI1udvjA34v1V3KpsXMSLwBHBO9k+J8:GfYudvjggVTMS81B
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000d5b6cc8da04a5471be37121705972293fa83c3ab5aeeff805c9f369542ff72fd000000000e8000000002000020000000d08ac0e55044bdbe72d934abbb0fa0a5530adf08986d3070a3c246233e3e4dfa90000000b60aca08562b7b5da0e6bcd82b82aec25889c3ccf160d68a835e1c47a1c98c14436fd848a201626c767b7fa995fab9af30c6a563d051308f7a2e085a58a4ebb180e5b1438324bcaeb0741aa358720837fa9d35f64c3654b2665da43e01dad7f36f8f2b9b574fbd9f9011bbde781afb1d7e7dd91fdd06106ed358f18cbe0e3174e248369e5655a8c9c72b3f98e895f21e40000000d71b6781cf93509312bea79ff3a73adad20972a6779d1c439fcf62e85d20333a3b87174414dbd93bb89f83855936bb7e1232c415079e58c4c7d101927ae6d7a6 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0fa06e99bdcd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000007450eeda3c335eb1db36c05b0cf2a8697b90c56775cac6b926d03930f4b0f17a000000000e80000000020000200000001a00125a91a10f1fa7bbb8a3d375dfa9c9317168aa3516dce6ecff0283cae2a02000000048088555fb21b1abb91553aca19673db701dec32eb35621591f879b81604350e400000001e3fc36230cf1e1c44c5bd8bb210e912a5201d1bdd900a4115c0ff52f6ca2056c8a8577f5a32d0b0f647664c8887f97dc5d023b2f37ca4bbdc18ca2052205478 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E61A90D1-488E-11ED-A6AC-DE5CC620A9B4} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372166397" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1096 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1096 iexplore.exe 1096 iexplore.exe 2028 IEXPLORE.EXE 2028 IEXPLORE.EXE 2028 IEXPLORE.EXE 2028 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1096 wrote to memory of 2028 1096 iexplore.exe 28 PID 1096 wrote to memory of 2028 1096 iexplore.exe 28 PID 1096 wrote to memory of 2028 1096 iexplore.exe 28 PID 1096 wrote to memory of 2028 1096 iexplore.exe 28
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2.9.3.3\win32\Doc\Blog\blog.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2028
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize340B
MD5d73230302c16ca40300ee95c1b2e0e8b
SHA18d2e960a9088735b10e590ee806baee437fbbb0a
SHA25629f8a98a022a6795c1a837374382a2d974765cecdd2b3cc919756861d4661853
SHA512aac146aaa875a30fcd8896881e34e5cec062635137099c871a62adf5a3bc395864b673a2acedc993841f97e7ba7db6013f65d2be24be91877762ee4d5158eafa
-
Filesize
608B
MD50bd62723723c1f18b099140ecae380e9
SHA171568b36e2c63e34bf3e4a50d2712a57d8a73e7f
SHA2562d80abf66728543c32b07ad2c36f90d9c688f059f27b29ebb985e1efc7c2fb64
SHA51254a1ed93da1059b1e1f0c036ed38ecb2a1e8a8527054a2d7b747a1ca2370272f12d2be13f8b12cea74b2563d983efe81f2a29ab5a1e79ecb4547bada34be01fb