Overview
overview
1Static
static
2.8.7.4(2k...g.html
windows7-x64
12.8.7.4(2k...g.html
windows10-2004-x64
12.8.7.4(2k...py.bat
windows7-x64
12.8.7.4(2k...py.bat
windows10-2004-x64
12.8.7.4(2k...oi.bat
windows7-x64
12.8.7.4(2k...oi.bat
windows10-2004-x64
12.8.7.4(2k...ks.bat
windows7-x64
12.8.7.4(2k...ks.bat
windows10-2004-x64
12.8.7.4(2k...th.cmd
windows7-x64
12.8.7.4(2k...th.cmd
windows10-2004-x64
12.8.7.4(2k...ev.exe
windows7-x64
12.8.7.4(2k...ev.exe
windows10-2004-x64
12.8.7.4(2k...ec.cmd
windows7-x64
12.8.7.4(2k...ec.cmd
windows10-2004-x64
12.8.7.4(2k...py.cmd
windows7-x64
12.8.7.4(2k...py.cmd
windows10-2004-x64
12.8.7.4(2k...aw.cmd
windows7-x64
12.8.7.4(2k...aw.cmd
windows10-2004-x64
12.8.7.4(2k...nc.cmd
windows7-x64
12.8.7.4(2k...nc.cmd
windows10-2004-x64
12.8.7.4(2k-XP)/ln.exe
windows7-x64
12.8.7.4(2k-XP)/ln.exe
windows10-2004-x64
12.8.7.4(2k...n.html
windows7-x64
12.8.7.4(2k...n.html
windows10-2004-x64
12.9.3.3/wi...g.html
windows7-x64
12.9.3.3/wi...g.html
windows10-2004-x64
12.9.3.3/wi...n.html
windows7-x64
12.9.3.3/wi...n.html
windows10-2004-x64
12.9.3.3/wi...py.bat
windows7-x64
12.9.3.3/wi...py.bat
windows10-2004-x64
12.9.3.3/wi...oi.bat
windows7-x64
12.9.3.3/wi...oi.bat
windows10-2004-x64
1Analysis
-
max time kernel
134s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2022 09:29
Static task
static1
Behavioral task
behavioral1
Sample
2.8.7.4(2k-XP)/Blog/blog.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
2.8.7.4(2k-XP)/Blog/blog.html
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
2.8.7.4(2k-XP)/bat/DeLoreanCopy.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
2.8.7.4(2k-XP)/bat/DeLoreanCopy.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
2.8.7.4(2k-XP)/bat/DeLoreanHanoi.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
2.8.7.4(2k-XP)/bat/DeLoreanHanoi.bat
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
2.8.7.4(2k-XP)/bat/DeleteAllHardlinks.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
2.8.7.4(2k-XP)/bat/DeleteAllHardlinks.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
2.8.7.4(2k-XP)/bat/QueryPath.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
2.8.7.4(2k-XP)/bat/QueryPath.cmd
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
2.8.7.4(2k-XP)/bat/dosdev.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
2.8.7.4(2k-XP)/bat/dosdev.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
2.8.7.4(2k-XP)/bat/vss-exec.cmd
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral14
Sample
2.8.7.4(2k-XP)/bat/vss-exec.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
2.8.7.4(2k-XP)/bat/vss_drivecopy.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
2.8.7.4(2k-XP)/bat/vss_drivecopy.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
2.8.7.4(2k-XP)/bat/vss_raw.cmd
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral18
Sample
2.8.7.4(2k-XP)/bat/vss_raw.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
2.8.7.4(2k-XP)/bat/vss_unc.cmd
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
2.8.7.4(2k-XP)/bat/vss_unc.cmd
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
2.8.7.4(2k-XP)/ln.exe
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral22
Sample
2.8.7.4(2k-XP)/ln.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
2.8.7.4(2k-XP)/ln.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
2.8.7.4(2k-XP)/ln.html
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
2.9.3.3/win32/Doc/Blog/blog.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
2.9.3.3/win32/Doc/Blog/blog.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
2.9.3.3/win32/Doc/ln.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
2.9.3.3/win32/Doc/ln.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
2.9.3.3/win32/bat/DeLoreanCopy.bat
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral30
Sample
2.9.3.3/win32/bat/DeLoreanCopy.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
2.9.3.3/win32/bat/DeLoreanHanoi.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
2.9.3.3/win32/bat/DeLoreanHanoi.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
2.9.3.3/win32/Doc/ln.html
-
Size
337KB
-
MD5
d74ab50b5fdd66148cc8114aa4aa937f
-
SHA1
c27018e520910a3bca18072ebc98baf5f529d95b
-
SHA256
befa1d9242e386cf48924f9baa53357993077f25c41bf424ebca81ef5347bdef
-
SHA512
a1496d0e3879c27d77dbb697e943dd69e529eafa74c3753bc69764b5041fcbcbfa915cf7f63139f873abd775f87b248463ab8b5aaafa777e4432fafa7bcbae93
-
SSDEEP
6144:g0idqvdLbxA1tcd7U3kfJOcEf+ax3+FbZq8g6XKU11oi3PYjVfBc5uJxMxXXYOe:gFSbe1tcZUUfS78g6XKU11oi3PYjVfBL
Malware Config
Signatures
-
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408851c09bdcd801 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102a62c09bdcd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\International\CpMRU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3190320139" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989467" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000ed1a449ed151c6d31a9a5085d8eda29a58d23767558113dc16eac899f1866fd1000000000e8000000002000020000000b3fec4e7d68e3f7f26d475b77c402984244e39a5566a300adede170e710597e8200000000ae0247b12bb3c88e60c887ef5bd50295df004774ce9cf0ee804c5ecedf24b0640000000343ca63ea88147a2b34331b005bdc3ed9c078fc4cb9db7b86283db495e3acf93ef75cd19233e501026dbfe35ef73c3d22d12ad181c04ad4f753e157e39449399 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E696A746-488E-11ED-B696-F639923F7CA1} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989467" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3204852175" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000745fba387d13458c2bcdfd2d006c8e8e8f19581cad0e16dfce4e5178e5cc68ef000000000e80000000020000200000001e99fa203a5bc92a70945c746c68030ea45abff2baa7859b155a5e858d2118172000000032393a6fb929e43964b78e81b2290313c0da97321b8366f63c540383fc3c90534000000044d19a95d83465a3e85b536effac662862ed9cdb23b96d4901ac744a751994510e3afdd407f92b9ae7c8da4f9e638ffe8d36b6861b0b29044da19bf81a5bf46c iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3190320139" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989467" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372166392" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3232 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3232 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3232 iexplore.exe 3232 iexplore.exe 544 IEXPLORE.EXE 544 IEXPLORE.EXE 544 IEXPLORE.EXE 544 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3232 wrote to memory of 544 3232 iexplore.exe 82 PID 3232 wrote to memory of 544 3232 iexplore.exe 82 PID 3232 wrote to memory of 544 3232 iexplore.exe 82
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2.9.3.3\win32\Doc\ln.html1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3232 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:544
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5f353d5071a9d2a4db6413b4d78a761bd
SHA1f9a1b1bacbcdbaf3902f1529c7ccd23046438c01
SHA256fb240094bd6b8ec9dd17df602c669c4b642b1f8acba065924ea5f0d169937ac5
SHA512ac4f8feee797cf840a8f872aa14afd7d44bfd0533c4ec76ef4aee67eb16f58450bed4a0f4e007450e78d79cf33b3ae06d8d82825c5f0cf7a61fb76f741013dcf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD51fddf5b921d2f3c4bcb4b5ef6a1040cc
SHA15691fa9677a6f16bcc7f6d4537b6c2db310cad98
SHA2563b771037964f56f6923ebb1716224614b2ccd542db01f2ce57149496a0ffa465
SHA512f89248d546ce91207859fcff01a61047af903ad250d728c8742a9e64c3d73ff2b57abe4fa721f9740492eb272caf055212e415f0d7f9721c0e858c736f9e4b2f