Static
static
wp-asset-c...ain.js
wp-asset-c...ain.js
wp-asset-c...min.js
wp-asset-c...min.js
windows10-2004-x64
1wp-asset-c...re.xml
windows7-x64
1wp-asset-c...re.xml
windows10-2004-x64
1wp-asset-c...ie.xml
windows7-x64
1wp-asset-c...ie.xml
windows10-2004-x64
1wp-asset-c...al.xml
windows7-x64
1wp-asset-c...al.xml
windows10-2004-x64
1wp-asset-c...ue.xml
windows7-x64
1wp-asset-c...ue.xml
windows10-2004-x64
1wp-asset-c...me.jpg
windows7-x64
3wp-asset-c...me.jpg
windows10-2004-x64
3wp-asset-c...go.xml
windows7-x64
1wp-asset-c...go.xml
windows10-2004-x64
1wp-asset-c...min.js
windows7-x64
1wp-asset-c...min.js
windows10-2004-x64
1wp-asset-c...rt2.js
windows7-x64
1wp-asset-c...rt2.js
windows10-2004-x64
1wp-asset-c...min.js
windows7-x64
1wp-asset-c...min.js
windows10-2004-x64
1wp-asset-c...bug.js
windows7-x64
1wp-asset-c...bug.js
windows10-2004-x64
1wp-asset-c...ar.ps1
windows7-x64
1wp-asset-c...ar.ps1
windows10-2004-x64
1wp-asset-c...es.ps1
windows7-x64
1wp-asset-c...es.ps1
windows10-2004-x64
1wp-asset-c...nUp.js
windows7-x64
1wp-asset-c...nUp.js
windows10-2004-x64
1wp-asset-c...ug.ps1
windows7-x64
1wp-asset-c...ug.ps1
windows10-2004-x64
1Analysis
-
max time kernel
133s -
max time network
188s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2022, 13:42
Static task
static1
Behavioral task
behavioral1
Sample
wp-asset-clean-up-pro/assets/auto-complete/main.js
Behavioral task
behavioral2
Sample
wp-asset-clean-up-pro/assets/auto-complete/main.js
Behavioral task
behavioral3
Sample
wp-asset-clean-up-pro/assets/chosen/chosen.jquery.min.js
Behavioral task
behavioral4
Sample
wp-asset-clean-up-pro/assets/chosen/chosen.jquery.min.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
wp-asset-clean-up-pro/assets/icons/icon-cloudflare.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral6
Sample
wp-asset-clean-up-pro/assets/icons/icon-cloudflare.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
wp-asset-clean-up-pro/assets/icons/icon-ie.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
wp-asset-clean-up-pro/assets/icons/icon-ie.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
wp-asset-clean-up-pro/assets/icons/loader-horizontal.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral10
Sample
wp-asset-clean-up-pro/assets/icons/loader-horizontal.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
wp-asset-clean-up-pro/assets/icons/premium-plugins/gravityforms-blue.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
wp-asset-clean-up-pro/assets/icons/premium-plugins/gravityforms-blue.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
wp-asset-clean-up-pro/assets/icons/themes/betheme.jpg
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
wp-asset-clean-up-pro/assets/icons/themes/betheme.jpg
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
wp-asset-clean-up-pro/assets/icons/woocommerce-icon-logo.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral16
Sample
wp-asset-clean-up-pro/assets/icons/woocommerce-icon-logo.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
wp-asset-clean-up-pro/assets/script.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
wp-asset-clean-up-pro/assets/script.min.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
wp-asset-clean-up-pro/assets/sweetalert2/dist/sweetalert2.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
wp-asset-clean-up-pro/assets/sweetalert2/dist/sweetalert2.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
wp-asset-clean-up-pro/assets/tooltipster/tooltipster.bundle.min.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral22
Sample
wp-asset-clean-up-pro/assets/tooltipster/tooltipster.bundle.min.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
wp-asset-clean-up-pro/assets/wpacu-debug.js
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral24
Sample
wp-asset-clean-up-pro/assets/wpacu-debug.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
wp-asset-clean-up-pro/classes/AdminBar.ps1
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
wp-asset-clean-up-pro/classes/AdminBar.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
wp-asset-clean-up-pro/classes/BulkChanges.ps1
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral28
Sample
wp-asset-clean-up-pro/classes/BulkChanges.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
wp-asset-clean-up-pro/classes/CleanUp.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
wp-asset-clean-up-pro/classes/CleanUp.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
wp-asset-clean-up-pro/classes/Debug.ps1
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
wp-asset-clean-up-pro/classes/Debug.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
wp-asset-clean-up-pro/assets/icons/icon-cloudflare.xml
-
Size
1KB
-
MD5
a6f95823344b1b66f56a9eb699384d5d
-
SHA1
b2c33f92ffd27c2678823f6a2df2bef4b60dc284
-
SHA256
e0edf50a3b4ce9018914a131a8250f31837d5d3cb08ece7f805c4aac70593436
-
SHA512
f83c69d85fd3966de6b6f89cba9c532188d532d8a50eee8c86c1fc2bc3c5f3a7730446237104adb230a2830f2274887c939cc13ddc0b419c18a5d17f2a815316
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990509" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20dc7e35ade0d801 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000e0c8026a7bab8a8f96751935ffc06413d64675ced7f08782417926b7cec71df5000000000e80000000020000200000008290e68d483084b103fea85a3328c97c3d053c01c21d7dbb229810fad96ae3d020000000a9aee17642140dc722f1afd33a4027b4d433ea90bcfba9b9956431e09fe6e65540000000e9a603b9bd0b090c3a2f09bc1f60b1bbbb29e7f46285178f2c9eb808939edd9944c53bef31ab0e0e05bbd06e69f3916619ca026abbebf8d768024de72e3f20f7 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1176418143" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30990509" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990509" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1176418143" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30990509" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000d1e815654070f9a75c7fb5f5ea8c22a46e8b28804d48690319cf94d6fb201e27000000000e80000000020000200000005211e88801637360ad4e7c389335aa5dee03ca4753eefc3fd56e82b030e8e41c20000000162f784fc84645888de111dac2fe53e1a2d1aad5b3ea06fd69c93d3272ea5971400000003d4fa6db623e156f0b17ef3ec49fe6ef5d4af2589b802dd815d83e26267b27982e710d0097339706690fcbb6150e6204ac5169abe1bc698fe743c0574e80083b iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d4fa45ade0d801 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "897200530" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D654477-4CA0-11ED-B696-C264E7FE3618} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "897355824" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372613693" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4112 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4112 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4112 iexplore.exe 4112 iexplore.exe 2056 IEXPLORE.EXE 2056 IEXPLORE.EXE 2056 IEXPLORE.EXE 2056 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4772 wrote to memory of 4112 4772 MSOXMLED.EXE 80 PID 4772 wrote to memory of 4112 4772 MSOXMLED.EXE 80 PID 4112 wrote to memory of 2056 4112 iexplore.exe 82 PID 4112 wrote to memory of 2056 4112 iexplore.exe 82 PID 4112 wrote to memory of 2056 4112 iexplore.exe 82
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\wp-asset-clean-up-pro\assets\icons\icon-cloudflare.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\wp-asset-clean-up-pro\assets\icons\icon-cloudflare.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4112 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2056
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5635fcc1aee365eda7128db61d981aa5c
SHA1a35b851b0af54180a91566b2ec2e50f21a85a54c
SHA2565f2300980b866ce4c808c8c5b5383a7777cff9eff3b5468b9a3a5d175f552700
SHA5127f1400556575d86c8243c6be279d59fa35cdd400d7003d40c25852a0ad203aa053fec1b7f45107b1f66ac505deb47a2341a71642ad9f7f0e8c4bd57ebe43d918
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD54fff6678ae44efe7f543dc130c4cec8f
SHA1aed4678e2295df05e1097f23587fd26dd28656d0
SHA256fd1bdf04fd8e9a9f06d3b3d9fc0573ec9f80fdebb56a9a794ee5653475ab716a
SHA512cd11eccd86a916519e42890dd063c433cdfd9444125a32e2458bbcf7b8f44c6277a7d134f6411325a70e7d316e5f7bf1bdee3e76a620103c5e331f4f70803c7e