Overview
overview
10Static
static
10text/part0...55.xml
windows10-1703-x64
1text/part0...56.xml
windows10-1703-x64
1text/part0...57.xml
windows10-1703-x64
1text/part0...58.xml
windows10-1703-x64
1text/part0...59.xml
windows10-1703-x64
1text/part0...60.xml
windows10-1703-x64
1text/part0...61.xml
windows10-1703-x64
1text/part0...62.xml
windows10-1703-x64
1text/part0...63.xml
windows10-1703-x64
1text/part0...65.xml
windows10-1703-x64
1text/part0...66.xml
windows10-1703-x64
1text/part0...67.xml
windows10-1703-x64
1text/part0...68.xml
windows10-1703-x64
1text/part0...69.xml
windows10-1703-x64
1text/part0...70.xml
windows10-1703-x64
1text/part0...71.xml
windows10-1703-x64
1text/part0...72.xml
windows10-1703-x64
1text/part0...73.xml
windows10-1703-x64
1text/part0...75.xml
windows10-1703-x64
1text/part0...76.xml
windows10-1703-x64
1text/part0...77.xml
windows10-1703-x64
1text/part0...78.xml
windows10-1703-x64
1text/part0...79.xml
windows10-1703-x64
1text/part0...80.xml
windows10-1703-x64
1text/part0...81.xml
windows10-1703-x64
1text/part0...82.xml
windows10-1703-x64
1text/part0...83.xml
windows10-1703-x64
1text/part0...84.xml
windows10-1703-x64
1text/part0...85.xml
windows10-1703-x64
1text/part0...86.xml
windows10-1703-x64
1titlepage.xml
windows10-1703-x64
1toc.xml
windows10-1703-x64
1Analysis
-
max time kernel
94s -
max time network
227s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
19-11-2022 12:00
Behavioral task
behavioral1
Sample
text/part0000_split_055.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
text/part0000_split_056.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
text/part0000_split_057.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
text/part0000_split_058.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
text/part0000_split_059.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
text/part0000_split_060.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
text/part0000_split_061.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
text/part0000_split_062.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
text/part0000_split_063.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
text/part0000_split_065.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
text/part0000_split_066.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
text/part0000_split_067.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
text/part0000_split_068.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
text/part0000_split_069.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
text/part0000_split_070.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
text/part0000_split_071.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
text/part0000_split_072.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
text/part0000_split_073.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
text/part0000_split_075.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
text/part0000_split_076.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
text/part0000_split_077.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
text/part0000_split_078.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
text/part0000_split_079.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
text/part0000_split_080.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
text/part0000_split_081.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
text/part0000_split_082.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
text/part0000_split_083.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
text/part0000_split_084.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
text/part0000_split_085.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
text/part0000_split_086.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
titlepage.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral32
Sample
toc.xml
Resource
win10-20220812-en
windows10-1703-x64
General
-
Target
text/part0000_split_065.xml
-
Size
4KB
-
MD5
685dd7fce786b74e4cc861e6441ce460
-
SHA1
dfe8891b2a678705147d208cc1738820fe3b0465
-
SHA256
efde0f813e80bfa3c0fc0e235d535c7e9f1076bc6686b9ffce754781fdd94cce
-
SHA512
c62f539a9d07b634553ac7c04f0ba024fb0eed59f633de991cb841818e755e5195763b7683c81249e3b9cd42ded602376e7817edaf29beb5b8133139f643770e
-
SSDEEP
96:byhe8DDRoDgeBZtxqDyMSYDOM8UrWt/4ODGOQPDsUBU:bzZiSfKrWwg
Malware Config
Signatures
-
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E35B0C6E-6801-11ED-9424-DEC334A64072} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997518" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048dd1ad2bf5eea499f26ca602abd8011000000000200000000001066000000010000200000000175f8e482d9f2db6c792c6e270cb99ffacb0475314c387b306b35a8cb955c23000000000e800000000200002000000075816cee3c120e510d622781ddb5d9ca90814418cf9b26f5211124ed5162486c20000000d70e78cf0d1bd6ac415493ee32c798852fd1aa1c821cd1b0f68690619347eebc40000000bcf9089da88ff710eadf5374549d6cf02d2a6dacea515094aa57041c1579111189ceeeedaf67fb1806a533d3814248a53a68ba74262aaae3e617bb583835898b iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997518" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 700ce5b80efcd801 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3093740153" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375640852" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3085771970" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3085771970" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375624258" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375672844" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997518" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048dd1ad2bf5eea499f26ca602abd801100000000020000000000106600000001000020000000c7877596452c7fbb131c179fcb02f9625a4bcd8a86d720979523062d6b46f28a000000000e800000000200002000000066a6273117e397fc892df88c62b29e9b8c990c7f3e490a235524e688020faf3320000000277e4a7065e6086197ad530317ab61a10be6a8bfa0fb1330328ef05ec015a12f4000000077d87e86c2b03140136a7718660a10e2ab5f397512f77c4f0412270a47c67c8eaac5e82a47f6add625744f6648ebde265d1cf0e92460c9e1080e6df7ec8fec03 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5082eeb80efcd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3760 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3760 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3760 iexplore.exe 3760 iexplore.exe 3316 IEXPLORE.EXE 3316 IEXPLORE.EXE 3316 IEXPLORE.EXE 3316 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2172 wrote to memory of 3760 2172 MSOXMLED.EXE 66 PID 2172 wrote to memory of 3760 2172 MSOXMLED.EXE 66 PID 3760 wrote to memory of 3316 3760 iexplore.exe 68 PID 3760 wrote to memory of 3316 3760 iexplore.exe 68 PID 3760 wrote to memory of 3316 3760 iexplore.exe 68
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\text\part0000_split_065.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\text\part0000_split_065.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3760 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3316
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD57b35d09c8d594ddc91418302b68198a6
SHA174cd30ebe4bb6d31cb7a0b2987590f9ce9ff8659
SHA256286981a655ce6984be66771a091daa1bea33a43cb7233ac74d2f43825281ec05
SHA512a19a14c619d3ae1600595c4e21a1ae9112548029bfacfe0fb877ff0a7cf5d147370364444a044b94b69a088f58ce8035d42ef33d756f9afcb970fe2c32b8dd69
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD58a6a5e117ac131d0f9513a67d5b22c7c
SHA15ba96fa123e3610316f294589f77ba57210384af
SHA256a70497ad872fc75628d635c87a03e20542370e0dbc3d9bd0ba26d5271366c3e6
SHA512334d57d3c8eb72dba981a35c89d202211468187d69ad9503c8c45f2f72d1f308ea749ad3657259ac17912aae1bcde14a6c20b288673aab07c2cc590d760057bf
-
Filesize
615B
MD550b5129b37f076691f50060e56302090
SHA16e16b1fb8b12d4352f90d218a73d64cb2c01ce28
SHA256fa87cf9c122d116d42281d67abd15144b7ff8ee412bf7f0faa279f77d3c4cdf0
SHA5124baf6c9db7d997fb61441272eb70d3de40df05e08ec05b5a5d0b3db5951c8f5801c8e126c83564e13fb25fdcea36c397e785c467d258561c9b51852b3a9d1a22
-
Filesize
615B
MD58c4d99b8da22aba203c64f1ca93f597e
SHA1afe507739a000e1fca95fdc33bde8d33ea4b2dc3
SHA256087f3bdefe6b32af6dafea4cf67b14b50c81f50664172c4fe1654290607bbee0
SHA51218c57f8311450c152b96532fb6635ad730415b94c65c650b88fa1f448357dffb7e8f29e2b286c958d0c0b37f7568a5841b83a264a5ee99817963510717b3278e