Overview
overview
10Static
static
10text/part0...55.xml
windows10-1703-x64
1text/part0...56.xml
windows10-1703-x64
1text/part0...57.xml
windows10-1703-x64
1text/part0...58.xml
windows10-1703-x64
1text/part0...59.xml
windows10-1703-x64
1text/part0...60.xml
windows10-1703-x64
1text/part0...61.xml
windows10-1703-x64
1text/part0...62.xml
windows10-1703-x64
1text/part0...63.xml
windows10-1703-x64
1text/part0...65.xml
windows10-1703-x64
1text/part0...66.xml
windows10-1703-x64
1text/part0...67.xml
windows10-1703-x64
1text/part0...68.xml
windows10-1703-x64
1text/part0...69.xml
windows10-1703-x64
1text/part0...70.xml
windows10-1703-x64
1text/part0...71.xml
windows10-1703-x64
1text/part0...72.xml
windows10-1703-x64
1text/part0...73.xml
windows10-1703-x64
1text/part0...75.xml
windows10-1703-x64
1text/part0...76.xml
windows10-1703-x64
1text/part0...77.xml
windows10-1703-x64
1text/part0...78.xml
windows10-1703-x64
1text/part0...79.xml
windows10-1703-x64
1text/part0...80.xml
windows10-1703-x64
1text/part0...81.xml
windows10-1703-x64
1text/part0...82.xml
windows10-1703-x64
1text/part0...83.xml
windows10-1703-x64
1text/part0...84.xml
windows10-1703-x64
1text/part0...85.xml
windows10-1703-x64
1text/part0...86.xml
windows10-1703-x64
1titlepage.xml
windows10-1703-x64
1toc.xml
windows10-1703-x64
1Analysis
-
max time kernel
164s -
max time network
227s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
19-11-2022 12:00
Behavioral task
behavioral1
Sample
text/part0000_split_055.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
text/part0000_split_056.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
text/part0000_split_057.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
text/part0000_split_058.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
text/part0000_split_059.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
text/part0000_split_060.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
text/part0000_split_061.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
text/part0000_split_062.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
text/part0000_split_063.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
text/part0000_split_065.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
text/part0000_split_066.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
text/part0000_split_067.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
text/part0000_split_068.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
text/part0000_split_069.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
text/part0000_split_070.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
text/part0000_split_071.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
text/part0000_split_072.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
text/part0000_split_073.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
text/part0000_split_075.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
text/part0000_split_076.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
text/part0000_split_077.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
text/part0000_split_078.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
text/part0000_split_079.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
text/part0000_split_080.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
text/part0000_split_081.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
text/part0000_split_082.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
text/part0000_split_083.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
text/part0000_split_084.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
text/part0000_split_085.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
text/part0000_split_086.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
titlepage.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral32
Sample
toc.xml
Resource
win10-20220812-en
windows10-1703-x64
General
-
Target
text/part0000_split_068.xml
-
Size
1KB
-
MD5
d61b0f2c4ba9624d16b206c9c8f01dd3
-
SHA1
0f805930a7b58dbd25be5cc60261315efb51a2e6
-
SHA256
83f83a2ea9b770a9d2e32b5fe1b13e3911609087da4ac9bb44cccbf47db880d5
-
SHA512
5bd47f4e989e7b412847d280df062b9268c1d9d51fbd21ef93bfcac7bd121ac9813cd16939449b19416983f139b0bd25d0143d6874cfa999b70dbc6513640422
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997518" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997518" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375672844" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048dd1ad2bf5eea499f26ca602abd80110000000002000000000010660000000100002000000001ce50649bce92832e2138afd7cfec6eb3b0f91182737891884312a51c0e6861000000000e80000000020000200000003213f18d92cacc46bd35a9dd7b90db3f3998b80719fa3a9c36bbad7b7801651420000000d64d3d9499d5988ee0a50252b69c69085ddb51a7343dc15e66f3fca9597be51b40000000d9b693bade44f5d9e6a60241d1a6f3e98d17971a9d690a644491eb8606b49207769652284841154e2217060786dcc782e926ccfc132fee88cb786164007bc424 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997518" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E347B761-6801-11ED-9424-DA56E08ABBFF} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3085129104" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3094816287" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048dd1ad2bf5eea499f26ca602abd801100000000020000000000106600000001000020000000ae92dd06cbbb5b087f38c877626d3593a2574956e4566937a81ac67468487634000000000e8000000002000020000000b85458d84fb2757173c8f21053ee9f5c9cd6ce67427d5cf0bd05e53f685e02902000000068349dad368170d8ce211afbe6559f16906a09990e32b9115c9fd347f65fa4ff4000000068eb1e68236c2692019e670b532a55f623e8dd56688b17034f8b68704edf2012039973a5b29202b0b88af5ef861da2d1ef4e4b11307f615723dc88fc873c34a0 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80abd1b80efcd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3085129104" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375640852" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 907fcab80efcd801 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375624259" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3660 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3660 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3660 iexplore.exe 3660 iexplore.exe 2516 IEXPLORE.EXE 2516 IEXPLORE.EXE 2516 IEXPLORE.EXE 2516 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2656 wrote to memory of 3660 2656 MSOXMLED.EXE 66 PID 2656 wrote to memory of 3660 2656 MSOXMLED.EXE 66 PID 3660 wrote to memory of 2516 3660 iexplore.exe 68 PID 3660 wrote to memory of 2516 3660 iexplore.exe 68 PID 3660 wrote to memory of 2516 3660 iexplore.exe 68
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\text\part0000_split_068.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\text\part0000_split_068.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3660 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2516
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD57b35d09c8d594ddc91418302b68198a6
SHA174cd30ebe4bb6d31cb7a0b2987590f9ce9ff8659
SHA256286981a655ce6984be66771a091daa1bea33a43cb7233ac74d2f43825281ec05
SHA512a19a14c619d3ae1600595c4e21a1ae9112548029bfacfe0fb877ff0a7cf5d147370364444a044b94b69a088f58ce8035d42ef33d756f9afcb970fe2c32b8dd69
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD507a994f0d45fc98229eebfa1b7a4939e
SHA119e22d5b76eccdb15bf96b78d180d9ae428c274e
SHA25644a39e7f16c38b60f89ae7d54f0a35976835b704ffb36797ff2ad0d8ba014a6a
SHA5126ffccac75aca3f0b6f7b9201e6d82a24ea614a2a7121ae647f35221ee89f0f408805c71394bf899145e261c0952b75c98f75a975dc2a4c1acadaf7178648a5c8
-
Filesize
615B
MD57c06e0931a6bd1ce55e5d79b631f70c9
SHA1363cda7a6202c341b83949226b2394403bef0a49
SHA256b46fed2f55eae0a15e696b5538519a386f1a13bac80aa63c1916e0893cae117c
SHA51202ec6b39b6b00d67ed3764ba77b089d2d804275399f02e1eef017963e94fe107937afdf4e9d1c4d30f9f1bb81371c2e0e609dcc5799a41256c5941e9c34b379d
-
Filesize
615B
MD5bfe4f133c72a399a55be064ee315fa4d
SHA1e8c2a9abbcf9a9f1264b1bf8e725ae869695ef57
SHA256b07bd1ed3f8f8ff843ebf7e1ef3d19ef65d3a5d72cc72f613523669244d2ff83
SHA5122cb3834db0d78661e1ee3157b56294f1942beba0dfe24e79abb2f14fa515ecd815b26fcabd1e418cb6cafd3c525174e4ada13a7fd2e8c9929e60ae1155b90d6e