Overview
overview
10Static
static
10text/part0...55.xml
windows10-1703-x64
1text/part0...56.xml
windows10-1703-x64
1text/part0...57.xml
windows10-1703-x64
1text/part0...58.xml
windows10-1703-x64
1text/part0...59.xml
windows10-1703-x64
1text/part0...60.xml
windows10-1703-x64
1text/part0...61.xml
windows10-1703-x64
1text/part0...62.xml
windows10-1703-x64
1text/part0...63.xml
windows10-1703-x64
1text/part0...65.xml
windows10-1703-x64
1text/part0...66.xml
windows10-1703-x64
1text/part0...67.xml
windows10-1703-x64
1text/part0...68.xml
windows10-1703-x64
1text/part0...69.xml
windows10-1703-x64
1text/part0...70.xml
windows10-1703-x64
1text/part0...71.xml
windows10-1703-x64
1text/part0...72.xml
windows10-1703-x64
1text/part0...73.xml
windows10-1703-x64
1text/part0...75.xml
windows10-1703-x64
1text/part0...76.xml
windows10-1703-x64
1text/part0...77.xml
windows10-1703-x64
1text/part0...78.xml
windows10-1703-x64
1text/part0...79.xml
windows10-1703-x64
1text/part0...80.xml
windows10-1703-x64
1text/part0...81.xml
windows10-1703-x64
1text/part0...82.xml
windows10-1703-x64
1text/part0...83.xml
windows10-1703-x64
1text/part0...84.xml
windows10-1703-x64
1text/part0...85.xml
windows10-1703-x64
1text/part0...86.xml
windows10-1703-x64
1titlepage.xml
windows10-1703-x64
1toc.xml
windows10-1703-x64
1Analysis
-
max time kernel
95s -
max time network
226s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
19-11-2022 12:00
Behavioral task
behavioral1
Sample
text/part0000_split_055.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
text/part0000_split_056.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
text/part0000_split_057.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
text/part0000_split_058.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
text/part0000_split_059.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
text/part0000_split_060.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
text/part0000_split_061.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
text/part0000_split_062.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
text/part0000_split_063.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
text/part0000_split_065.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
text/part0000_split_066.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
text/part0000_split_067.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
text/part0000_split_068.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
text/part0000_split_069.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
text/part0000_split_070.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
text/part0000_split_071.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
text/part0000_split_072.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
text/part0000_split_073.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
text/part0000_split_075.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
text/part0000_split_076.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
text/part0000_split_077.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
text/part0000_split_078.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
text/part0000_split_079.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
text/part0000_split_080.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
text/part0000_split_081.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
text/part0000_split_082.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
text/part0000_split_083.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
text/part0000_split_084.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
text/part0000_split_085.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
text/part0000_split_086.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
titlepage.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral32
Sample
toc.xml
Resource
win10-20220812-en
windows10-1703-x64
General
-
Target
text/part0000_split_082.xml
-
Size
1KB
-
MD5
1c6d7bc91d5d498196ec9f38ea51b795
-
SHA1
a124bc3ddfd0f2d8313e5e7a6f4819a7ca3d24b5
-
SHA256
81a13510441f8663c7eb3339df03364a21df5fc62086dfb41ba7447c48e71232
-
SHA512
40d808beacc8760c53082750fe8ddc8271d8c0b36bcf6e8afc3cee7ced5598b2dc9566703a4cd19d2480995d45513d1d01849f8eb4b23473fa6f96259e566713
Malware Config
Signatures
-
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea9265d35ad962438f957b609726524600000000020000000000106600000001000020000000061e1450e9b7829f0461d7df4048846ffb133c0969ff4b1704577d5d0733a852000000000e8000000002000020000000ea10ba7ceda852e1a7e937c207681b5f49047210708db7e6501381e93237a57520000000a26931c6f57f9710b2cafee955807dfab2ace8c0f377f47ad7c040280cc1308b40000000903eda2b680963a3a1b9c38bf1eaaa39739fd1172cd6724bca166e463f25c40970f9a458d1f4d31ec861a5ce2080c002241959230bb9aabdc7080e242b4c83c3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375627859" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800cac1a17fcd801 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "456706743" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997527" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45AEBAAB-680A-11ED-98FA-7AFE47082869} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea9265d35ad962438f957b609726524600000000020000000000106600000001000020000000323422520740518a593afb6f865e6e40c118bcf8997ef39c32436668cce57797000000000e80000000020000200000008abeb4de149ac204eceb33447e166e52e8ef4983f11644f9649a10d15fe0b40420000000c02dfef6a6536e275ac6840cf569cf0a989fc8a0cfaff51104161e6baa1f52864000000095b865b343a2be503e6bcbc4a6af58c580cb8db8614b0c511f8465cb22bf19a46dafb97eb9db9e86817031e934fb120014c1335bc887ebbfe47c461ee0545020 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "456862255" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375676445" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375644453" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20bc381b17fcd801 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3868 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3868 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3868 iexplore.exe 3868 iexplore.exe 4128 IEXPLORE.EXE 4128 IEXPLORE.EXE 4128 IEXPLORE.EXE 4128 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4236 wrote to memory of 3868 4236 MSOXMLED.EXE 66 PID 4236 wrote to memory of 3868 4236 MSOXMLED.EXE 66 PID 3868 wrote to memory of 4128 3868 iexplore.exe 68 PID 3868 wrote to memory of 4128 3868 iexplore.exe 68 PID 3868 wrote to memory of 4128 3868 iexplore.exe 68
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\text\part0000_split_082.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\text\part0000_split_082.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4128
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
610B
MD52eaea345e300195426e106fb99cc74ab
SHA128ceb23cee985594701fd1a6f4feb86889d6ac1e
SHA2566fb1a11cd492422a6e23a18d0f765ae2ce771cf38fb12e443085b9d93103cfbd
SHA5124aedda5c0224d6520e142a7729672459d7a1a5515f3a75ae68a6e61069a6ce64c9304907c9e630c38ae727648780132e5d3b85f88df6ba7d418e9000a7cb7650
-
Filesize
610B
MD56ee6e22929da4b171e408da5e0ccca5f
SHA18c05e6d0862f9405d93fefd0ca3d597b5a714096
SHA256f16637d497d09a70029fa3f8ba3b0d322b97200be8f984217172ebec724131ea
SHA512dcd664c15d69075ef404087ad17a7d48b8753382cb4cca58fa8225982e3d4a1ede0584a8f0c07688a6cab614d15dd77cebf34db4c7725816b99e17821fc483e9