Overview
overview
10Static
static
10text/part0...55.xml
windows10-1703-x64
1text/part0...56.xml
windows10-1703-x64
1text/part0...57.xml
windows10-1703-x64
1text/part0...58.xml
windows10-1703-x64
1text/part0...59.xml
windows10-1703-x64
1text/part0...60.xml
windows10-1703-x64
1text/part0...61.xml
windows10-1703-x64
1text/part0...62.xml
windows10-1703-x64
1text/part0...63.xml
windows10-1703-x64
1text/part0...65.xml
windows10-1703-x64
1text/part0...66.xml
windows10-1703-x64
1text/part0...67.xml
windows10-1703-x64
1text/part0...68.xml
windows10-1703-x64
1text/part0...69.xml
windows10-1703-x64
1text/part0...70.xml
windows10-1703-x64
1text/part0...71.xml
windows10-1703-x64
1text/part0...72.xml
windows10-1703-x64
1text/part0...73.xml
windows10-1703-x64
1text/part0...75.xml
windows10-1703-x64
1text/part0...76.xml
windows10-1703-x64
1text/part0...77.xml
windows10-1703-x64
1text/part0...78.xml
windows10-1703-x64
1text/part0...79.xml
windows10-1703-x64
1text/part0...80.xml
windows10-1703-x64
1text/part0...81.xml
windows10-1703-x64
1text/part0...82.xml
windows10-1703-x64
1text/part0...83.xml
windows10-1703-x64
1text/part0...84.xml
windows10-1703-x64
1text/part0...85.xml
windows10-1703-x64
1text/part0...86.xml
windows10-1703-x64
1titlepage.xml
windows10-1703-x64
1toc.xml
windows10-1703-x64
1Analysis
-
max time kernel
136s -
max time network
242s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
19-11-2022 12:00
Behavioral task
behavioral1
Sample
text/part0000_split_055.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
text/part0000_split_056.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
text/part0000_split_057.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
text/part0000_split_058.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
text/part0000_split_059.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
text/part0000_split_060.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
text/part0000_split_061.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
text/part0000_split_062.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
text/part0000_split_063.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
text/part0000_split_065.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
text/part0000_split_066.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
text/part0000_split_067.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
text/part0000_split_068.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
text/part0000_split_069.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
text/part0000_split_070.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
text/part0000_split_071.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
text/part0000_split_072.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
text/part0000_split_073.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
text/part0000_split_075.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
text/part0000_split_076.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
text/part0000_split_077.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
text/part0000_split_078.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
text/part0000_split_079.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
text/part0000_split_080.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
text/part0000_split_081.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
text/part0000_split_082.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
text/part0000_split_083.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
text/part0000_split_084.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
text/part0000_split_085.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
text/part0000_split_086.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
titlepage.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral32
Sample
toc.xml
Resource
win10-20220812-en
windows10-1703-x64
General
-
Target
text/part0000_split_057.xml
-
Size
1KB
-
MD5
891223d75c88f06a70281a33e16111b9
-
SHA1
d44943be450e6a166c414019fb150d1f91c7d980
-
SHA256
a513e78de4f7553fbfd9509457b971005ee4a9385d45fa04588e94f1637bffd6
-
SHA512
27d57c44d92446b68c63f1a112fd18fd5d64fc0ade12460071a1f8faab8d118d15922e88a77007f8c84d2bea34f6ae924300dd2303d393afde7b16b3c61b64a0
Malware Config
Signatures
-
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375676467" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375644476" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "684551095" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0cbe52a17fcd801 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "568614273" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "568614273" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50041f2b17fcd801 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000047cfc34f3663dd4c85b7ec47b6a947190000000002000000000010660000000100002000000029cf0f9f4d981bb4ddf515035ed3fc2a746aacaa391dcc73fa23b1f1fa60ffcc000000000e80000000020000200000006929b6318595527487f533cf9f12d97d2444f33b25910a358a51bc2eae90d3bb200000008b7d31f15eb5f7ff0c6c12c2964c996c48ce2fbf9802ab63d59a05a664b3f0de4000000053795197edaa7542aee0ed7b2bca0c843dbdff4cf5b267eafa5beb205b3a676845ce64695f443d1bcab1f3e8a52348aceda016d8f36903b47013d9aa88bd820f iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C3DB4C3-680A-11ED-A973-E6969348A192} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997527" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375627882" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000047cfc34f3663dd4c85b7ec47b6a947190000000002000000000010660000000100002000000063b964e98f892e7de69b2236920950de06d85a63d16b11750f4c3874939a822a000000000e8000000002000020000000e58ada8c8fd1a0b09bf31e1641b3fa57fcce3e28b0d436d65fd9c2c67c1ef92b200000006366740189843f516ec96b6aab5ddc758882f33a92a30c9a8797838e6b92821c400000000dd42baa4df1307917bb87aef0824a28a67e7fe418babab813c5d7fdbf2a12784900e740c42bae77f1833720fc44bdcfdefd5721bb3293fe440e57c1d8c9fbba iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2452 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2452 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2452 iexplore.exe 2452 iexplore.exe 1572 IEXPLORE.EXE 1572 IEXPLORE.EXE 1572 IEXPLORE.EXE 1572 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2452 2132 MSOXMLED.EXE 66 PID 2132 wrote to memory of 2452 2132 MSOXMLED.EXE 66 PID 2452 wrote to memory of 1572 2452 iexplore.exe 68 PID 2452 wrote to memory of 1572 2452 iexplore.exe 68 PID 2452 wrote to memory of 1572 2452 iexplore.exe 68
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\text\part0000_split_057.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\text\part0000_split_057.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1572
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD57b35d09c8d594ddc91418302b68198a6
SHA174cd30ebe4bb6d31cb7a0b2987590f9ce9ff8659
SHA256286981a655ce6984be66771a091daa1bea33a43cb7233ac74d2f43825281ec05
SHA512a19a14c619d3ae1600595c4e21a1ae9112548029bfacfe0fb877ff0a7cf5d147370364444a044b94b69a088f58ce8035d42ef33d756f9afcb970fe2c32b8dd69
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD531df8b673385f0fd54b8ff71133ca02e
SHA12a46389f55d3d8f6f27ef9fd595e24c29ff172aa
SHA256951e360b40558c6979c9856141691b927cf2889db6a6e62294ec07cdd95d2a65
SHA51223bb0b4162e0cee52ebe51848d56a5756a9f1d4effa9415f8a1c71613574417ec3cfa7c91210aad1238a62c166f4ce527ea381d725fc28d626c746cc03f89d22
-
Filesize
615B
MD5c7f230e49ccf6aea2a15a024a281033f
SHA1b5e209b13085790cd8e08acdfe43781be7ec7dc7
SHA256efb5f547ba6098cc78cad6b2c375467239d0deea0bdf0d6b8f705bd50c73f3af
SHA512fab9394d2b5d688ed77eb5929214ae67b12cc08a532bf6ce1f69e57e9c5fffd1ce171adad7e68443a8e239e0df1b4e350dd3a9dbc6084de2fa9daeb19ef826f5
-
Filesize
615B
MD525b7127377f41102fe1c05c8e53fdcf9
SHA141efde319824fb8a489fdfe2af171d1461bf117e
SHA25692ee1f7001a79fbb14789216d4b38f6a80ef80fbe96eaa19547ece7392a8c005
SHA5125cac2263a61faca290ae18d765546a176e6da243d0023593505c1305c2b1f5c8b6849c56f2e2d7c03c5563e43f7a0cc86a7c9cf5ca4bd888563c9c03710f58d4