Overview
overview
10Static
static
10text/part0...55.xml
windows10-1703-x64
1text/part0...56.xml
windows10-1703-x64
1text/part0...57.xml
windows10-1703-x64
1text/part0...58.xml
windows10-1703-x64
1text/part0...59.xml
windows10-1703-x64
1text/part0...60.xml
windows10-1703-x64
1text/part0...61.xml
windows10-1703-x64
1text/part0...62.xml
windows10-1703-x64
1text/part0...63.xml
windows10-1703-x64
1text/part0...65.xml
windows10-1703-x64
1text/part0...66.xml
windows10-1703-x64
1text/part0...67.xml
windows10-1703-x64
1text/part0...68.xml
windows10-1703-x64
1text/part0...69.xml
windows10-1703-x64
1text/part0...70.xml
windows10-1703-x64
1text/part0...71.xml
windows10-1703-x64
1text/part0...72.xml
windows10-1703-x64
1text/part0...73.xml
windows10-1703-x64
1text/part0...75.xml
windows10-1703-x64
1text/part0...76.xml
windows10-1703-x64
1text/part0...77.xml
windows10-1703-x64
1text/part0...78.xml
windows10-1703-x64
1text/part0...79.xml
windows10-1703-x64
1text/part0...80.xml
windows10-1703-x64
1text/part0...81.xml
windows10-1703-x64
1text/part0...82.xml
windows10-1703-x64
1text/part0...83.xml
windows10-1703-x64
1text/part0...84.xml
windows10-1703-x64
1text/part0...85.xml
windows10-1703-x64
1text/part0...86.xml
windows10-1703-x64
1titlepage.xml
windows10-1703-x64
1toc.xml
windows10-1703-x64
1Analysis
-
max time kernel
144s -
max time network
227s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
19-11-2022 12:00
Behavioral task
behavioral1
Sample
text/part0000_split_055.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
text/part0000_split_056.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
text/part0000_split_057.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
text/part0000_split_058.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
text/part0000_split_059.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
text/part0000_split_060.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
text/part0000_split_061.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
text/part0000_split_062.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
text/part0000_split_063.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
text/part0000_split_065.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
text/part0000_split_066.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
text/part0000_split_067.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
text/part0000_split_068.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
text/part0000_split_069.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
text/part0000_split_070.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
text/part0000_split_071.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
text/part0000_split_072.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
text/part0000_split_073.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
text/part0000_split_075.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
text/part0000_split_076.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
text/part0000_split_077.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
text/part0000_split_078.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
text/part0000_split_079.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
text/part0000_split_080.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
text/part0000_split_081.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
text/part0000_split_082.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
text/part0000_split_083.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
text/part0000_split_084.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
text/part0000_split_085.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
text/part0000_split_086.xml
Resource
win10-20220901-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
titlepage.xml
Resource
win10-20220812-en
windows10-1703-x64
Behavioral task
behavioral32
Sample
toc.xml
Resource
win10-20220812-en
windows10-1703-x64
General
-
Target
text/part0000_split_058.xml
-
Size
25KB
-
MD5
7e95967dbc295641377f096ed0abbb96
-
SHA1
c9518c9bd2e18e40aa64ff98f4dd69ec5a807302
-
SHA256
e2f2b5e37b1b7c8dfd52dbe8a9f5fcc9f241912331c5967a7716e1c663620450
-
SHA512
8d79783b16b0aceb0f34be1ff54fef72559766a5e7d705503fe56b570a0ea95a34ef5c7cbc9959e4ad55ec91223fb042e424e1cf640a088ed628ac0a9dfd2f73
-
SSDEEP
768:in7g5YeRQs6Nba1G5csWhWW1gD4OdTd596G:y7C7QsOXesWhWW1gsOdx5wG
Malware Config
Signatures
-
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a196bc8c721ecc4bae158dede57d76ea0000000002000000000010660000000100002000000096dc34937d1a167680d35f33fc964584da453976834ef1325f34afab96e625c9000000000e8000000002000020000000f36bfcb544ca4d3753dfcb5b4a8d4feaa0fe976e0fe06b9f478cadbea638867020000000fb3c8de0ebb43a51e440514b2821889a80ded37f742f5081d1472c34e6cbe0d0400000009de551dc4c6516f3787bfef89b19fa6846e42d78d19132387491257a287b252bd6b0d563d96fcea0a780fe80d191b3ab8ed3cc743dd94ce5f3d1dff07002b676 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375676445" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375644471" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a196bc8c721ecc4bae158dede57d76ea00000000020000000000106600000001000020000000061e75223078a914c7d07b709e530d1f1d32b636013876ab6131aa0e3c9dd5a6000000000e8000000002000020000000db3d7f2c69be12efa79201491b5b80b1833f33bf3c46ef02cffbcbf4b34619e82000000028ad09477c25ad64a44a716bd7dd96fc9eca5cac063d20e502e09c7d365e688040000000ffe5775d1b1a32a980fe62b1c502f4735fdaf681f6d5df9d474bbce3c246b55c38e9b54951de549978a7a3d5e34d395d9b68bb1f914b4acb67e05bf0d6cf4d3e iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "440024510" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "426742553" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375627859" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ff701a17fcd801 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006a921a17fcd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{449D2132-680A-11ED-A7A3-C21852EE622F} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997527" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "426742553" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527" IEXPLORE.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5016 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5016 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 5016 iexplore.exe 5016 iexplore.exe 4052 IEXPLORE.EXE 4052 IEXPLORE.EXE 4052 IEXPLORE.EXE 4052 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4324 wrote to memory of 5016 4324 MSOXMLED.EXE 66 PID 4324 wrote to memory of 5016 4324 MSOXMLED.EXE 66 PID 5016 wrote to memory of 4052 5016 iexplore.exe 68 PID 5016 wrote to memory of 4052 5016 iexplore.exe 68 PID 5016 wrote to memory of 4052 5016 iexplore.exe 68
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\text\part0000_split_058.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\text\part0000_split_058.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5016 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4052
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD57b35d09c8d594ddc91418302b68198a6
SHA174cd30ebe4bb6d31cb7a0b2987590f9ce9ff8659
SHA256286981a655ce6984be66771a091daa1bea33a43cb7233ac74d2f43825281ec05
SHA512a19a14c619d3ae1600595c4e21a1ae9112548029bfacfe0fb877ff0a7cf5d147370364444a044b94b69a088f58ce8035d42ef33d756f9afcb970fe2c32b8dd69
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD588f7579ae6a8c42e5d072fe4c286c080
SHA1c21b6fcd66ab2703ee4c60d0ea226e92f79550d9
SHA25635c688836bad19d720d09d1c811f2c0b5818958b653b069f29c1d271dae87524
SHA5126eee0168c352b246351260a9b9510fdab50daf7d37da975213364d8b89d3881c9af1c8c70deb3d546d3d7cf1011b8d3e3e81fd58bce42a69cfc9aac07b10c99e
-
Filesize
610B
MD594fb30267d972e3306d82d496420dffc
SHA12f45b1625b931a9ea219e95ea9e66c4c88fe9c2f
SHA256b4818eefc384aa029d0905a0830c76ad72f1912699046462409517d8063cd5ee
SHA5129e6c13225e65e22b8d2dad0fd863b389e26aef19f80b8d6d9ee0bfcbacf3cca7b04dde0124cce9a25a0509fd9ea6914fd85d565472c34af784431c1e2c40a884
-
Filesize
610B
MD5f793beb4e488bf469f28a7784675bfee
SHA12a7957818a0beb7563f5f1c5c76f910e42e1dabf
SHA2568198b1c2f4f6a675cbb59cf11258f4a6153942f8177da6f1f13062e4afa59054
SHA51217bc12935e185f4ac62f1b814d872102e7077015ba36617cdd915ab65585724931afa877c484d65f21ca2c99de09e4499ece96b97af659b7626d0ba8f41892bd