Overview
overview
5Static
static
d7361457b9...d99.gz
windows7-x64
3d7361457b9...d99.gz
windows10-2004-x64
3.new/ascri...ce.vbs
windows7-x64
1.new/ascri...ce.vbs
windows10-2004-x64
1.new/ascri...er.vbs
windows7-x64
1.new/ascri...er.vbs
windows10-2004-x64
1.new/ascri..._N.ps1
windows7-x64
1.new/ascri..._N.ps1
windows10-2004-x64
1.new/ascri..._n.ps1
windows7-x64
1.new/ascri..._n.ps1
windows10-2004-x64
1.new/ascri..._s.vbs
windows7-x64
1.new/ascri..._s.vbs
windows10-2004-x64
1.new/ascri..._X.vbs
windows7-x64
1.new/ascri..._X.vbs
windows10-2004-x64
1.new/ascri..._m.ps1
windows7-x64
1.new/ascri..._m.ps1
windows10-2004-x64
1.new/ascri..._o.vbs
windows7-x64
1.new/ascri..._o.vbs
windows10-2004-x64
1.new/ascri..._l.vbs
windows7-x64
1.new/ascri..._l.vbs
windows10-2004-x64
1.new/ascri..._v.vbs
windows7-x64
1.new/ascri..._v.vbs
windows10-2004-x64
1.new/ascri..._q.vbs
windows7-x64
1.new/ascri..._q.vbs
windows10-2004-x64
1.new/auto
ubuntu-18.04-amd64
5.new/auto
debian-9-armhf
5.new/auto
debian-9-mips
5.new/auto
debian-9-mipsel
1.new/doc/TRICKS.vbs
windows7-x64
1.new/doc/TRICKS.vbs
windows10-2004-x64
1.new/doc/h...t.html
windows7-x64
1.new/doc/h...t.html
windows10-2004-x64
1Analysis
-
max time kernel
139s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
27-11-2022 17:56
Static task
static1
Behavioral task
behavioral1
Sample
d7361457b9a5090057132219b1212d6fdee117069039df7baf757ba5b5d52d99.gz
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral2
Sample
d7361457b9a5090057132219b1212d6fdee117069039df7baf757ba5b5d52d99.gz
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
.new/ascript/a&a_03_a_xservice.vbs
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral4
Sample
.new/ascript/a&a_03_a_xservice.vbs
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
.new/ascript/a&a_10_a_owner.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
.new/ascript/a&a_10_a_owner.vbs
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
.new/ascript/a&a_11_a_global_N.ps1
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral8
Sample
.new/ascript/a&a_11_a_global_N.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
.new/ascript/a&a_12_a_global_n.ps1
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
.new/ascript/a&a_12_a_global_n.ps1
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
.new/ascript/a&a_17_a_global_s.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral12
Sample
.new/ascript/a&a_17_a_global_s.vbs
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
.new/ascript/a&a_21_a_local_X.vbs
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral14
Sample
.new/ascript/a&a_21_a_local_X.vbs
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
.new/ascript/a&a_23_a_local_m.ps1
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
.new/ascript/a&a_23_a_local_m.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
.new/ascript/a&a_24_a_local_o.vbs
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral18
Sample
.new/ascript/a&a_24_a_local_o.vbs
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
.new/ascript/a&a_25_a_local_l.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
.new/ascript/a&a_25_a_local_l.vbs
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
.new/ascript/a&a_26_a_local_v.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral22
Sample
.new/ascript/a&a_26_a_local_v.vbs
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
.new/ascript/a&a_27_a_local_q.vbs
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral24
Sample
.new/ascript/a&a_27_a_local_q.vbs
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
.new/auto
Resource
ubuntu1804-amd64-en-20211208
ubuntu-18.04-amd64
Behavioral task
behavioral26
Sample
.new/auto
Resource
debian9-armhf-en-20211208
debian-9-armhf
Behavioral task
behavioral27
Sample
.new/auto
Resource
debian9-mipsbe-en-20211208
debian-9-mips
Behavioral task
behavioral28
Sample
.new/auto
Resource
debian9-mipsel-20221111-en
debian-9-mipsel
Behavioral task
behavioral29
Sample
.new/doc/TRICKS.vbs
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
.new/doc/TRICKS.vbs
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
.new/doc/html/about.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
.new/doc/html/about.html
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
.new/doc/html/about.html
-
Size
3KB
-
MD5
8b96d1dfcfa19a0e3f3b9f8a885af155
-
SHA1
97b7d340d1c92a927d7a135ad5ff0866b1d4ce02
-
SHA256
62643fe848f827296342eb30fc6f5022fa22178d1180f556f99aa073fa22aa02
-
SHA512
860e7f69c413ff2eaaaff7f1dce49c40d33def4ecd98a77773987c3b621fc59e19436b4341e683ab5317a227f0e384ed8c03305200116e664abc8d2134703dcc
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{58866271-6F45-11ED-A50E-C6457FCBF3CF} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80e5ba365203d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008b845a54fd5e00499435da61b658362e00000000020000000000106600000001000020000000035f7c171afebb8c85cfff0ada61e8a8156932b88115ba0bdd70b494bffcf00f000000000e8000000002000020000000df55af1bf4b45186cde6ae68c4f12c2571944a296e59ca5386ecb7bd05cad83c200000007e25058cb3a085ca0d789a435aa9b6b54e125f10e238126cf6f3f2c27a55f81e40000000f6dbf08ecdef7ea8b751350406f51b46ec3fcf14b174c2554271cd72de4da28a13e7499056a99ba879be7fd64c0c10b92d1f94068b23a4c2d44de10a447505e9 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008b845a54fd5e00499435da61b658362e0000000002000000000010660000000100002000000085829d95f0f004fb7f408391c54321505d8f5b6e62ad2f7f66737be4208de1e5000000000e8000000002000020000000c5c97fb41426c18b8cb72d849506577e8f303bba78e644a8c68651eac38551dd9000000052044182133cc34977fbdc3d29133e4ed349bef5a2bf05968a8b86b67dc403225be04002b1bf4bc825f27cb9596ac81ddc4076459dfd66b1e69efd20a06175a880864b5772158bd57f07ce1380d5f5ee98a001e840b3bdc588f5b57e27b26d4dcd9149a79493451a828f368348880dea2fceb81e7694991880a842ecadcb88e40ed28f1b8b68084fca0e5b5b45b9f764400000005aba857d4229abc7e35cc838bb83ec0c6b257ad3fa6901f198aef3939b84c75d8f26e3ca90a0a029e31746cf91496fd222620668e060a6054e250d5fd2f49f7d iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376422919" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1732 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1732 iexplore.exe 1732 iexplore.exe 240 IEXPLORE.EXE 240 IEXPLORE.EXE 240 IEXPLORE.EXE 240 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1732 wrote to memory of 240 1732 iexplore.exe 28 PID 1732 wrote to memory of 240 1732 iexplore.exe 28 PID 1732 wrote to memory of 240 1732 iexplore.exe 28 PID 1732 wrote to memory of 240 1732 iexplore.exe 28
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\.new\doc\html\about.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:240
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
608B
MD51d20d984472592d32c750ffea521a3e4
SHA1c4df2e5656bd0c2c0287046bb61ebb2ebbb5ae0f
SHA25681c634c65453ae74b75814b2854d8f3aa4c92819864d7868cc3a4b8f40df029a
SHA512e88af36e38e5f927ee9c5ea8513f5d4a3ed3ac715ad4608dc098ce55254e32a2c0b0e1b95a5c70ff983f0a0cfeee5a0e067d6876eec5baa20bcbffd07b085719