Overview
overview
1Static
static
App Settin...me.xml
windows7-x64
1App Settin...me.xml
windows10-2004-x64
1App Settin...gs.xml
windows7-x64
1App Settin...gs.xml
windows10-2004-x64
1App Settin...ng.xml
windows7-x64
1App Settin...ng.xml
windows10-2004-x64
1App Settin...ot.xml
windows7-x64
1App Settin...ot.xml
windows10-2004-x64
1App Settin...ys.xml
windows7-x64
1App Settin...ys.xml
windows10-2004-x64
1App Settin...ve.xml
windows7-x64
1App Settin...ve.xml
windows10-2004-x64
1App Settin...al.xml
windows7-x64
1App Settin...al.xml
windows10-2004-x64
1App Settin...in.xml
windows7-x64
1App Settin...in.xml
windows10-2004-x64
1App Settin...ce.xml
windows7-x64
1App Settin...ce.xml
windows10-2004-x64
1App Settin...ms.xml
windows7-x64
1App Settin...ms.xml
windows10-2004-x64
1App Settin...at.xml
windows7-x64
1App Settin...at.xml
windows10-2004-x64
1App Settin...me.xml
windows7-x64
1App Settin...me.xml
windows10-2004-x64
1App Settin...er.xml
windows7-x64
1App Settin...er.xml
windows10-2004-x64
1App Settin...er.xml
windows7-x64
1App Settin...er.xml
windows10-2004-x64
1App Settin...gs.xml
windows7-x64
1App Settin...gs.xml
windows10-2004-x64
1App Settin...ay.xml
windows7-x64
1App Settin...ay.xml
windows10-2004-x64
1Analysis
-
max time kernel
183s -
max time network
250s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
16/12/2022, 19:43
Static task
static1
Behavioral task
behavioral1
Sample
App Settings/AppXRuntime.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral2
Sample
App Settings/AppXRuntime.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
App Settings/AuditSettings.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral4
Sample
App Settings/AuditSettings.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
App Settings/EventForwarding.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
App Settings/EventForwarding.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
App Settings/ExternalBoot.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral8
Sample
App Settings/ExternalBoot.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
App Settings/FileSys.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
App Settings/FileSys.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
App Settings/SkyDrive.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral12
Sample
App Settings/SkyDrive.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
App Settings/WinCal.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral14
Sample
App Settings/WinCal.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
App Settings/WorkplaceJoin.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
App Settings/WorkplaceJoin.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
App Settings/en-US/ActiveXInstallService.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
App Settings/en-US/ActiveXInstallService.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
App Settings/en-US/AddRemovePrograms.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
App Settings/en-US/AddRemovePrograms.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
App Settings/en-US/AppCompat.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral22
Sample
App Settings/en-US/AppCompat.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
App Settings/en-US/AppXRuntime.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral24
Sample
App Settings/en-US/AppXRuntime.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
App Settings/en-US/AppxPackageManager.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
App Settings/en-US/AppxPackageManager.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
App Settings/en-US/AttachmentManager.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
App Settings/en-US/AttachmentManager.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
App Settings/en-US/AuditSettings.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral30
Sample
App Settings/en-US/AuditSettings.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
App Settings/en-US/AutoPlay.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral32
Sample
App Settings/en-US/AutoPlay.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
App Settings/FileSys.xml
-
Size
6KB
-
MD5
499e7751b019078a8a997d67e8805686
-
SHA1
8d3bc566a990569dcd87a4862f4ea74b5a8d7696
-
SHA256
bc713bc684b0bdda9342da9fa7e36caf7f328f32915144c6eca49b674917df88
-
SHA512
0ccb75c55eeddfaaaf658087904bfca12c520d542789527e1248785ead66bf9f3de8478b2661814f549c6ec0bf8ebaefa1ec250199b1a6e3ccf95f6f60637d12
-
SSDEEP
192:sYl9Bi4JFLHTSRPTsOyA0VXAQsMAy5PVzRMS6l0TE:ztJFLHTSRPTsOylXgMf9zRMV2E
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a8bb788f11d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31003023" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2016039004" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2016039004" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2019633126" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31003023" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000c6b662962b6373e06ded875e2129a5abd77994ca2fbfd979814aa3e1e8d30529000000000e80000000020000200000007942c99649ab3d4a64f911b16ded576d212a707fc0b393d2af7d7d791d8077c320000000827515c463c1f1972986625786b5d58eaa01b5bbc3d590573b2d1b171ac369fb400000003f6fa545295cb369d4e3774bcefbccfecf1280f6007786ac32eee7a87335fc3edcb082641782050c4421266446b6101179f9c02bdc61e7603414e43f0343bfd6 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000d3b983520c9ca1ad4f65c4618b2bab84d90b535229faaa653e9a446edb7a6a57000000000e80000000020000200000004b95c38c3b526be9652e93cdfb77739c012f8641f7500f55517df82f60e5c1f920000000019b72a88da87f3b3488aacee5128e77b3acd0404cad65cfb516582826dd26e340000000b834c97224b47d426b2cc4b1cc854f7e5cd01ace50a7e6e189079946b69e33b2f0deda99b30407c3f2080c47a751f1bc4725ef6984649730ab05c430f6e9102c iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705167798f11d901 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377988531" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A39115BA-7D82-11ED-919F-42A3CC74B480} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31003023" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31003023" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2019633126" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4600 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4600 iexplore.exe 4600 iexplore.exe 204 IEXPLORE.EXE 204 IEXPLORE.EXE 204 IEXPLORE.EXE 204 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1156 wrote to memory of 4600 1156 MSOXMLED.EXE 79 PID 1156 wrote to memory of 4600 1156 MSOXMLED.EXE 79 PID 4600 wrote to memory of 204 4600 iexplore.exe 81 PID 4600 wrote to memory of 204 4600 iexplore.exe 81 PID 4600 wrote to memory of 204 4600 iexplore.exe 81
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\App Settings\FileSys.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\App Settings\FileSys.xml2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4600 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:204
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5ef882f1932c9dd68c8afda2ebc27364b
SHA14593fc073e078220e8d3e5fb6cf205430119c058
SHA2565144288105e9dfc259e9526551a92ff8f2edf2c15f395c4b3948930139bece23
SHA512abed9efc412039e8364507af7c857e2bb88ded864ef4d7754e6b4ea4ea750217954a672efb3a6c663498858e5c7660a33b02891f0f0d2b11a9616bd7c138931c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD528659fc00db9e8b79cacddb5b01a9f1e
SHA114232eb5daf41e28454dc9d5e59bb4b66459581f
SHA256c08d35e39110d24a09a13b2bba8418612013e2720b8a58a59eab05f985f181ff
SHA5123ad95e570337361342c562fe732f20d5651adeeac828302bde288accb8acb04e4108d1d8eb0a95a6274fcbc6cc716c131df6ffe146547858a3507d188ccf3cfd