Overview (score 3)

Static

Behavioral targets (score per target and platform; file names truncated as on the page):

Target                Platform             Score
InstallSet...up.exe   windows7-x64         1
InstallSet...up.exe   windows10-2004-x64   1
InstallSet...UX.exe   windows7-x64         3
InstallSet...UX.exe   windows10-2004-x64   1
InstallSet...es.xml   windows7-x64         1
InstallSet...es.xml   windows10-2004-x64   1
InstallSet...ce.dll   windows7-x64         1
InstallSet...ce.dll   windows10-2004-x64   3
InstallSet...er.dll   windows7-x64         1
InstallSet...er.dll   windows10-2004-x64   3
InstallSet...er.dll   windows7-x64         1
InstallSet...er.dll   windows10-2004-x64   3
InstallSet...KL.dll   windows7-x64         1
InstallSet...KL.dll   windows10-2004-x64   1
InstallSet...GN.dll   windows7-x64         1
InstallSet...GN.dll   windows10-2004-x64   1
InstallSet...GR.dll   windows7-x64         1
InstallSet...GR.dll   windows10-2004-x64   1
InstallSet...R1.dll   windows7-x64         1
InstallSet...R1.dll   windows10-2004-x64   1
InstallSet...ND.dll   windows7-x64         1
InstallSet...ND.dll   windows10-2004-x64   1
InstallSet...A2.dll   windows7-x64         1
InstallSet...A2.dll   windows10-2004-x64   1
InstallSet...A3.dll   windows7-x64         1
InstallSet...A3.dll   windows10-2004-x64   1
InstallSet...PT.dll   windows7-x64         1
InstallSet...PT.dll   windows10-2004-x64   1
InstallSet...HU.dll   windows7-x64         1
InstallSet...HU.dll   windows10-2004-x64   1
InstallSet...U1.dll   windows7-x64         1
InstallSet...U1.dll   windows10-2004-x64   1

Analysis
- max time kernel: 127s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-12-2022 07:33
Static task: static1

Behavioral tasks:

Task           Sample                                                         Resource
behavioral1    InstallSetup/InstallSetup.exe                                  win7-20220812-en
behavioral2    InstallSetup/InstallSetup.exe                                  win10v2004-20220812-en
behavioral3    InstallSetup/bin/AppV/AppVStreamingUX.exe                      win7-20220901-en
behavioral4    InstallSetup/bin/AppV/AppVStreamingUX.exe                      win10v2004-20220901-en
behavioral5    InstallSetup/bin/SMI/Schema/WcmTypes.xml                       win7-20220812-en
behavioral6    InstallSetup/bin/SMI/Schema/WcmTypes.xml                       win10v2004-20221111-en
behavioral7    InstallSetup/bin/WinBioPlugIns/FaceDriver/amd64/HelloFace.dll  win7-20220812-en
behavioral8    InstallSetup/bin/WinBioPlugIns/FaceDriver/amd64/HelloFace.dll  win10v2004-20220812-en
behavioral9    InstallSetup/bin/WinBioPlugIns/winbiosensoradapter.dll         win7-20220901-en
behavioral10   InstallSetup/bin/WinBioPlugIns/winbiosensoradapter.dll         win10v2004-20221111-en
behavioral11   InstallSetup/bin/WinBioPlugIns/winbiovsmstorageadapter.dll     win7-20220812-en
behavioral12   InstallSetup/bin/WinBioPlugIns/winbiovsmstorageadapter.dll     win10v2004-20220812-en
behavioral13   InstallSetup/libs/KBDGKL.dll                                   win7-20221111-en
behavioral14   InstallSetup/libs/KBDGKL.dll                                   win10v2004-20221111-en
behavioral15   InstallSetup/libs/KBDGN.dll                                    win7-20220812-en
behavioral16   InstallSetup/libs/KBDGN.dll                                    win10v2004-20220901-en
behavioral17   InstallSetup/libs/KBDGR.dll                                    win7-20221111-en
behavioral18   InstallSetup/libs/KBDGR.dll                                    win10v2004-20221111-en
behavioral19   InstallSetup/libs/KBDGR1.dll                                   win7-20220812-en
behavioral20   InstallSetup/libs/KBDGR1.dll                                   win10v2004-20220812-en
behavioral21   InstallSetup/libs/KBDGRLND.dll                                 win7-20221111-en
behavioral22   InstallSetup/libs/KBDGRLND.dll                                 win10v2004-20220901-en
behavioral23   InstallSetup/libs/KBDHELA2.dll                                 win7-20221111-en
behavioral24   InstallSetup/libs/KBDHELA2.dll                                 win10v2004-20221111-en
behavioral25   InstallSetup/libs/KBDHELA3.dll                                 win7-20220812-en
behavioral26   InstallSetup/libs/KBDHELA3.dll                                 win10v2004-20220812-en
behavioral27   InstallSetup/libs/KBDHEPT.dll                                  win7-20221111-en
behavioral28   InstallSetup/libs/KBDHEPT.dll                                  win10v2004-20220812-en
behavioral29   InstallSetup/libs/KBDHU.dll                                    win7-20221111-en
behavioral30   InstallSetup/libs/KBDHU.dll                                    win10v2004-20220901-en
behavioral31   InstallSetup/libs/KBDHU1.dll                                   win7-20220812-en
behavioral32   InstallSetup/libs/KBDHU1.dll                                   win10v2004-20220812-en
General
- Target: InstallSetup/bin/SMI/Schema/WcmTypes.xml
- Size: 1KB
- MD5: 32731cf7bbadc49604b4eb4b0c0bcd62
- SHA1: 35393a2dcbea0addbfbbe32e2504c892cc8d5c83
- SHA256: cd701b2bdd71894d2613decbee016446f8261d6cbb51493eeff372530b00e1f1
- SHA512: 214507a4a359346a86b2c240e2b74ed1bf1943b5bf69db579a0aa2c11fbe3431675d74f3668f8cc2a5c70af925a0d45e535444ba78bec644b5d1e2093edfbada
Malware Config
Signatures

- Registry IoCs (description | ioc | Process)
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31003122" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0b694ebf211d901 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "378031243" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000322ce10db0edac413eb146dbfdcdd886636d893969768d4ef63826bffccb3ecd000000000e80000000020000200000004af83c8f25133e23dd83ee9cf7923ed76c49855dc7c3e33a644fa6e568ffe7352000000095c764a749c4757d81e0fc43284fb73037cb4ec6cc690f09fce2b0f633960b5440000000a5f532b234e3649aac98aafdaa4cad3a6bba882eb4f145d964605f5d866a070e573e28132003d8c19e3f8101454c2728854c22ab403fe37d80af7d1bab7b71e0 | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{15BE6E4C-7DE6-11ED-919F-FE1968EF3A40} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3942551692" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3931302296" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31003122" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0198bebf211d901 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3931302296" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31003122" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000a8a521fe37cfd4e5f9fedb7841cf7616f6d8f2a16c4012a6333789bd7cbbd84f000000000e8000000002000020000000b3ed2966c290f2fb85027e99257745eadcb583c7fbadbe7517c071c5febfdf64200000003b5d6ddaaff6232ddfc579bdbb2c41883e1a5f4cb2efe7e654e23b639899a439400000002ed9180ec90ad4c665b8102076ac663361c150ccf5e781154a7e83ac08fd2cbe2578449592b5c37a7afd40a71412aac261d3c10e59dc73f06b909e806b8c1933 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  384 | iexplore.exe

- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  384 | iexplore.exe
  384 | iexplore.exe
  4576 | IEXPLORE.EXE
  4576 | IEXPLORE.EXE
  4576 | IEXPLORE.EXE
  4576 | IEXPLORE.EXE

- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 3148 wrote to memory of 384 | 3148 | MSOXMLED.EXE | 80
  PID 3148 wrote to memory of 384 | 3148 | MSOXMLED.EXE | 80
  PID 384 wrote to memory of 4576 | 384 | iexplore.exe | 82
  PID 384 wrote to memory of 4576 | 384 | iexplore.exe | 82
  PID 384 wrote to memory of 4576 | 384 | iexplore.exe | 82
Processes (tree; indentation shows parent/child)

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE  (PID 3148)
  Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\InstallSetup\bin\SMI\Schema\WcmTypes.xml"
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe  (PID 384)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\InstallSetup\bin\SMI\Schema\WcmTypes.xml
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 4576)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:384 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: ef882f1932c9dd68c8afda2ebc27364b
  SHA1: 4593fc073e078220e8d3e5fb6cf205430119c058
  SHA256: 5144288105e9dfc259e9526551a92ff8f2edf2c15f395c4b3948930139bece23
  SHA512: abed9efc412039e8364507af7c857e2bb88ded864ef4d7754e6b4ea4ea750217954a672efb3a6c663498858e5c7660a33b02891f0f0d2b11a9616bd7c138931c

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 4418f2165c37a7a68299e7c592d4cb0c
  SHA1: 1d1e8c6d20496f3e658bf65419bfbeb5e87c6fbb
  SHA256: 5f2aa183f71539e478593adf794134882d05352f5ef7ca511b373654c5361149
  SHA512: 1f127211b32efa64ea83bfe93c231dcf0cdc13b92a8af663b3632b3bbb98698620d013468333f95b70bc8b65ebc56397314f5fa04a7efcfbb63b0a706ec7f3f7