Overview
overview
10Static
static
10publish/OpenAL32.dll
windows7-x64
1publish/OpenAL32.dll
windows10-2004-x64
1publish/Ry...ll.xml
windows7-x64
1publish/Ry...ll.xml
windows10-2004-x64
1publish/Ryujinx.exe
windows7-x64
1publish/Ryujinx.exe
windows10-2004-x64
7publish/SDL2.dll
windows7-x64
1publish/SDL2.dll
windows10-2004-x64
1publish/av...59.dll
windows7-x64
1publish/av...59.dll
windows10-2004-x64
1publish/avutil-57.dll
windows7-x64
3publish/avutil-57.dll
windows10-2004-x64
3publish/bi...-0.dll
windows7-x64
3publish/bi...-0.dll
windows10-2004-x64
3publish/bi...-1.dll
windows7-x64
3publish/bi...-1.dll
windows10-2004-x64
3publish/bi...-2.dll
windows7-x64
3publish/bi...-2.dll
windows10-2004-x64
3publish/bi...-2.dll
windows7-x64
1publish/bi...-2.dll
windows10-2004-x64
1publish/bi...-3.dll
windows7-x64
3publish/bi...-3.dll
windows10-2004-x64
3publish/sh...ic.xml
windows7-x64
1publish/sh...ic.xml
windows10-2004-x64
1publish/sh...ic.xml
windows7-x64
1publish/sh...ic.xml
windows10-2004-x64
1publish/sh...ic.xml
windows7-x64
1publish/sh...ic.xml
windows10-2004-x64
1publish/sh...ic.xml
windows7-x64
1publish/sh...ic.xml
windows10-2004-x64
1publish/sh...tl.xml
windows7-x64
1publish/sh...tl.xml
windows10-2004-x64
1Analysis
-
max time kernel
73s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-es -
resource tags
arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
28-12-2022 18:25
Behavioral task
behavioral1
Sample
publish/OpenAL32.dll
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral2
Sample
publish/OpenAL32.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral3
Sample
publish/Ryujinx.SDL2.Common.dll.xml
Resource
win7-20220901-es
windows7-x64
Behavioral task
behavioral4
Sample
publish/Ryujinx.SDL2.Common.dll.xml
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral5
Sample
publish/Ryujinx.exe
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral6
Sample
publish/Ryujinx.exe
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral7
Sample
publish/SDL2.dll
Resource
win7-20220901-es
windows7-x64
Behavioral task
behavioral8
Sample
publish/SDL2.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral9
Sample
publish/avcodec-59.dll
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral10
Sample
publish/avcodec-59.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral11
Sample
publish/avutil-57.dll
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral12
Sample
publish/avutil-57.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral13
Sample
publish/bin/libatk-1.0-0.dll
Resource
win7-20220901-es
windows7-x64
Behavioral task
behavioral14
Sample
publish/bin/libatk-1.0-0.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral15
Sample
publish/bin/libbz2-1.dll
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral16
Sample
publish/bin/libbz2-1.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral17
Sample
publish/bin/libcairo-2.dll
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral18
Sample
publish/bin/libcairo-2.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral19
Sample
publish/bin/libcairo-gobject-2.dll
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral20
Sample
publish/bin/libcairo-gobject-2.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral21
Sample
publish/bin/libcroco-0.6-3.dll
Resource
win7-20220901-es
windows7-x64
Behavioral task
behavioral22
Sample
publish/bin/libcroco-0.6-3.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral23
Sample
publish/share/icons/Adwaita/scalable/categories/emoji-nature-symbolic.xml
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral24
Sample
publish/share/icons/Adwaita/scalable/categories/emoji-nature-symbolic.xml
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral25
Sample
publish/share/icons/Adwaita/scalable/devices/phone-old-symbolic.xml
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral26
Sample
publish/share/icons/Adwaita/scalable/devices/phone-old-symbolic.xml
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral27
Sample
publish/share/icons/Adwaita/scalable/mimetypes/inode-directory-symbolic.xml
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral28
Sample
publish/share/icons/Adwaita/scalable/mimetypes/inode-directory-symbolic.xml
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral29
Sample
publish/share/icons/Adwaita/scalable/status/non-starred-symbolic.xml
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral30
Sample
publish/share/icons/Adwaita/scalable/status/non-starred-symbolic.xml
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral31
Sample
publish/share/icons/Adwaita/scalable/status/semi-starred-symbolic-rtl.xml
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral32
Sample
publish/share/icons/Adwaita/scalable/status/semi-starred-symbolic-rtl.xml
Resource
win10v2004-20220812-es
windows10-2004-x64
General
-
Target
publish/share/icons/Adwaita/scalable/mimetypes/inode-directory-symbolic.xml
-
Size
3KB
-
MD5
1a9526bce4500770dc9da3fac276de77
-
SHA1
8e3be08d46567e15b0d7beb9c749ff361d61aedc
-
SHA256
4698902117a08b3a216ec9187382b94d85d23ba1230497b823bc4f0398301b3d
-
SHA512
2860804f3b03574b29679fc070f167cb7c4c5b69f7cd0352bc68f74c665e5075dcb543441bd424dac29b04205456f6d26ccab021b1bc879fd41a5819598e824d
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3812236395" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31005426" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31005426" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901dbde3f21ad901 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3812236395" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f1b5e3f21ad901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3817391489" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31005426" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000098c4843a18d171e64db2ac19c75448b6bb83509c22624b389bf9e3f898110421000000000e8000000002000020000000d1da0141661fa5c178b8d0287e5f7463a41693d370a1a3a78c68cc387e1f830b200000008218b0f8634f9c5e8eb7b2c1216f0ff500d680e7317fff13c2f313d5ca149ae24000000055f781d7bcf13894c25f6e4a594d92ed8ece6b231a29a426dff6bac9992e8c9843c9b8c62f05e324a3d63c494b7702680fb89f6818aa3f0b191ff913cddcfe17 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0EAA6601-86E6-11ED-91A0-6AA3C320090C} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000160fcd02b96dc7882e9f2cc814cc74ef36e52210357a74cbaf40730e3645f701000000000e8000000002000020000000d2e186934252502366d9d4af117133842040339e8d33646713c6d13ac633dfc5200000009aca2f5d4c9ebeeca3c211e80612f35fb42fa44cac55df537edff36eae1e4a3040000000e327f24bb265ae71cbf67d45ed07c82681ab7455dd18a9cacd7ec7c9bfad7150f1e79e4d1a55a04bb49ee2e61a4acf02c670eae6751adfe5993c62840d196a3d iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379020791" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4948 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4948 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4948 iexplore.exe 4948 iexplore.exe 932 IEXPLORE.EXE 932 IEXPLORE.EXE 932 IEXPLORE.EXE 932 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 524 wrote to memory of 4948 524 MSOXMLED.EXE 79 PID 524 wrote to memory of 4948 524 MSOXMLED.EXE 79 PID 4948 wrote to memory of 932 4948 iexplore.exe 81 PID 4948 wrote to memory of 932 4948 iexplore.exe 81 PID 4948 wrote to memory of 932 4948 iexplore.exe 81
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\mimetypes\inode-directory-symbolic.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\mimetypes\inode-directory-symbolic.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:932
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5f7b6855beb7fde6cdb1a2a9ba9fa6bcd
SHA1fd947696cabb78e309ad669dff0b980b17818567
SHA256f1630debcf83e724c695443316dc8ad1abfb9d422e1450edbd3fc87b23f0649d
SHA512e21c7570af2e3a77ce35f0f4ea4bef6b2a96bb7910a5c84eab60cba45a653b428c92def96f3d9bf393a156ccb901eb9f131eee2b71b91c20c38bf50b9ebe554e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD5a948fc6e2c0902de3836855cb4696c42
SHA172a44379b5c70321d628660e6f91250b59b82549
SHA256c57d3e76c60eef765c7be782e7973ccc0ec994da2f937d4863829c0446bca7f1
SHA512e9de0fd776e23c66067533049f79f537f105039836baf87c3e4844ebb15253376345ec4fc044a7a0d206ae3d24f985841f8445d972394b1a3cc8ce9a5740be35