Overview
overview
10Static
static
10publish/OpenAL32.dll
windows7-x64
1publish/OpenAL32.dll
windows10-2004-x64
1publish/Ry...ll.xml
windows7-x64
1publish/Ry...ll.xml
windows10-2004-x64
1publish/Ryujinx.exe
windows7-x64
1publish/Ryujinx.exe
windows10-2004-x64
7publish/SDL2.dll
windows7-x64
1publish/SDL2.dll
windows10-2004-x64
1publish/av...59.dll
windows7-x64
1publish/av...59.dll
windows10-2004-x64
1publish/avutil-57.dll
windows7-x64
3publish/avutil-57.dll
windows10-2004-x64
3publish/bi...-0.dll
windows7-x64
3publish/bi...-0.dll
windows10-2004-x64
3publish/bi...-1.dll
windows7-x64
3publish/bi...-1.dll
windows10-2004-x64
3publish/bi...-2.dll
windows7-x64
3publish/bi...-2.dll
windows10-2004-x64
3publish/bi...-2.dll
windows7-x64
1publish/bi...-2.dll
windows10-2004-x64
1publish/bi...-3.dll
windows7-x64
3publish/bi...-3.dll
windows10-2004-x64
3publish/sh...ic.xml
windows7-x64
1publish/sh...ic.xml
windows10-2004-x64
1publish/sh...ic.xml
windows7-x64
1publish/sh...ic.xml
windows10-2004-x64
1publish/sh...ic.xml
windows7-x64
1publish/sh...ic.xml
windows10-2004-x64
1publish/sh...ic.xml
windows7-x64
1publish/sh...ic.xml
windows10-2004-x64
1publish/sh...tl.xml
windows7-x64
1publish/sh...tl.xml
windows10-2004-x64
1Analysis
-
max time kernel
133s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-es -
resource tags
arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
28-12-2022 18:25
Behavioral task
behavioral1
Sample
publish/OpenAL32.dll
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral2
Sample
publish/OpenAL32.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral3
Sample
publish/Ryujinx.SDL2.Common.dll.xml
Resource
win7-20220901-es
windows7-x64
Behavioral task
behavioral4
Sample
publish/Ryujinx.SDL2.Common.dll.xml
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral5
Sample
publish/Ryujinx.exe
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral6
Sample
publish/Ryujinx.exe
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral7
Sample
publish/SDL2.dll
Resource
win7-20220901-es
windows7-x64
Behavioral task
behavioral8
Sample
publish/SDL2.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral9
Sample
publish/avcodec-59.dll
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral10
Sample
publish/avcodec-59.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral11
Sample
publish/avutil-57.dll
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral12
Sample
publish/avutil-57.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral13
Sample
publish/bin/libatk-1.0-0.dll
Resource
win7-20220901-es
windows7-x64
Behavioral task
behavioral14
Sample
publish/bin/libatk-1.0-0.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral15
Sample
publish/bin/libbz2-1.dll
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral16
Sample
publish/bin/libbz2-1.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral17
Sample
publish/bin/libcairo-2.dll
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral18
Sample
publish/bin/libcairo-2.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral19
Sample
publish/bin/libcairo-gobject-2.dll
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral20
Sample
publish/bin/libcairo-gobject-2.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral21
Sample
publish/bin/libcroco-0.6-3.dll
Resource
win7-20220901-es
windows7-x64
Behavioral task
behavioral22
Sample
publish/bin/libcroco-0.6-3.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral23
Sample
publish/share/icons/Adwaita/scalable/categories/emoji-nature-symbolic.xml
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral24
Sample
publish/share/icons/Adwaita/scalable/categories/emoji-nature-symbolic.xml
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral25
Sample
publish/share/icons/Adwaita/scalable/devices/phone-old-symbolic.xml
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral26
Sample
publish/share/icons/Adwaita/scalable/devices/phone-old-symbolic.xml
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral27
Sample
publish/share/icons/Adwaita/scalable/mimetypes/inode-directory-symbolic.xml
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral28
Sample
publish/share/icons/Adwaita/scalable/mimetypes/inode-directory-symbolic.xml
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral29
Sample
publish/share/icons/Adwaita/scalable/status/non-starred-symbolic.xml
Resource
win7-20221111-es
windows7-x64
Behavioral task
behavioral30
Sample
publish/share/icons/Adwaita/scalable/status/non-starred-symbolic.xml
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral31
Sample
publish/share/icons/Adwaita/scalable/status/semi-starred-symbolic-rtl.xml
Resource
win7-20220812-es
windows7-x64
Behavioral task
behavioral32
Sample
publish/share/icons/Adwaita/scalable/status/semi-starred-symbolic-rtl.xml
Resource
win10v2004-20220812-es
windows10-2004-x64
General
-
Target
publish/share/icons/Adwaita/scalable/status/non-starred-symbolic.xml
-
Size
6KB
-
MD5
e27ddf9ac9d222009698c91755e91f37
-
SHA1
df622a2877b04d698ad39b89f1e2591635c2db1b
-
SHA256
c602b20c7b60b3b5aa554237bfa371ea484acf7b8a7ba64da23dbaafe5733e5f
-
SHA512
5cc9cdfc2d20f9c850299cdb121e4986422e835a25350df09ae1a9cdd7b9b02f11f549e61c57a4a697f357f9523216c745a21ea347d1ea5370da9cffa445a01a
-
SSDEEP
192:BkY3alv39nhwtVN6fF6Knqi3Ec+5ddWcQaVG2WWfIUjFaK:aYGtnitXKJUcC0xaV9V
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3003b8e5f21ad901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0F78E378-86E6-11ED-BF60-42DBF9D6FBAB} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a0c1e5f21ad901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379020794" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb0000000002000000000010660000000100002000000023e34dbcdb5fd8f7d9490c78d86a6ced9ee06167010b74cf0a1c5bda68b4caca000000000e80000000020000200000008ae302f7d4fba8016c92f44f4c9def4c7e610001de97f1e8a916c497e838759c20000000afe07f3a129cda15eab8af66a864d48460848a6900e72712b8eb6e00260438424000000014425bb5fc8f8ce6d0b940585e8b1dc5ba09e62ef8123682fb684341dd4860fe91a05141c2c9dcf0207758869f8581fa76606c9ce708a4ae1a71cae81a4554ec iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb00000000020000000000106600000001000020000000420a0b945728029033c7711f088709183a1cda7a6a0dcfae8092513c5dbba919000000000e8000000002000020000000993d5a0c1e483a0303e0099d23afdcae439bd7a74115cec30d3aa3efc443b5ae20000000ce4d2c280d23a76afbd56010e958f9bfdb3a795cc8c1cb4e42021766612f320640000000e2cd5be6df7eacb68d5c86d05a41ffbff219ab976cad2f19c83f2d39736b50b4be6e5d042aad68647add16826379a94b9b09dc03e9a65729176000f57f6c4148 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 864 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 864 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 864 iexplore.exe 864 iexplore.exe 3720 IEXPLORE.EXE 3720 IEXPLORE.EXE 3720 IEXPLORE.EXE 3720 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1728 wrote to memory of 864 1728 MSOXMLED.EXE 80 PID 1728 wrote to memory of 864 1728 MSOXMLED.EXE 80 PID 864 wrote to memory of 3720 864 iexplore.exe 82 PID 864 wrote to memory of 3720 864 iexplore.exe 82 PID 864 wrote to memory of 3720 864 iexplore.exe 82
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\status\non-starred-symbolic.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\publish\share\icons\Adwaita\scalable\status\non-starred-symbolic.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:864 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3720
-
-