Overview
overview
7Static
static
5Setup.exe
windows7-x64
7Setup.exe
windows10-2004-x64
7data/AppXRuntime.xml
windows7-x64
1data/AppXRuntime.xml
windows10-2004-x64
1data/Audit...gs.xml
windows7-x64
1data/Audit...gs.xml
windows10-2004-x64
1data/Event...ng.xml
windows7-x64
1data/Event...ng.xml
windows10-2004-x64
1data/ExternalBoot.xml
windows7-x64
1data/ExternalBoot.xml
windows10-2004-x64
1data/FileSys.xml
windows7-x64
1data/FileSys.xml
windows10-2004-x64
1data/SkyDrive.xml
windows7-x64
1data/SkyDrive.xml
windows10-2004-x64
1data/WinCal.xml
windows7-x64
1data/WinCal.xml
windows10-2004-x64
1data/Workp...in.xml
windows7-x64
1data/Workp...in.xml
windows10-2004-x64
1data/en-US...ce.xml
windows7-x64
1data/en-US...ce.xml
windows10-2004-x64
1data/en-US...ms.xml
windows7-x64
1data/en-US...ms.xml
windows10-2004-x64
1data/en-US...at.xml
windows7-x64
1data/en-US...at.xml
windows10-2004-x64
1data/en-US...me.xml
windows7-x64
1data/en-US...me.xml
windows10-2004-x64
1data/en-US...er.xml
windows7-x64
1data/en-US...er.xml
windows10-2004-x64
1data/en-US...er.xml
windows7-x64
1data/en-US...er.xml
windows10-2004-x64
1data/en-US...gs.xml
windows7-x64
1data/en-US...gs.xml
windows10-2004-x64
1Analysis
-
max time kernel
73s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
30/01/2023, 19:01
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
data/AppXRuntime.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
data/AppXRuntime.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
data/AuditSettings.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
data/AuditSettings.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
data/EventForwarding.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral8
Sample
data/EventForwarding.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
data/ExternalBoot.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
data/ExternalBoot.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
data/FileSys.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral12
Sample
data/FileSys.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
data/SkyDrive.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral14
Sample
data/SkyDrive.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
data/WinCal.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
data/WinCal.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
data/WorkplaceJoin.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral18
Sample
data/WorkplaceJoin.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
data/en-US/ActiveXInstallService.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
data/en-US/ActiveXInstallService.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
data/en-US/AddRemovePrograms.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral22
Sample
data/en-US/AddRemovePrograms.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
data/en-US/AppCompat.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
data/en-US/AppCompat.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
data/en-US/AppXRuntime.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral26
Sample
data/en-US/AppXRuntime.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
data/en-US/AppxPackageManager.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral28
Sample
data/en-US/AppxPackageManager.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
data/en-US/AttachmentManager.xml
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral30
Sample
data/en-US/AttachmentManager.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
data/en-US/AuditSettings.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
data/en-US/AuditSettings.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
data/WorkplaceJoin.xml
-
Size
1KB
-
MD5
4a94b4f104af2c09215eb52d7f84f748
-
SHA1
5c414d468a0b571ca9fec00364dd4e2a185dbe92
-
SHA256
5fabf5c534f78ce92bf7daa6d4ade2dd61002e689a8246928209bf38d7bf1bee
-
SHA512
971a7f298fb6ece17bd9e02d636988960b4955ed8c6e44d271f4405e06268b65db6ce396caeeb41113ef2d220418c7c0bd48f3dc5852de76331eec0307516af4
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012069" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012069" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c53cf0e534d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012069" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb0000000002000000000010660000000100002000000070eb796559e92876233c51fa34d9288b675cad2a69a75413198221035250eb10000000000e8000000002000020000000843db56c2ba95407bb5decfe0db5259f2bafb6dd48bff6da87d7e238ab216d9c20000000f8db500f02d91283ae02eb00bcc15cf9ef88e0da643348751d59f75ec68d807c40000000be22a632fa0d79f7924ca3bf5980cfe4f6fbebc6d556c070d56f2c3537c34f53e27303d8e55a5593967d380b842b2b4cc8802c29086544e0406bf9b82615bebc iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06d2ef0e534d901 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381873957" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4023015998" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb000000000200000000001066000000010000200000004ddd764b158f2096f92f74ac84e59080bd5176ac145781fa372b7d8fff7a99b3000000000e80000000020000200000004dfe3e101347182f4f19e347510a6b81b460e8c5d247e81df589288a029e862620000000ffa91d57f614224fa4bb40c70c9c768251df57bca96c7f9107265b8009a91c8a4000000081284df488f919952dd2a0f7a533606b39081bb5bf6d850ebe95b0d81c618fc4588d8265650c60746ad939b577ee143d23587e9bd3f1fe217ebee58ec757fa7f iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1A3B8C14-A0D9-11ED-BF5F-4EF50EB22100} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4013172433" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012069" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4023015998" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4013172433" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4320 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4320 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4320 iexplore.exe 4320 iexplore.exe 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE 2764 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4876 wrote to memory of 4320 4876 MSOXMLED.EXE 81 PID 4876 wrote to memory of 4320 4876 MSOXMLED.EXE 81 PID 4320 wrote to memory of 2764 4320 iexplore.exe 83 PID 4320 wrote to memory of 2764 4320 iexplore.exe 83 PID 4320 wrote to memory of 2764 4320 iexplore.exe 83
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\data\WorkplaceJoin.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\data\WorkplaceJoin.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4320 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2764
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5ee0a37a05b705a5f66ebdd61da30b479
SHA1136f52350f4f9213cd7a3062b4143b64a54c9549
SHA25611a400393192414706b8051b4b37f3ef76d81885d41e0259d17a1517c2ccf56f
SHA512c724734022d241f608b8b9515a6c1c87b4899f2d2dc2ea637a6c2acfabf7f00864bcf4478359f9ac5de31316046151e25eca389b8a9d136d4d84fcd61f9670bd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD5b8226377c6bcf4833f163809e3394eb6
SHA1a11d3c5a1927eb7cc4aee73d08791611a65f0bf4
SHA256c1a4f4866821f85a35b1194d2888144dcb197eed474e6dd68a6f3f4492b4372c
SHA5129d7e36fe01fe839f50511686e1dadc6f2b11324bf5dd13359b4b6a78db811e4c9fef3f82a16e3aacf26c227d233de151c47eba3e7c25089e68d3dc0e8b462330