Overview
overview
5Static
static
Accessible.tlb
windows10-1703-x64
3Cracker.dll
windows10-1703-x64
1Data/Language.pimx
windows10-1703-x64
3Data/Main.ini
windows10-1703-x64
1Data/Packa...in.xml
windows10-1703-x64
1Data/Packa...ce.zip
windows10-1703-x64
1placeholder.txt
windows10-1703-x64
1Data/Packa...ls.xml
windows10-1703-x64
1Debug/DebugPPF.tmp
windows10-1703-x64
3Debug/DebugPPT.tmp
windows10-1703-x64
3Debug/Management.log
windows10-1703-x64
1Microsoft ...ed.exe
windows10-1703-x64
5Resource.dll
windows10-1703-x64
1libGLESv2.dll
windows10-1703-x64
1update-settings.ini
windows10-1703-x64
1updater.ini
windows10-1703-x64
1Resubmissions
31/01/2023, 21:40
230131-1jhk5acd7z 531/01/2023, 21:36
230131-1gd5xscd7v 331/01/2023, 21:32
230131-1dzbpacd6y 5Analysis
-
max time kernel
141s -
max time network
156s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
31/01/2023, 21:40
Static task
static1
Behavioral task
behavioral1
Sample
Accessible.tlb
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
Cracker.dll
Resource
win10-20220812-en
Behavioral task
behavioral3
Sample
Data/Language.pimx
Resource
win10-20220901-en
Behavioral task
behavioral4
Sample
Data/Main.ini
Resource
win10-20220812-en
Behavioral task
behavioral5
Sample
Data/Packaged/Main.xml
Resource
win10-20220812-en
Behavioral task
behavioral6
Sample
Data/Packaged/Resource.zip
Resource
win10-20220812-en
Behavioral task
behavioral7
Sample
placeholder.txt
Resource
win10-20220901-en
Behavioral task
behavioral8
Sample
Data/Packaged/Utils.xml
Resource
win10-20220812-en
Behavioral task
behavioral9
Sample
Debug/DebugPPF.tmp
Resource
win10-20220812-en
Behavioral task
behavioral10
Sample
Debug/DebugPPT.tmp
Resource
win10-20220812-en
Behavioral task
behavioral11
Sample
Debug/Management.log
Resource
win10-20220901-en
Behavioral task
behavioral12
Sample
Microsoft Office Cracked.exe
Resource
win10-20220812-en
Behavioral task
behavioral13
Sample
Resource.dll
Resource
win10-20220812-en
Behavioral task
behavioral14
Sample
libGLESv2.dll
Resource
win10-20220901-en
Behavioral task
behavioral15
Sample
update-settings.ini
Resource
win10-20220812-en
Behavioral task
behavioral16
Sample
updater.ini
Resource
win10-20220812-en
General
-
Target
Data/Packaged/Main.xml
-
Size
1KB
-
MD5
7b53ebd64e5781e02eaefb6739a6b556
-
SHA1
d5332b200cf5dcea0419afdb66a15d89b9eb619f
-
SHA256
b975c9251ef7394dcc69f49e54dc5aa5e8df32f9b5e8c687484ddd840eb94d20
-
SHA512
c4a25c07e19760547e91818ba6e9ec3fe89206c29429668731c7563b7407cb56d8c0adca519bf96dc82a1631e82cfe63b68439cad4102ea2a1df438bac8400fd
Malware Config
Signatures
-
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80175e5cc535d901 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "382018503" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1549515054" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000862a839488fc0e4ebe5f785a282e792e000000000200000000001066000000010000200000000a8b3069c1a6d3459b8043f95057ebadb966294cb4b39fab7fc1726b0c3e3153000000000e80000000020000200000007481af85e6bc04e0b32c1237331d1abffb7cfccc8fc947abc689c8bbe64c661720000000cedf66d90e5d8e6c5234441943294f50cf203e14a944daa3ff9f1d6df731e0c9400000003197660456f9b075236e61973e192d07a3f04e85ebaed8e390b2e669c5cfaa9f12c3ba05cc9fd5b2b21fb097feab953b25f2b88fa184504cf1cec2bdd9c3d82c iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "381986527" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1549983496" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012293" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502a715cc535d901 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012293" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000862a839488fc0e4ebe5f785a282e792e0000000002000000000010660000000100002000000066acafec9a6ed8461feea594e72886db28f8c7377b52a805fc569a5de0652069000000000e800000000200002000000059ccdb93681b81394ceb461ca37eb24fb0b07d92b01856e9d26120c26e88b848200000000834ed67f4ce463f9cdcac29e6d4096996a4c32cd37fc461322c7fb18caba093400000007d9ab89a52583501de81cc28b693165333756723a02e3f151f96f025a7d1780b83bc2a9d192c626418eb1e9dfd096e7d5b30b5e9514390bdc4864f29b746de83 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381969918" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{86CF4E7C-A1B8-11ED-98FA-52E72BE7C633} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1549515054" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1549983496" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012293" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012293" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1788 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1788 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1788 iexplore.exe 1788 iexplore.exe 4168 IEXPLORE.EXE 4168 IEXPLORE.EXE 4168 IEXPLORE.EXE 4168 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2784 wrote to memory of 1788 2784 MSOXMLED.EXE 66 PID 2784 wrote to memory of 1788 2784 MSOXMLED.EXE 66 PID 1788 wrote to memory of 4168 1788 iexplore.exe 68 PID 1788 wrote to memory of 4168 1788 iexplore.exe 68 PID 1788 wrote to memory of 4168 1788 iexplore.exe 68
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Data\Packaged\Main.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Data\Packaged\Main.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4168
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5415f2185a9c64b830e7558bce25207be
SHA15b9087daa5a7c1b42fa0d84b25de64ecc9ab335b
SHA2569845be82fb85d04acc616713931ce35e21b76fb6bd0c76945417c9377200607b
SHA512a6385a6c7a0c8eb7f4dc5dbaba72d34e921ece1bda233687a38520b10fdb1a1451339ff6a4e63e6ce3840dfeadaf01e2d95cc01554830f88811989a814ccfbac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD58ed652238a71543bebf3336d2390db11
SHA13a371e45c0beda7d1fa2dbc562d3d732bfd350a2
SHA2569afa9051fd2ce28317edbb20f389c5a95c6c0a9676eb136c599000fec5f94fde
SHA51200d1b4d059431c0bfea4688dc02d2c2f685e6010e58e0935757b68b81de90479b3d47e4519cbc68e0ae2259d8fe74e5ebaf759818e7ec25c5dec7d4d9537030d
-
Filesize
611B
MD502b31b8528b2eeb6f9d55fc13f3a9de8
SHA170ff937e2a2520b6bdadf7f1f3cd0b12f9fed577
SHA256e68b2c5037b26f2b45065da9745d94f0e64e60fdc9cc68e9c8b137556b19b9b3
SHA5129236133206c4355412a2df547e14cec1085d6ad65fdf709c5a18890e5fd5f5b125d4d44cad1865738ae944174877446f1d4d55b8ca8dfc367a8c8c5f1b6c29eb