Overview
overview
10Static
static
1VSCodeUser....3.exe
windows7-x64
10VSCodeUser....3.exe
windows10-2004-x64
10VSCodeUser...-1.dll
windows7-x64
3VSCodeUser...-1.dll
windows10-2004-x64
3VSCodeUser...10.dll
windows7-x64
3VSCodeUser...10.dll
windows10-2004-x64
3VSCodeUser...30.dll
windows7-x64
1VSCodeUser...30.dll
windows10-2004-x64
1VSCodeUser...re.dll
windows7-x64
1VSCodeUser...re.dll
windows10-2004-x64
1VSCodeUser...bs.dll
windows7-x64
1VSCodeUser...bs.dll
windows10-2004-x64
3VSCodeUser...ds.dll
windows7-x64
1VSCodeUser...ds.dll
windows10-2004-x64
7VSCodeUser...ec.dll
windows7-x64
1VSCodeUser...ec.dll
windows10-2004-x64
1VSCodeUser...ic.dll
windows7-x64
1VSCodeUser...ic.dll
windows10-2004-x64
1VSCodeUser...l2.dll
windows7-x64
1VSCodeUser...l2.dll
windows10-2004-x64
3VSCodeUser...ts.xml
windows7-x64
1VSCodeUser...ts.xml
windows10-2004-x64
1VSCodeUser...el.exe
windows7-x64
VSCodeUser...el.exe
windows10-2004-x64
Resubmissions
04-02-2023 21:43
230204-1lbwcseg47 10Analysis
-
max time kernel
133s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
04-02-2023 21:43
Static task
static1
Behavioral task
behavioral1
Sample
VSCodeUserSetup-x64-1.74.3/VSCodeUserSetup-x64-1.74.3.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
VSCodeUserSetup-x64-1.74.3/VSCodeUserSetup-x64-1.74.3.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgcc_s_seh-1.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral4
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgcc_s_seh-1.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgmp-10.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral6
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgmp-10.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgnutls-30.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral8
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgnutls-30.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcore.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral10
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcore.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcsubs.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral12
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcsubs.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfds.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfds.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfdvdec.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral16
Sample
VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfdvdec.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
VSCodeUserSetup-x64-1.74.3/upl/locales/MemoryDiagnostic.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral18
Sample
VSCodeUserSetup-x64-1.74.3/upl/locales/MemoryDiagnostic.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
VSCodeUserSetup-x64-1.74.3/upl/locales/MessagingDataModel2.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral20
Sample
VSCodeUserSetup-x64-1.74.3/upl/locales/MessagingDataModel2.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
VSCodeUserSetup-x64-1.74.3/upl/locales/docs/defaults.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral22
Sample
VSCodeUserSetup-x64-1.74.3/upl/locales/docs/defaults.xml
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
VSCodeUserSetup-x64-1.74.3/upl/locales/mcupdate_GenuineIntel.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
VSCodeUserSetup-x64-1.74.3/upl/locales/mcupdate_GenuineIntel.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
VSCodeUserSetup-x64-1.74.3/upl/locales/docs/defaults.xml
-
Size
2KB
-
MD5
bc0afacd8028e222472bb32474db8148
-
SHA1
826f5ec70527440c72e0be67cd4744d95f45f288
-
SHA256
0d2e249a171a07a0b412c9f3eca041e772d530991d6333f9c96600c8c0935027
-
SHA512
d65ac28f18ae9886f05f19feb209b6b26199c9353928f304ed705efa9e0632b66442fde52e6fcabdc81a9b3b42bb3a751df5e08929acea14ecbfb43294214664
Malware Config
Signatures
-
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000dc0e761537f4e3d0b940821e585059259292fee8a4273aca7ef5bf1ce834c8a6000000000e800000000200002000000002c769b9d1be642c5c1cbb7d20b30d4dcd23bfee327efe2e5fee54fec9d0720920000000d6afc76ad5f4cacad13187587dce26d2da5704a89e2a4f5a4e9aeb1f5d209f3840000000d79eb9e8d15baf01defe2c5ec8edd7dac7984e14d62a8774deb59419dc9181cc3a09e0c577be775dadc68be860fb3affeb910be238f7b4e34293d31e8cde56e4 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20009277ea38d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1995122274" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31013098" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A1EB6423-A4DD-11ED-919F-DAB196BEBF97} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31013098" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31013098" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000020c83d1aee3f2c9fe90b9b291273bc96059e2d57878d597cfb9edbcd41680934000000000e8000000002000020000000284389f43db9de602c8d97d938e8837e8cede0f2bbed983bf8c793ee200608a62000000044c1802538281e52598a5885854485019a55c3cf5990aff66f2235d8163cb3ce4000000083ac5a1a729787aace944153d272e4fac06caf21cf1f4e60f94142b03570ed8c6eac7a90c8959cf2439f32a570407e714c16789bf477247d70c2b7c7af12d23c iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2019f677ea38d901 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1995122274" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382315708" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2012623520" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31013098" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2012623520" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4316 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4316 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4316 iexplore.exe 4316 iexplore.exe 4816 IEXPLORE.EXE 4816 IEXPLORE.EXE 4816 IEXPLORE.EXE 4816 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2596 wrote to memory of 4316 2596 MSOXMLED.EXE 80 PID 2596 wrote to memory of 4316 2596 MSOXMLED.EXE 80 PID 4316 wrote to memory of 4816 4316 iexplore.exe 84 PID 4316 wrote to memory of 4816 4316 iexplore.exe 84 PID 4316 wrote to memory of 4816 4316 iexplore.exe 84
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\VSCodeUserSetup-x64-1.74.3\upl\locales\docs\defaults.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\VSCodeUserSetup-x64-1.74.3\upl\locales\docs\defaults.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4316 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4816
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD58a7207e4856d7203b09f88754603c2a0
SHA105fc6b1d3b6f392d5b4d5c30bf4625ecb9a6167a
SHA25611233063afbe9a4dd8dd99bc27cc126ffb19a5db3f50f4834127c40900e5b6f0
SHA512095f97025cc8567dd07c91862906e9e0bfe3aafd99cd7f45f3e1dbd326ee3f2f5156406e3cd8b281900ce51a7bbee151c0a8b380310a9542a82eb24a25fc40c8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD5854e937e0256ec064e3ce8338c5bd088
SHA15e763a2f0ee26c9cc9876135d9985ceab33f287d
SHA256107a4b07963b297d79df12697d9f182a7c4c95604fe9480202adb4048bbe9928
SHA5124cb25cac6a8ee9338b1fa32a0a100ed5fd9168f6c12240cbb2cdbdaae59b59ef2124d0530f0b1015cbe96587701572aad4cd5148251aa50434d30b0cecaa0606