Overview

Tasks in this submission (the number shown beside each task is its score in the report; names are truncated as displayed):
- 9 Static (static)
- 1 ItroublveTSC.exe (windows10-1703-x64)
- 9 bin/App.xml (windows10-1703-x64)
- 1 bin/Binari...rv.exe (windows10-1703-x64)
- 9 bin/Program.js (windows10-1703-x64)
- 1 bin/Proper...er.vbs (windows10-1703-x64)
- 1 bin/Proper...es.vbs (windows10-1703-x64)
- 1 bin/obf/CLI.exe (windows10-1703-x64)
- 1 bin/obf/Co...re.dll (windows10-1703-x64)
- 1 bin/obf/Co...er.dll (windows10-1703-x64)
- 1 bin/obf/Co...ns.dll (windows10-1703-x64)
- 1 bin/obf/Co...er.dll (windows10-1703-x64)
- 1 bin/obf/Co...me.dll (windows10-1703-x64)
- 1 bin/obf/Teen.dll (windows10-1703-x64)
- 1 bin/obf/dnlib.dll (windows10-1703-x64)
- 1 bin/packag...le.dll (windows10-1703-x64)
- 1 bin/packag...le.dll (windows10-1703-x64)
- 1 bin/packag...le.dll (windows10-1703-x64)
- 1 bin/packag...le.dll (windows10-1703-x64)
Analysis
- max time kernel: 371s
- max time network: 435s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 13/02/2023, 19:10
Static task: static1

Behavioral tasks (task id: sample, resource):
- behavioral1: ItroublveTSC.exe, win10-20220812-en
- behavioral2: bin/App.xml, win10-20220901-en
- behavioral3: bin/Binaries/RtkBtManServ.exe, win10-20220812-en
- behavioral4: bin/Program.js, win10-20220812-en
- behavioral5: bin/Properties/Resources.Designer.vbs, win10-20220812-en
- behavioral6: bin/Properties/Resources.vbs, win10-20220901-en
- behavioral7: bin/obf/CLI.exe, win10-20220812-en
- behavioral8: bin/obf/Confuser.Core.dll, win10-20220812-en
- behavioral9: bin/obf/Confuser.DynCipher.dll, win10-20220901-en
- behavioral10: bin/obf/Confuser.Protections.dll, win10-20220812-en
- behavioral11: bin/obf/Confuser.Renamer.dll, win10-20220812-en
- behavioral12: bin/obf/Confuser.Runtime.dll, win10-20220812-en
- behavioral13: bin/obf/Teen.dll, win10-20220901-en
- behavioral14: bin/obf/dnlib.dll, win10-20220812-en
- behavioral15: bin/packages/System.IO.Compression.ZipFile.4.3.0/lib/net46/System.IO.Compression.ZipFile.dll, win10-20220812-en
- behavioral16: bin/packages/System.IO.Compression.ZipFile.4.3.0/lib/netstandard1.3/System.IO.Compression.ZipFile.dll, win10-20220812-en
- behavioral17: bin/packages/System.IO.Compression.ZipFile.4.3.0/ref/net46/System.IO.Compression.ZipFile.dll, win10-20220812-en
- behavioral18: bin/packages/System.IO.Compression.ZipFile.4.3.0/ref/netstandard1.3/System.IO.Compression.ZipFile.dll, win10-20220901-en
General
- Target: bin/App.xml
- Size: 184B
- MD5: 13ff21470b63470978e08e4933eb8e56
- SHA1: 3fa7077272c55e85141236d90d302975e3d14b2e
- SHA256: 16286566d54d81c3721f7ecf7f426d965de364e9be2f9e628d7363b684b6fe6a
- SHA512: 56d0e52874744df091ba8421eeda9c37854ece32a826bd251f74b88b6334df69736b8cd97104e6e7b2279ef01d2144fee100392744cc1afb7025ebbad5c307a8
Malware Config
Signatures
- Modifies Internet Explorer settings (registry IoCs). Every key below lives under \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer, the sandbox user's HKCU hive; paths are given relative to that key, with the writing process in parentheses.
  - Key created: TabbedBrowsing (iexplore.exe)
  - Set value (str): DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  - Key created: FlipAhead\Meta (iexplore.exe)
  - Set value (data): FlipAhead\Meta\generator$MediaWiki (iexplore.exe)
  - Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Set value (str): Main\FullScreen = "no" (iexplore.exe)
  - Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Set value (data): FlipAhead\Meta\generator$vBulletin 3 (iexplore.exe)
  - Set value (int): FlipAhead\NextUpdateDate = "383129100" (iexplore.exe)
  - Set value (int): HistoryJournalCertificate\NextUpdateDate = "383097108" (iexplore.exe)
  - Set value (int): VersionManager\LastUpdateLowDateTime = "714631853" (iexplore.exe)
  - Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
  - Set value (data): FlipAhead\Meta\generator$blogger (iexplore.exe)
  - Key created: Main (IEXPLORE.EXE)
  - Key created: VersionManager (iexplore.exe)
  - Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f5aa2b8c53421a4182c964ea3f8331ee00000000020000000000106600000001000020000000d29d31bb2d05a7dbb6580a4c75ef6d72f5b585c2e391cf328e18c5dee575aefd000000000e80000000020000200000008c9fa8afdced761254990b108f76f5fa957ab71debbaf14f5462153f4e30d20c2000000054489f640da714d6d08f2f47576d16f36b02fc512e712a090c2b2c41beaac40f40000000f4a9f58d58eb94da6e3f944bebbb17052cc6e453def45c86e504c72624e9aaf21cb494eb656b68be0ddc742f93360906dadf4087ff775a3dcd9785de353f33c7 (iexplore.exe). This is a DPAPI-protected blob: the 01000000 version word followed by the df9d8cd0-1501-11d1-8c7a-00c04fc297eb provider GUID is the standard CryptProtectData header, so the content is only recoverable under that user's DPAPI master key.
  - Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = 80febf2bdf3fd901 (iexplore.exe)
  - Key created: DomainSuggestion\FileNames (iexplore.exe)
  - Key created: Main (iexplore.exe)
  - Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
  - Set value (int): Recovery\AdminActive\{55A95B2F-ABD2-11ED-9424-42569F8D2136} = "0" (iexplore.exe)
  - Set value (int): VersionManager\LastCheckForUpdateHighDateTime = "31014879" (iexplore.exe)
  - Set value (int): VersionManager\LastCheckForUpdateLowDateTime = "730414389" (IEXPLORE.EXE)
  - Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  - Key created: DomainSuggestion\FileNames\ (iexplore.exe)
  - Key created: Recovery\PendingRecovery (iexplore.exe)
  - Set value (str): Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  - Set value (int): VersionManager\LastUpdateHighDateTime = "31014879" (iexplore.exe)
  - Set value (int): VersionManager\LastCheckForUpdateHighDateTime = "31014879" (IEXPLORE.EXE)
  - Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = b05caf2bdf3fd901 (iexplore.exe)
  - Key created: DomainSuggestion (iexplore.exe)
  - Set value (int): DomainSuggestion\NextUpdateDate = "383080514" (iexplore.exe)
  - Set value (data): FlipAhead\Meta\generator$vBulletin 4 (iexplore.exe)
  - Key created: Recovery\AdminActive (iexplore.exe)
  - Key created: Main\WindowsSearch (iexplore.exe)
  - Key created: Main\WindowsSearch (IEXPLORE.EXE)
  - Set value (data): FlipAhead\Meta\generator$http://www.typepad.com/ (iexplore.exe)
  - Key created: HistoryJournalCertificate (iexplore.exe)
  - Set value (int): VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
  - Set value (int): VersionManager\LastCheckForUpdateLowDateTime = "714788009" (iexplore.exe)
  - Set value (data): FlipAhead\Meta\generator$WordPress (iexplore.exe)
  - Set value (data): FlipAhead\Meta\generator$Telligent (iexplore.exe)
  - Set value (int): FlipAhead\FileVersion = "2016061511" (iexplore.exe)
  - Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Key created: VersionManager (IEXPLORE.EXE)
  - Key created: FlipAhead (iexplore.exe)
  - Set value (int): VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
  - Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f5aa2b8c53421a4182c964ea3f8331ee00000000020000000000106600000001000020000000ee5c8e47a07d2d2fdd83adaffbd1619ef1a65ee3a7ba656198ebee0571e4d792000000000e8000000002000020000000f55f4df6902794227aaae84eb2640c8134ce3736dfb54d9987bdfda552b889c020000000d342deee30cafd275627db5ddd207febfaceca03ed865dd2e629ebd87f991cdc40000000ca75fdcca6b4c52f6ac675e314812e4e333394a789497887fdf7d054bde73d822735dc4690f86b07d35f438044d4b960ee5c4476d2ed0b8b4ceaa47d5c9329f3 (iexplore.exe), again a DPAPI blob with the same header.
  - Set value (data): FlipAhead\Meta\generator$Discuz! (iexplore.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 4936 iexplore.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 4936 iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 4936 iexplore.exe
  - PID 4936 iexplore.exe
  - PID 2300 IEXPLORE.EXE
  - PID 2300 IEXPLORE.EXE
  - PID 2300 IEXPLORE.EXE
  - PID 2300 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (5 IoCs; description, pid, process, procid_target)
  - PID 4760 wrote to memory of 4936; pid 4760, MSOXMLED.EXE, procid_target 66
  - PID 4760 wrote to memory of 4936; pid 4760, MSOXMLED.EXE, procid_target 66
  - PID 4936 wrote to memory of 2300; pid 4936, iexplore.exe, procid_target 68
  - PID 4936 wrote to memory of 2300; pid 4936, iexplore.exe, procid_target 68
  - PID 4936 wrote to memory of 2300; pid 4936, iexplore.exe, procid_target 68
Processes
- C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE (PID 4760)
  Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\bin\App.xml"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 4936, child of 4760)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\bin\App.xml
    Signatures: Modifies Internet Explorer settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2300, child of 4936)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4936 CREDAT:82945 /prefetch:2
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
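The signatures and process tree above describe the sandbox's own file-association chain rather than code in App.xml: MSOXMLED.EXE is launched with /verb open on the .xml, it hands the file to iexplore.exe, which spawns its IEXPLORE.EXE content process, and every registry IoC is an Internet Explorer housekeeping key under the sandbox user's hive. Both WriteProcessMemory IoCs are a parent writing into a child it has just created. The script below is an added example, not part of the report or of any sandbox API: it parses IoC lines in the shape shown above (that line format, the PROCESSES map and the SPAWN_PARENT map are assumptions read off this report), rebuilds the process chain, and reports only cross-process writes whose writer is not the target's parent, plus registry keys outside the Internet Explorer hive. The sample records are constructed by copying entries from the report.

```python
"""Separate harness-induced IoCs from genuine injection in a Triage-style report.

Added example; record formats are assumed from the App.xml task text above and
the sample lines are constructed from that report, not fetched from a sandbox.
"""
import re
from collections import Counter, defaultdict

# Constructed: the "Suspicious use of WriteProcessMemory" IoC lines above.
WPM_IOCS = r"""
PID 4760 wrote to memory of 4936 4760 MSOXMLED.EXE 66
PID 4760 wrote to memory of 4936 4760 MSOXMLED.EXE 66
PID 4936 wrote to memory of 2300 4936 iexplore.exe 68
PID 4936 wrote to memory of 2300 4936 iexplore.exe 68
PID 4936 wrote to memory of 2300 4936 iexplore.exe 68
"""

# Constructed from the Processes section above: pid -> image, child -> parent.
PROCESSES = {4760: "MSOXMLED.EXE", 4936: "iexplore.exe", 2300: "IEXPLORE.EXE"}
SPAWN_PARENT = {4936: 4760, 2300: 4936}

# Constructed: a subset of the "Modifies Internet Explorer settings" IoCs above.
REG_IOCS = r"""
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "383129100" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80febf2bdf3fd901 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
"""

# Per-user Internet Explorer hive; keys outside it deserve a closer look.
IE_HIVE = "\\Software\\Microsoft\\Internet Explorer\\"

# "PID <src> wrote to memory of <dst> <pid> <image> <procid_target>"
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)
# "Key created <path> <proc>" or "Set value (<type>) <path> = <value> <proc>";
# the path may contain spaces, so it is matched lazily up to the trailing process.
REG_RE = re.compile(
    r"(?P<op>Key created|Set value \(\w+\)) (?P<path>\\REGISTRY\\.+?)"
    r"(?: = (?P<value>.+?))? (?P<proc>\S+)$"
)


def parse_wpm(text):
    """Return the unique (writer_pid, target_pid, writer_image) edges, in order."""
    edges = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edge = (int(m["src"]), int(m["dst"]), m["image"])
            if edge not in edges:
                edges.append(edge)
    return edges


def process_tree(edges, processes):
    """Render writer->target edges as (depth, image) rows, root first."""
    children, targets = defaultdict(list), set()
    for src, dst, _ in edges:
        children[src].append(dst)
        targets.add(dst)
    rows = []

    def walk(pid, depth, seen):
        if pid in seen:  # guard against a cyclic or self-referencing report
            return
        rows.append((depth, processes.get(pid, f"pid {pid}")))
        for child in children.get(pid, []):
            walk(child, depth + 1, seen | {pid})

    for root in sorted(set(children) - targets):
        walk(root, 0, frozenset())
    return rows


def foreign_writes(edges, spawn_parent):
    """Edges whose writer is not the target's parent. A parent writing into a
    child it just created (process parameters at start-up) is expected; any
    other cross-process write is the one worth triaging."""
    return [e for e in edges if spawn_parent.get(e[1]) != e[0]]


def summarize_registry(text):
    """Count registry IoCs by operation and by writing process, and list every
    key that is not under the per-user Internet Explorer hive."""
    by_op, by_proc, outside = Counter(), Counter(), []
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        by_op[m["op"]] += 1
        by_proc[m["proc"].lower()] += 1
        if IE_HIVE.lower() not in m["path"].lower():
            outside.append(m["path"])
    return {"by_op": dict(by_op), "by_proc": dict(by_proc), "outside_ie": outside}


if __name__ == "__main__":
    edges = parse_wpm(WPM_IOCS)
    for depth, image in process_tree(edges, PROCESSES):
        print("  " * depth + image)
    print("foreign writes:", foreign_writes(edges, SPAWN_PARENT))
    print(summarize_registry(REG_IOCS))
```

On this report the script reproduces the MSOXMLED.EXE > iexplore.exe > IEXPLORE.EXE chain, finds no foreign writes and no keys outside the Internet Explorer hive; a real injection into an unrelated process, or a Run key, would show up in those two lists.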
Network
MITRE ATT&CK Enterprise v6
Downloads
The first two entries are in CryptnetUrlCache, which is crypt32's on-disk cache for certificate, CRL and OCSP objects fetched over the network; they are produced by the Windows crypto stack on behalf of the browser processes, not written by the sample.
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 3e472b0f5a701aa836fb601ca75b32f6
  SHA1: 36058caf014a2a437db05da767e8992cf44fd7ab
  SHA256: 8b96d03923483c423948faac348c850ec54cd35621836d1612259b825f6498ea
  SHA512: 5885c94f81236f2aedb5c30fffa128550eb5b52e609ef5ae2bc5a21b50500cc08652bdcc4eb037137ca703b7c9b18e47965d33906f8b3b7b028347681b7470fa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: c61d3b011b7ac613a12030b40d5dab87
  SHA1: b44b8f3d1fef9dc5818dc914e5751f6a0dd4735c
  SHA256: c6d51564bbede8972f6713a41725766735692d531767997a98ff0888b2c1351b
  SHA512: c23f1c036fab9750aaf370dbf700387938ed816caae222caead334a1be6ac759bce8dff3e25bef015aacc67c1c64b5cc00afd2dfba9394118b6ec724bb720790
- (path not shown in the report)
  Filesize: 615B
  MD5: b5ec6a1fc58c678198e1f94011f3c289
  SHA1: 4d5a5db62b0f1921fc17cf491ca6a9c7f7c2569f
  SHA256: a923883559c5ad4335c19ed092f19a14298d0c715ba4d39b49804bf4ca730f07
  SHA512: 777f235f2d51cdb67fc19fe89dc8929953465f1873d4aa93c0c85c00d02baf5dc6b0af207dde148b79cc766a56e8731d8825680e6f5bd09883eb8416e121fa1e