Overview
overview
10Static
static
101JATLV2V.zip
windows7-x64
11JATLV2V.zip
windows10-2004-x64
1NagTracking[1].htm
windows7-x64
1NagTracking[1].htm
windows10-2004-x64
1NagTracking[2].htm
windows7-x64
1NagTracking[2].htm
windows10-2004-x64
1getipaddress[1].htm
windows7-x64
1getipaddress[1].htm
windows10-2004-x64
1handdiy_4[1].exe
windows7-x64
7handdiy_4[1].exe
windows10-2004-x64
7plus[1].htm
windows7-x64
1plus[1].htm
windows10-2004-x64
1Analysis
-
max time kernel
92s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14-02-2023 21:45
Behavioral task
behavioral1
Sample
1JATLV2V.zip
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral2
Sample
1JATLV2V.zip
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
NagTracking[1].htm
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral4
Sample
NagTracking[1].htm
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
NagTracking[2].htm
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral6
Sample
NagTracking[2].htm
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
getipaddress[1].htm
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
getipaddress[1].htm
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
handdiy_4[1].exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
handdiy_4[1].exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
plus[1].htm
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral12
Sample
plus[1].htm
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
NagTracking[1].htm
-
Size
178B
-
MD5
bd2695f4b079c71dbddde3436286fb9c
-
SHA1
733c05da132193d6cf1d8e242d12e2525c03bab4
-
SHA256
2e04a18ff185ba5b16f762a0538339bc4049aceaef9738edd43af77d2ceb788b
-
SHA512
5b73af24d095f7593026d3f211da6775d91c2efb5cdb0e0258ccca8edd3f8645cdf80d8338c863794d260f4bca08637233be3548d83e7225518dee2f47560798
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383179717" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0c9e725c640d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "612511533" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015110" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "622354661" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80dcfa25c640d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "612511533" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4F7A9107-ACB9-11ED-89AC-D2D0017C8629} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015110" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015110" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094ece7c065546e4fad195dbdde5412d2000000000200000000001066000000010000200000002d23bcef1032ce51592d6a58c20426d7e5b64177eb2a9e30a1d637517295ed67000000000e80000000020000200000004b4190e314bf079daceee5c1f4d3a1735636d393a4d365e23e9438345ef7695e20000000d061e30cf566a059159596781bb62d790550f669b7070f408593aa0faa031b32400000005decffe1d344c3d5ceb5dd2e78e665c735c562a030b9c19722a77f30e7067c8732dd4eef1fa5db819c816a67190f66d472a6aefec58e4cf60d3662b3a52bdb19 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094ece7c065546e4fad195dbdde5412d200000000020000000000106600000001000020000000b4ef10e026b4de870654cd9c63e491c768d001ade0e9c7f34804fa7a1643f91b000000000e80000000020000200000000ce6e334544048ac9357514e98d8328c28e5e7576a718977481e8c765a6098f4200000007bfc1d75c796e6f8cdaf519cc70e41ea41e5f4a766c01c042a4917ccc4c168d740000000db384a3863ff8d323bf14720c7c61d098cee3865fd5093a8e7088c919005f9da6e17dced13f54d3c17c25627c4ac554dfc8380769def827fc6d5966f49029f99 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "622354661" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015110" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2492 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2492 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2492 iexplore.exe 2492 iexplore.exe 4412 IEXPLORE.EXE 4412 IEXPLORE.EXE 4412 IEXPLORE.EXE 4412 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2492 wrote to memory of 4412 2492 iexplore.exe 79 PID 2492 wrote to memory of 4412 2492 iexplore.exe 79 PID 2492 wrote to memory of 4412 2492 iexplore.exe 79
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\NagTracking[1].htm1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4412
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5dd3762c0e3e884c5b1810e000d348bae
SHA1a5c25fc58e5f1ab11c2eae9fb8fd640b35ea6e1f
SHA256513f96d78d0b4e87981ab4764943bc623fbb5bd28afc86fa8c259c590aa42514
SHA512df20a18964229e3101d4769cd8696e92cb9246e91538d6b0ecf66363e55f1466370613074cb98a28c00b478087d594f247591e1988ccbb25f5d331b4157cb245
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD5e29a1249279668ad7712e5f9c31f8c7d
SHA10838eb6018b6496074f2f0510137d521837d0aae
SHA2563b5c63cfc594b82caf1d03961b9e4ecd534aee8e188600326bf0749d7dfc99d3
SHA512b1ee877ef8c18ef87cf7f93a852e217e62bdd1aa6faa2e66a203a66bad3366ad3171e91daa6bc6bbb796e7b47bce4d083961193f56650a6f9a4ca128dc115876