Analysis
- max time kernel: 91s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/02/2023, 15:05
Static task
- static1

Behavioral tasks
- behavioral1: sample gqkKxBl3G3bfRT6q3vs4tb.zip, resource win7-20220812-en
- behavioral2: sample gqkKxBl3G3bfRT6q3vs4tb.zip, resource win10v2004-20221111-en
- behavioral3: sample Temp1_TEC355O-Living-into-our-Commitments-and-Effecting-Social-C-2022-Dec-01_21-20-18-031 (1).zip_, resource win7-20220812-en
- behavioral4: sample Temp1_TEC355O-Living-into-our-Commitments-and-Effecting-Social-C-2022-Dec-01_21-20-18-031 (1).zip_, resource win10v2004-20220812-en
- behavioral5: sample file-acquisition-raw-issues.SBATyvPdjH47BIZ5LIiOjk.xml, resource win7-20221111-en
- behavioral6: sample file-acquisition-raw-issues.SBATyvPdjH47BIZ5LIiOjk.xml, resource win10v2004-20220901-en
- behavioral7: sample files-raw.02yWR7s32W07cyKDS54YPb.xml, resource win7-20221111-en
- behavioral8: sample files-raw.02yWR7s32W07cyKDS54YPb.xml, resource win10v2004-20220812-en
- behavioral9: sample manifest.json, resource win7-20221111-en
- behavioral10: sample manifest.json, resource win10v2004-20220812-en
- behavioral11: sample metadata.json, resource win7-20221111-en
- behavioral12: sample metadata.json, resource win10v2004-20220812-en
- behavioral13: sample script.xml, resource win7-20220901-en
- behavioral14: sample script.xml, resource win10v2004-20220812-en
- behavioral15: sample sysinfo.4OBd0NfrLz74ffVhS1ZlpD.xml, resource win7-20221111-en
- behavioral16: sample sysinfo.4OBd0NfrLz74ffVhS1ZlpD.xml, resource win10v2004-20221111-en
General
- Target: file-acquisition-raw-issues.SBATyvPdjH47BIZ5LIiOjk.xml
- Size: 486B
- MD5: eb94c1d5d89052ee13484e540288e924
- SHA1: 172025598e7eb6e839ef08e4993ebc6bbd895e57
- SHA256: c8e273ed4257e12f6fee2a7ddc9a05289e71f76afb9dd4214a754057192a387b
- SHA512: 9f37c698895c96ebe4a985ea4434e4e7e1aa229a26b743d94ff5c7b2b1a0b647e090d2f738bd932d3f066a6ca254ec89ab0eb9abeeb6f0fbcb74fafca194cce4
Malware Config
Signatures
Modifies Internet Explorer settings 41 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383238516" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "196296526" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015247" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015247" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ce890c4f41d901 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015247" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c07d0c4f41d901 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003710c56ab91bec4184f6ebcdce38ecab00000000020000000000106600000001000020000000b8765906caf3ff46c4911cf057ea320b570a4ca66a48ad01a791b1cbdf522645000000000e80000000020000200000008eb066246b96a7056d7b4194a80671146b2fd925dc9a663ee5f307cc5e4c46a52000000073ef7350e74342f43fa33fac6888999c7e0a36c7b534ed35900234a08129b60b40000000ab0f2e7816839c388da250836f54234f1f84f6043f4e2a313613898f0e47344cbb800f154dabde89abd6d144d7925fb9005b489d6bf9c4732232221ae3348477 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "196296526" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "205201624" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015247" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36C8F1F3-AD42-11ED-A0EE-C2D2A1265889} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003710c56ab91bec4184f6ebcdce38ecab000000000200000000001066000000010000200000009fe1f523514eb0409106ac727c29736041082cd9c4f1b5b53d78578c1117bda9000000000e800000000200002000000077256b50a739deaf195cb49479d15028fe11128931c47b2e6688cab12567b0692000000021a099af9d359aca321eb8f26d507b286f576ea7e83c357c2588b720806c37ce40000000f721ba39b56c835bf36ac1041772df62242c5588b33b369def98242e9fb53729bc8f59e725b746e32397e1da2fad44da18d51c41eeb6970c57b8020c4738574e | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "205201624" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4860 | iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4860 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
4860 | iexplore.exe
4860 | iexplore.exe
392 | IEXPLORE.EXE
392 | IEXPLORE.EXE
392 | IEXPLORE.EXE
392 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 3044 wrote to memory of 4860 | 3044 | MSOXMLED.EXE | 81
PID 3044 wrote to memory of 4860 | 3044 | MSOXMLED.EXE | 81
PID 4860 wrote to memory of 392 | 4860 | iexplore.exe | 83
PID 4860 wrote to memory of 392 | 4860 | iexplore.exe | 83
PID 4860 wrote to memory of 392 | 4860 | iexplore.exe | 83
Processes
1. C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE (PID 3044)
   Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\file-acquisition-raw-issues.SBATyvPdjH47BIZ5LIiOjk.xml"
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\iexplore.exe (PID 4860, child of 3044)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\file-acquisition-raw-issues.SBATyvPdjH47BIZ5LIiOjk.xml
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 392, child of 4860)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4860 CREDAT:17410 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 3e41dd9366864e66b96c7435d56506ff
  SHA1: 7514d785e9fad54ffd07bde3f86d90bc4ac52bf8
  SHA256: 5902822e5633fd62796953f564224537bb472a22c1b4d0810f705f8e1e81603f
  SHA512: ba64698f66e406a64667af24aca8f6187b9c8a477551970d8ba0a73c089b9577bf7c2c1bb95c764f84dc98fdb76d126bbdb1ae96b0657291507af46a2a922d9f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 53aaedf3217084f5c67c164b232be738
  SHA1: 2ff3fd01756873144da3b537d6e09566acc6a2cd
  SHA256: 8289b1c84a33ae860c3101c287e1df78d9154e4a712cf8de0740a31551413723
  SHA512: 47a6d3f573cc28ed409db3a240afb19f235bfc4dabe90a231496fcbb9d293a3507693eff373cbd1aee0b30956434c8c6f691a7f4254c8e8a69a6a023107b43a4