Overview
Score  Task                   Platform
3      Static                 static
1      gqkKxBl3G3...tb.zip    windows7-x64
1      gqkKxBl3G3...tb.zip    windows10-2004-x64
1      Temp1_TEC3...).zip_    windows7-x64
3      Temp1_TEC3...).zip_    windows10-2004-x64
3      file-acqui...jk.xml    windows7-x64
1      file-acqui...jk.xml    windows10-2004-x64
1      files-raw....Pb.xml    windows7-x64
1      files-raw....Pb.xml    windows10-2004-x64
1      manifest.json          windows7-x64
3      manifest.json          windows10-2004-x64
3      metadata.json          windows7-x64
3      metadata.json          windows10-2004-x64
3      script.xml             windows7-x64
1      script.xml             windows10-2004-x64
1      sysinfo.4O...pD.xml    windows7-x64
1      sysinfo.4O...pD.xml    windows10-2004-x64
Analysis
- score: 1
- max time kernel: 91s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/02/2023, 15:05
Tasks
- static1 (Static task)
- behavioral1: gqkKxBl3G3bfRT6q3vs4tb.zip on win7-20220812-en
- behavioral2: gqkKxBl3G3bfRT6q3vs4tb.zip on win10v2004-20221111-en
- behavioral3: Temp1_TEC355O-Living-into-our-Commitments-and-Effecting-Social-C-2022-Dec-01_21-20-18-031 (1).zip_ on win7-20220812-en
- behavioral4: Temp1_TEC355O-Living-into-our-Commitments-and-Effecting-Social-C-2022-Dec-01_21-20-18-031 (1).zip_ on win10v2004-20220812-en
- behavioral5: file-acquisition-raw-issues.SBATyvPdjH47BIZ5LIiOjk.xml on win7-20221111-en
- behavioral6: file-acquisition-raw-issues.SBATyvPdjH47BIZ5LIiOjk.xml on win10v2004-20220901-en
- behavioral7: files-raw.02yWR7s32W07cyKDS54YPb.xml on win7-20221111-en
- behavioral8: files-raw.02yWR7s32W07cyKDS54YPb.xml on win10v2004-20220812-en
- behavioral9: manifest.json on win7-20221111-en
- behavioral10: manifest.json on win10v2004-20220812-en
- behavioral11: metadata.json on win7-20221111-en
- behavioral12: metadata.json on win10v2004-20220812-en
- behavioral13: script.xml on win7-20220901-en
- behavioral14: script.xml on win10v2004-20220812-en
- behavioral15: sysinfo.4OBd0NfrLz74ffVhS1ZlpD.xml on win7-20221111-en
- behavioral16: sysinfo.4OBd0NfrLz74ffVhS1ZlpD.xml on win10v2004-20221111-en
General
- Target: files-raw.02yWR7s32W07cyKDS54YPb.xml
- Size: 1KB
- MD5: 8f2dcf8552a107e8e675f267a70b9306
- SHA1: 6589033fbcec132906412765429706b5a36e988e
- SHA256: a951d462ec57c30a694e8315fc0d81e00feee91edaa604c08c1b70c1bc460524
- SHA512: bc5668bd387b8eb0bbdd38e4a763df3c14afafa2a3a71264a4bb20226e9266855522c897fa28db503da463a5ab3ebad7348afd6eb4eb5a63d3951abe3a97b390
Malware Config
Signatures
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2976  iexplore.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2976  iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  2976  iexplore.exe
  2976  iexplore.exe
  4436  IEXPLORE.EXE
  4436  IEXPLORE.EXE
  4436  IEXPLORE.EXE
  4436  IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process       procid_target
  PID 2476 wrote to memory of 2976   2476  MSOXMLED.EXE  80
  PID 2476 wrote to memory of 2976   2476  MSOXMLED.EXE  80
  PID 2976 wrote to memory of 4436   2976  iexplore.exe  82
  PID 2976 wrote to memory of 4436   2976  iexplore.exe  82
  PID 2976 wrote to memory of 4436   2976  iexplore.exe  82
Processes
- C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE (PID 2476)
  Command line: "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\files-raw.02yWR7s32W07cyKDS54YPb.xml"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2976)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\files-raw.02yWR7s32W07cyKDS54YPb.xml
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4436)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 3e41dd9366864e66b96c7435d56506ff
  SHA1: 7514d785e9fad54ffd07bde3f86d90bc4ac52bf8
  SHA256: 5902822e5633fd62796953f564224537bb472a22c1b4d0810f705f8e1e81603f
  SHA512: ba64698f66e406a64667af24aca8f6187b9c8a477551970d8ba0a73c089b9577bf7c2c1bb95c764f84dc98fdb76d126bbdb1ae96b0657291507af46a2a922d9f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: 0cb28dcef7cba60f117ad4316a23671e
  SHA1: cef59d82d9c6249f77bfb78251570dbd1b3a5447
  SHA256: 08de33d819d1bb62e23a9581f2c0df6668615631691f27f9faaf2a832afd892b
  SHA512: ed492bb5d85dfa2928eeda2fb33812088ccd34c489af87ae81abc4e26983c48f9b3f791aaa1186bd80e941cdb09dd49c107d9c1ac0d891ac58343c0561ae1b55