Overview
overview
1Static
static
15319275A.W...1).zip
windows10-1703-x64
1WhatsApp_2...f.appx
windows10-1703-x64
WhatsApp_2...r.appx
windows10-1703-x64
WhatsApp_2...n.appx
windows10-1703-x64
WhatsApp_2...g.appx
windows10-1703-x64
WhatsApp_2...n.appx
windows10-1703-x64
WhatsApp_2...a.appx
windows10-1703-x64
WhatsApp_2...s.appx
windows10-1703-x64
WhatsApp_2...a.appx
windows10-1703-x64
WhatsApp_2...e.appx
windows10-1703-x64
WhatsApp_2...l.appx
windows10-1703-x64
WhatsApp_2...s.appx
windows10-1703-x64
WhatsApp_2...t.appx
windows10-1703-x64
WhatsApp_2...a.appx
windows10-1703-x64
WhatsApp_2...i.appx
windows10-1703-x64
WhatsApp_2...n.appx
windows10-1703-x64
WhatsApp_2...r.appx
windows10-1703-x64
WhatsApp_2...u.appx
windows10-1703-x64
WhatsApp_2...e.appx
windows10-1703-x64
WhatsApp_2...i.appx
windows10-1703-x64
[Content_Types].xml
windows10-1703-x64
1Microsoft....we.cab
windows10-1703-x64
1BlockMap.xml
windows10-1703-x64
1Microsoft....we.cab
windows10-1703-x64
1BlockMap.xml
windows10-1703-x64
1Microsoft....we.cab
windows10-1703-x64
1BlockMap.xml
windows10-1703-x64
1Microsoft....we.cab
windows10-1703-x64
1BlockMap.xml
windows10-1703-x64
1Microsoft....we.cab
windows10-1703-x64
1BlockMap.xml
windows10-1703-x64
1Analysis
-
max time kernel
93s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
13-04-2023 20:08
Static task
static1
Behavioral task
behavioral1
Sample
5319275A.WhatsAppDesktop_2.2313.6.0_neutral_~_cv1g1gvanyjgm (1).zip
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
WhatsApp_2.2313.6.0_language-af.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
WhatsApp_2.2313.6.0_language-ar.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
WhatsApp_2.2313.6.0_language-az-latn.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral5
Sample
WhatsApp_2.2313.6.0_language-bg.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
WhatsApp_2.2313.6.0_language-bn.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
WhatsApp_2.2313.6.0_language-ca.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
WhatsApp_2.2313.6.0_language-cs.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral9
Sample
WhatsApp_2.2313.6.0_language-da.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
WhatsApp_2.2313.6.0_language-de.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
WhatsApp_2.2313.6.0_language-el.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
WhatsApp_2.2313.6.0_language-es.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral13
Sample
WhatsApp_2.2313.6.0_language-et.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
WhatsApp_2.2313.6.0_language-fa.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral15
Sample
WhatsApp_2.2313.6.0_language-fi.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
WhatsApp_2.2313.6.0_language-fil-latn.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral17
Sample
WhatsApp_2.2313.6.0_language-fr.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
WhatsApp_2.2313.6.0_language-gu.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral19
Sample
WhatsApp_2.2313.6.0_language-he.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
WhatsApp_2.2313.6.0_language-hi.appx
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral21
Sample
[Content_Types].xml
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__8wekyb3d8bbwe.cab
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral23
Sample
BlockMap.xml
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__8wekyb3d8bbwe.cab
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral25
Sample
BlockMap.xml
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
Microsoft.UI.Xaml.2.8_8.2212.15002.0_x64__8wekyb3d8bbwe.cab
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral27
Sample
BlockMap.xml
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
Microsoft.VCLibs.140.00.UWPDesktop_14.0.30704.0_x64__8wekyb3d8bbwe.cab
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral29
Sample
BlockMap.xml
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
Microsoft.VCLibs.140.00_14.0.30704.0_x64__8wekyb3d8bbwe.cab
Resource
win10-20230220-en
windows10-1703-x64
Behavioral task
behavioral31
Sample
BlockMap.xml
Resource
win10-20230220-en
windows10-1703-x64
General
-
Target
BlockMap.xml
-
Size
1KB
-
MD5
0a2f905f3ad824ba476bc6cc5a9d63d3
-
SHA1
90437f072fc847a2b4c0024b1362ec8443e32ecb
-
SHA256
4e8e0684caeb9a31c6c538f44670c25f33efa65737dd5d2706d782d4aaadba73
-
SHA512
892f7d8050c99c8554cdf64c6fe291ad6b9058969ca0c72d336d06e167bc047804894302070ace011994b4932959ea9a2fdd39a8aa77e951572ddba7c879beb2
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C16CF3C-DA37-11ED-9346-66236AA79184} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b04712446ed901 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "286847396" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31026756" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0525812446ed901 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "277628565" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc00000000020000000000106600000001000020000000d2a807eae403dc1dd723ded2624508b4a208cf4ca44d78fae2c3c3edf2704baf000000000e8000000002000020000000af9baedc2e2b522d3e87472541b408a05c8e9e22f8538da167c983a658048bd62000000067449bd1f3fea1b5700cf97c69c9170d9c8fd0828728a0fc6948c4aa6cb768c240000000608950c39aed84302fbeebdbec156cf4afa2aaaa9a716f26efe8c283cfecf303db1235cbb920c0297dbefbafaefec3be1d529720c5b446038702fb588854d51e iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388181603" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "388230189" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026756" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "277628565" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026756" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc00000000020000000000106600000001000020000000dc8d50a461ae9d923c64226ca7ddd89c10a2a0222c1635758e8295aae2a6158d000000000e800000000200002000000019bb2f323335117df549b515e5791ace1b0b07776ad7e50e56a7025a020775d520000000a88c9a95368313d8d7e90202393d49b7dbfb19a91229b1606ad9175e1689fa90400000009304d9d674848e52e896c1c09ea6a09318d6477e0ea51a8861c2924443e8e5098fd8ce9b529990398173fcf2b58fd15d4728855d07bd2ac1716fc6d2c3b42801 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "388198197" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2488 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2488 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2488 iexplore.exe 2488 iexplore.exe 4160 IEXPLORE.EXE 4160 IEXPLORE.EXE 4160 IEXPLORE.EXE 4160 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2200 wrote to memory of 2488 2200 MSOXMLED.EXE 66 PID 2200 wrote to memory of 2488 2200 MSOXMLED.EXE 66 PID 2488 wrote to memory of 4160 2488 iexplore.exe 68 PID 2488 wrote to memory of 4160 2488 iexplore.exe 68 PID 2488 wrote to memory of 4160 2488 iexplore.exe 68
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlockMap.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\BlockMap.xml2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:82945 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4160
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5dd25eece262055fa2e7c798da8245627
SHA17f8dff5bf53fc2a6775d657cf30e43c712333a5e
SHA25667d71d2d39ee7819764bef14658bb14d434a0969010f4a63936a478e55441637
SHA512268aba5ef911eb1dec777fd52bbe230adceefae7b6c145e41d1ab4531b6e3f2858141325d4da67422078181fdf7641df475bb68384cecb334a3c24bee62676d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5dab2f842a04415c9af34ecb7c1e96f69
SHA1ebcfc3b8c1d096b2f078b32161e4ed73088ba1a3
SHA256b9ab06e80b430549a8d54851dd5fbb7cf4958cadf10a048240e1ad4b0e5a8433
SHA512cdce00ed6434c334b86995dc868e9a1cd8f1ce1b37ab1f2f222ae9cd5de1ba44dccf128d5d0560108028657bb47b5314a1c6321da2654aa679941a8377e1613f
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
608B
MD505916b5d7e23ad2372c85416f4339500
SHA1fbbd3e17b0db5bc4767587390364b789650d0832
SHA2565a439c5b32ea3818ca5cac4392c718bf29c9a87fc57820cc75a9d7025801c9e6
SHA512fd40939360b59b769bbe42dd97d280e1bfcb7c942681d3a9638cfca9f9fd3fb593ef8429c284266903e4d1b7f0040b50da0871e60abea332d363b1ac4851d41e