Overview
overview
7Static
static
789cb774edd...c0.apk
android-9-x86
1en_alias.vbs
windows7-x64
1en_alias.vbs
windows10-2004-x64
1gpen_handwriter_32
debian-9-armhf
1gpen_handwriter_64
ubuntu-18.04-amd64
gpen_handwriter_64
debian-9-armhf
gpen_handwriter_64
debian-9-mips
gpen_handwriter_64
debian-9-mipsel
libwbsafeedit
debian-9-armhf
libwbsafeedit_64
ubuntu-18.04-amd64
libwbsafeedit_64
debian-9-armhf
libwbsafeedit_64
debian-9-mips
libwbsafeedit_64
debian-9-mipsel
libwbsafeedit_x86
ubuntu-18.04-amd64
1libwbsafeedit_x86_64
ubuntu-18.04-amd64
1news.html
windows7-x64
1news.html
windows10-2004-x64
1jquery.1.7.1.min.js
windows7-x64
1jquery.1.7.1.min.js
windows10-2004-x64
1privacy_gu...n.html
windows7-x64
1privacy_gu...n.html
windows10-2004-x64
1privacy_policy.html
windows7-x64
1privacy_policy.html
windows10-2004-x64
1privacy_po...o.html
windows7-x64
1privacy_po...o.html
windows10-2004-x64
1privacy_po...d.html
windows7-x64
1privacy_po...d.html
windows10-2004-x64
1privacy_po...o.html
windows7-x64
1privacy_po...o.html
windows10-2004-x64
1privacy_po...e.html
windows7-x64
1privacy_po...e.html
windows10-2004-x64
1user_agreement.html
windows7-x64
1Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
08-10-2023 00:10
Static task
static1
Behavioral task
behavioral1
Sample
89cb774eddd70c9c39332fe1c87cb62baea5090b471260a0af27bf996b549ac0.apk
Resource
android-x86-arm-20230831-en
android-9-x86
Behavioral task
behavioral2
Sample
en_alias.vbs
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral3
Sample
en_alias.vbs
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
gpen_handwriter_32
Resource
debian9-armhf-20230831-en
debian-9-armhf
Behavioral task
behavioral5
Sample
gpen_handwriter_64
Resource
ubuntu1804-amd64-20230831-en
ubuntu-18.04-amd64
Behavioral task
behavioral6
Sample
gpen_handwriter_64
Resource
debian9-armhf-en-20211208
debian-9-armhf
Behavioral task
behavioral7
Sample
gpen_handwriter_64
Resource
debian9-mipsbe-20230831-en
debian-9-mips
Behavioral task
behavioral8
Sample
gpen_handwriter_64
Resource
debian9-mipsel-20230831-en
debian-9-mipsel
Behavioral task
behavioral9
Sample
libwbsafeedit
Resource
debian9-armhf-20230831-en
debian-9-armhf
Behavioral task
behavioral10
Sample
libwbsafeedit_64
Resource
ubuntu1804-amd64-20230831-en
ubuntu-18.04-amd64
Behavioral task
behavioral11
Sample
libwbsafeedit_64
Resource
debian9-armhf-en-20211208
debian-9-armhf
Behavioral task
behavioral12
Sample
libwbsafeedit_64
Resource
debian9-mipsbe-20230831-en
debian-9-mips
Behavioral task
behavioral13
Sample
libwbsafeedit_64
Resource
debian9-mipsel-20230831-en
debian-9-mipsel
Behavioral task
behavioral14
Sample
libwbsafeedit_x86
Resource
ubuntu1804-amd64-en-20211208
ubuntu-18.04-amd64
Behavioral task
behavioral15
Sample
libwbsafeedit_x86_64
Resource
ubuntu1804-amd64-20230831-en
ubuntu-18.04-amd64
Behavioral task
behavioral16
Sample
news.html
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral17
Sample
news.html
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
jquery.1.7.1.min.js
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral19
Sample
jquery.1.7.1.min.js
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
privacy_guide_children.html
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral21
Sample
privacy_guide_children.html
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
privacy_policy.html
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral23
Sample
privacy_policy.html
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
privacy_policy_ext_collect_personal_info.html
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral25
Sample
privacy_policy_ext_collect_personal_info.html
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
privacy_policy_ext_keyword_defined.html
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral27
Sample
privacy_policy_ext_keyword_defined.html
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
privacy_policy_ext_third_collect_info.html
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral29
Sample
privacy_policy_ext_third_collect_info.html
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
privacy_policy_simple.html
Resource
win7-20230831-en
windows7-x64
Behavioral task
behavioral31
Sample
privacy_policy_simple.html
Resource
win10v2004-20230915-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
user_agreement.html
Resource
win7-20230831-en
windows7-x64
General
-
Target
user_agreement.html
-
Size
121KB
-
MD5
cbbe3ef336ba2a7427ea20ce291cacb6
-
SHA1
367b5f8259e6ad25108c2dbbbdb77f7b034aad32
-
SHA256
3fbddaddea01a3a423cde052c39d245d54d44523624823554ecd642432332a54
-
SHA512
0816a1a859b324b10613f1f47e144813c9cfbe20804ad1aa3a43ed134cf3bb7c297fc3afc374a91e64c5f0f69a0822160d7a6c976e459f349be2785859632000
-
SSDEEP
3072:vPvBDmQjPW5ksiD6peUGgSurJ+40YYpdkt/9n:XvBNjPmEybJOK
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e2bff5aaf9d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf81200000000020000000000106600000001000020000000edd2392cbc65f101c0cac5796eae257a2c06520fa4ad0506c45770449939dca0000000000e8000000002000020000000f0869ccd1c961da77c527279b65b65a4693c3a2ea5d4aaa39833f65084707a5720000000a08feeb35ec7c0a0ca9f2375881be15fb4d9f8fc6b99bfc23157ae177223e70c400000007842ce3f07ae357165ab6b4fe74485e6979e5e2e1b6b1a3dd6d2e8c7ff21d27406b0790aa55ad5690e8eb12e70d3dbcabc3d11752caddc55c3eb744b130c0a20 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402905887" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19448881-659E-11EE-8393-76A8121F2E0E} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007832999c35766c4bae1b34334b3bf8120000000002000000000010660000000100002000000046cc8cc9fa3e7cbdbee8552ea70a6cc16e273d6082e53b0af0672fd8383f47ae000000000e8000000002000020000000fd9b048a296e2712752875c8e2b2235c0b0e31b8ce6381c49a3e7741aff7cb6990000000dbe50f883c7882ac1532f4717731043cac2e659fdaac46424cb197898bb203c83dd46bdedeab488edc93ed669a96e23b1074a58f987612b9b37324fea711cd2259a681769fd7c548f600e4cf64a41b86bf3b5a16b611d5d07fc69605ee416768cf7309756975b018fc1f21e5c0ffd17e66aa57c548ebcf3e291d736b275e8bddaff55c700b8a51f6525519976273628d40000000183c1376a9fd1381b67d763191c83910ba406679ff93e0a545f6aeef42462481b48bd4828056ff65feec7a9fc423ad98846362c0da329e34d4227833d260823f iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2800 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2800 iexplore.exe 2800 iexplore.exe 2604 IEXPLORE.EXE 2604 IEXPLORE.EXE 2604 IEXPLORE.EXE 2604 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2800 wrote to memory of 2604 2800 iexplore.exe 30 PID 2800 wrote to memory of 2604 2800 iexplore.exe 30 PID 2800 wrote to memory of 2604 2800 iexplore.exe 30 PID 2800 wrote to memory of 2604 2800 iexplore.exe 30
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\user_agreement.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2604
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50f06154936ef86f56474e00ab578e471
SHA1f76dc279f7588ec0403de9582b9ae9784bb3ac41
SHA2560704e8731db37afb518bbbc1a056e4c01f73f5d0b9334b47810da247214155fc
SHA5124e9e40772bcf2fe6592639993a880012b0e16aeb5d97b0ac1743142e6b6b0234fd1d3a6f1ab8ca369ec366985c91cefb6fc26c5a634b0b035b1d218d7f1e1581
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf