Overview
overview
7Static
static
7WB主题,V...��.url
windows7-x64
1WB主题,V...��.url
windows10-2004-x64
1WindowBlin...1.html
windows7-x64
1WindowBlin...1.html
windows10-2004-x64
1WindowBlin...2.html
windows7-x64
1WindowBlin...2.html
windows10-2004-x64
1WindowBlin...IG.exe
windows7-x64
1WindowBlin...IG.exe
windows10-2004-x64
1WindowBlinds/anim.dll
windows7-x64
1WindowBlinds/anim.dll
windows10-2004-x64
1WindowBlin...ck.dll
windows7-x64
1WindowBlin...ck.dll
windows10-2004-x64
1WindowBlinds/core.dll
windows7-x64
1WindowBlinds/core.dll
windows10-2004-x64
1WindowBlin...ch.exe
windows7-x64
7WindowBlin...ch.exe
windows10-2004-x64
7WindowBlin...en.exe
windows7-x64
1WindowBlin...en.exe
windows10-2004-x64
1WindowBlin...rt.dll
windows7-x64
3WindowBlin...rt.dll
windows10-2004-x64
3WindowBlinds/tray.dll
windows7-x64
1WindowBlinds/tray.dll
windows10-2004-x64
1WindowBlin...ll.dll
windows7-x64
1WindowBlin...ll.dll
windows10-2004-x64
1WindowBlin...32.dll
windows7-x64
3WindowBlin...32.dll
windows10-2004-x64
3WindowBlinds/wbdb.dll
windows7-x64
1WindowBlinds/wbdb.dll
windows10-2004-x64
1WindowBlin...lp.dll
windows7-x64
1WindowBlin...lp.dll
windows10-2004-x64
1WindowBlin...32.exe
windows7-x64
1WindowBlin...32.exe
windows10-2004-x64
1Analysis
-
max time kernel
119s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
24-12-2023 20:47
Behavioral task
behavioral1
Sample
WB主题,VS主题,精美壁纸,电脑美化技巧,美化软件,炫目登陆界面尽在稻草人美化.url
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
WB主题,VS主题,精美壁纸,电脑美化技巧,美化软件,炫目登陆界面尽在稻草人美化.url
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
WindowBlinds/Diamond/NS_Shellstyle1.html
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
WindowBlinds/Diamond/NS_Shellstyle1.html
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
WindowBlinds/Diamond/NS_Shellstyle2.html
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
WindowBlinds/Diamond/NS_Shellstyle2.html
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
WindowBlinds/WBCONFIG.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
WindowBlinds/WBCONFIG.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
WindowBlinds/anim.dll
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
WindowBlinds/anim.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
WindowBlinds/clock.dll
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
WindowBlinds/clock.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
WindowBlinds/core.dll
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
WindowBlinds/core.dll
Resource
win10v2004-20231222-en
Behavioral task
behavioral15
Sample
WindowBlinds/patch.exe
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
WindowBlinds/patch.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
WindowBlinds/screen.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
WindowBlinds/screen.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
WindowBlinds/smart.dll
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
WindowBlinds/smart.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
WindowBlinds/tray.dll
Resource
win7-20231129-en
Behavioral task
behavioral22
Sample
WindowBlinds/tray.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
WindowBlinds/txtscroll.dll
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
WindowBlinds/txtscroll.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
WindowBlinds/unzip32.dll
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
WindowBlinds/unzip32.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
WindowBlinds/wbdb.dll
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
WindowBlinds/wbdb.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
WindowBlinds/wbhelp.dll
Resource
win7-20231129-en
Behavioral task
behavioral30
Sample
WindowBlinds/wbhelp.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
WindowBlinds/wbinstall32.exe
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
WindowBlinds/wbinstall32.exe
Resource
win10v2004-20231215-en
General
-
Target
WindowBlinds/Diamond/NS_Shellstyle2.html
-
Size
5KB
-
MD5
094d852d42f1f76504ba2ea156eed7ad
-
SHA1
367c3e1bb3a02c199983163beeb767d405f9fc83
-
SHA256
437bff401f1e7c361b775f155d09f3a68c6cd963cdd7fbd5f86fb5cdd9c4cbe7
-
SHA512
21d76ccf4d2c0e470038fdf22bde84dd5da040204703bdcfd10b353ee3819d95961914d1e5344fe8ea9642cb647d59cde2a397ff536349d5f54d3460f06f6134
-
SSDEEP
96:AxuTg5Bo2CULXpopgH6dLWexLw3M45bFnptnVpeMWSe15lWGCRxQO9SBSM8MdCF5:AxuTqogiuf5bF/WQe1TexQBMRL
Malware Config
Signatures
-
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa00000000020000000000106600000001000020000000e5702488b7be4f90ac6140f0bbe04dfd1aa26cc5b404788e2a989dc504e34c8b000000000e8000000002000020000000f1a3af8f285a416cbcedf2acd0c19dae1434249214284282dd72bf986d16f7a12000000069525ec06140f2abc89ae5d1ab995cee59ada36e33da041cdf300d56725c2c0040000000184f3025763d588cfbe168040d0955c4e4de5e995a67ba3c35a6cede6b79a54e5901bd7784ebcb5d6bb24d56b6da73bc2788e4a670a4285f64b31fb6c6454382 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{266518F1-A346-11EE-B383-EED0D7A1BF98} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa000000000200000000001066000000010000200000000fb114c501a4fa2e5a90db2269b062c331d34b126027d535680e66501a06eda1000000000e800000000200002000000089052990a04153c4a17fa18ca862c8850ac54bbce29c34611d51089c4ef6e19190000000b4e58c44f880ef2f5c7ef4721f13cef41bdcaf8573888c0ea10b62e47c5e73726794ab947389bfed4676257775ee4b752f5d001aed88580c7cdc1009835751e1b251fcccbd1abac489d5ea77eee0eb657159ec1bac14e68547a81b3e5703db03902e6f94d3f1af02434e374828e5bdf679814e44e77b6bbb2065aec3ead396bb57bf3dcc4452b4f6bb05cd7ed20bc47540000000f03871e680ce0ce93ab8072e393b47ffadc56472aede65fd0a2992d37c21931842d93caf3ad50e7cd09cc3a256b641cfe3b79121c1ae042abd9fc174925e5fb8 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003c5cfc5237da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409685092" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2780 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2780 iexplore.exe 2780 iexplore.exe 2812 IEXPLORE.EXE 2812 IEXPLORE.EXE 2812 IEXPLORE.EXE 2812 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2812 2780 iexplore.exe 30 PID 2780 wrote to memory of 2812 2780 iexplore.exe 30 PID 2780 wrote to memory of 2812 2780 iexplore.exe 30 PID 2780 wrote to memory of 2812 2780 iexplore.exe 30
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\WindowBlinds\Diamond\NS_Shellstyle2.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2812
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5264665d1d026e8c9dcb8050dbd262ae7
SHA1baeb564192de50358c60c32bf5c14f5d4c42770c
SHA25646a930b1231eacdd6b028985d7849f5d6f7b9620b646bc32bf04730573074f9e
SHA5125cd193deae4f33fe91e4ae1a44030fdc2317447c93a3b4a0305dc605a989ed2046a6f633f04c191ffddd68685fcc47729eca4b46b23436bafcf8871fc10c1645
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD55985d1f281e18b1369caceb9155b3de2
SHA167c03e1e6251c3e8232779f8cff9a844df922ebb
SHA256c713717623cb83616898e74826e8a19cd9396f530db589174f3c903575a35e63
SHA5126dc70352325c9270bd61125a5ea7147bc404494fe3599e2e04d55ba7a2f24cb5b945abd0bc7a04be701117dc07f2f95f057cd8d4771a9c7b29fcedb700a6a20e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD55fb5d7c637630ee8c34a238cdb6561b9
SHA161a08442e541f20aa97b93ce3ad76cfd61eb2fb7
SHA256eddae9baf0c9ffcbda0615f947c9b003fbd8e16af44e1419b6e4a131594cfb06
SHA5121aacb220e28fbd0618688132e15933e078a77b52e623ee94ea4c1a9786aa9c1575344a933b6af87e5f9bdfcb84074a3ba3520111cd7febb2458401565a87be28
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD527470fc188cf0c309d19ab1f435ded21
SHA1bf0ceb83b2cbd3cdfc798a73b06f4c2068b3d273
SHA25673986de58c6d7bc1e90b44fb433251a0f94d39392ed06e18b2f88e86d425802a
SHA5125ab6c3b225c8b22a6130b0f771c156e68819e57ba52ef5aacd697f2b1507c0611950a4faa93f72601b5f557f12ff0d92fcdf3c8b379fe11b2acfac44da45b243
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50e12102cfa10bcc093212b4a3a6e0f0d
SHA1fd173a2b86012c7ca3bf511770b5f8c717747620
SHA25619465aa1c7e13f1901cfabd30ac4f26959c8b89891abb36e26b0072029888361
SHA512c093725b32921baf2188db7739d03e265e4c319f6c98e821c0a6830a34a50394b70b8ec09e5030d371653b549c6922a1fb2ead2d099772c948bdd60ff096fffe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD58b0f02aedf3d1bc0ae05a61b0e80a19e
SHA15294cef22b0114d42f11734808a7807216610f16
SHA256f0e697acbf704819ada2ac44cf5e9851131c307f4087f0e709846ea93afe71d4
SHA512cb28ecbb38be89a306fb1230df1950f52d7df634047e59d90dd0de4d7c34178277972eeb86724513824b0a9681ee5aa2af1a759ee2e853d8cc5ff75e3baefbca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5f527f2a519d5b8b95e4be4c7b5a9f081
SHA1b7475f5580ab33aafc180d540f0aefc4c1d15148
SHA2567539e7c869697fa2a6e3982d52aeae3ad0cec0dff12dc316e7d6c023e4c76b86
SHA512e321cc300f2e2876882ad641318da03ccd5c8c5b3fbd2d27376329ab0cb4ded13fff1c3cafee8febe76a21f3633e9526de2fa69bcd5c0ba123665b3e0bbcb48f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b49b48360ffcfad5bbadaccecd357ae9
SHA1862f40df835e1b4eae31da0b1dada2b486c4d1f9
SHA2568854c061424eb0d535633e16b0ef74a43cc856f9889169be38c3baaf3ff03166
SHA512bb2f285748f007d2ddf85b5d5dcb95c1a2160d4b277a923a8e4ccb77bd7081178631d98f78209165c1d1380e9fb04e6b593816319b9ec0570fd3c32be0f9b078
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51f5d8488f2889243c67b718b5d1189b5
SHA1b6a8bbe2dde45cc33585e9a7d7e2d9611d72c642
SHA256fc6763bc5c85ad0e0affddf6b7a8aaa26d653449cf9b626ff89b696027ee2491
SHA512d11c03f68ca4cc731c30d26512206c3337cca52a7861b6e583ef8bdde96b818532664c7c23169c91267a7ceff7448274af6c1049a02ba655e9dcb0bc900f1a26
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06