be5c9e6777d553873639e727b3b98c629f7d8e3fb86d818d1561e055a1557116

Resubmissions

18/04/2024, 09:57

240418-lzcx9ahg47 7

18/04/2024, 09:53

240418-lwy2baah9w 8

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeepwokenMaster/bin/lua.xml
Size

4KB
MD5

08713090c9ca001ca19735d0d23f93bb
SHA1

1731d4f285aad168fb4a802019634ff9775f28e5
SHA256

c1af5d8d18e066f0c2d535b656174ae8cdbe5f0fffe548e96d3fd2602fe7f9b3
SHA512

e048b451e8d65818331c5a9d0bca7aa90b3a532274138e0ed5a20285ae969490c77f6088f25dd6ef85df19e9cdb257f007dd2c4ac8aa08b1aa7ea092ef282128
SSDEEP

48:dtQxg02ZkNYDNYtJzbxb38J4JiFXiDSCEBZl3S5wk:4gJD+JF8JbXiOC2b3mwk

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e8d47b7691da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A633D441-FD69-11EE-B55D-7659DA376B3D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a529a2e22ae42f4084bf8a2f7b0415b2000000000200000000001066000000010000200000009b5903ee980f536035289c545ddd0123493c9c5be932fda9f8b543cd4fa80b13000000000e8000000002000020000000daf01826b7acc1964947862cecf1fa64342cd3aa14a867d8218a01303357d1a390000000ae57775a0a8673bf77fc50ee9a3af6b8504dfa2ccdd5bfd997ec667f3b93d320da1051b00c246b032e660d95dec1fe44624f9365265303e585a4fd2a294efa7bd34c3c5e814ad9797cf45a27ae88dd4c2f92dcb733012382b148e733db16c34859f24c624cc397685aff3ad7de8846b6be9e60426c01073aa23a2bc2af8db0fc3de9296e32653f3c9dbab462c5bcf3b440000000e5a38da431d59468622e9b76e7caca34273d2d66da566ec55a4e2b9a7231f3c69f8f76676300798cef35294ef762351eabdb3e01dc749364974c736e483c7e20	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a529a2e22ae42f4084bf8a2f7b0415b20000000002000000000010660000000100002000000090d06949f5ba3c348447b3c467f7e80943b5eeafefd20ed0ffe22be21e172f16000000000e80000000020000200000006156bf43d6abb89db91b611da5b5e01d79ab978276155984e20cf33e74f764ef200000009e1a9ff0f8169fcd0445e829099f48f8027b62736b4e263c9d7a22207f211c8740000000c010442853e3bb8f8a32ad9436cce1bc48b8fe6351be10f419432fd720418b47b3b710990a9b338c3de40239cdc4ce3afb319b17ea01bb361e085ed32151bd91	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1996	1932	MSOXMLED.EXE	28
PID 1932 wrote to memory of 1996	1932	MSOXMLED.EXE	28
PID 1932 wrote to memory of 1996	1932	MSOXMLED.EXE	28
PID 1932 wrote to memory of 1996	1932	MSOXMLED.EXE	28
PID 1996 wrote to memory of 2172	1996	iexplore.exe	29
PID 1996 wrote to memory of 2172	1996	iexplore.exe	29
PID 1996 wrote to memory of 2172	1996	iexplore.exe	29
PID 1996 wrote to memory of 2172	1996	iexplore.exe	29
PID 2172 wrote to memory of 2984	2172	IEXPLORE.EXE	30
PID 2172 wrote to memory of 2984	2172	IEXPLORE.EXE	30
PID 2172 wrote to memory of 2984	2172	IEXPLORE.EXE	30
PID 2172 wrote to memory of 2984	2172	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\DeepwokenMaster\bin\lua.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca3108b42a92d662c82cf084885eb160

SHA1
5cd15b7bf2bf60faa2ca8ca21cfb7cdc832955a7

SHA256
aff4f551a7c980972023b53613e0b593131f80b76d0da970b05cbf4214b72bb5

SHA512
584986c65f56766e33f3c81dcaefbff57bae4dd775fd04e5bd1266b7cec44c557fac5c3123c9cbe58824a9317165c70e3a12783c82c9194e9ea59e9bd4216587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9747bc732905f898e2902bbbaa46cc37

SHA1
a46ea62dfe3147464127d026abfa8b5a8a494db4

SHA256
1bd91145893d9bb15332038be9363a9d45529cda3105733e42c168c7fe1f5e16

SHA512
2a28b2948b9f62f5cc4718c5597b4ce042875f348c9f36df30a54de94e183142fada2853d1e7bf0600fd8be3011ced8df57f208be1b09136e9299e07514d5d62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86ebb0a872c008641e4d4c5030ad7622

SHA1
593543f8a4614ebdd4f43d93d7404b3aae822e1b

SHA256
83e806908efab31c607b5e48a1b346f1b94ea50746a660e98f42663aba1c885e

SHA512
7f2de7359a148e51569ef9ff36521a8196b9a4d742056f194494eae67860994b16cad4d7167697ab0ed3b21365566dfba056ee8252ec916cc5e245b3cc021bf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
935620ef6d33ccf62ad6025fac00b08b

SHA1
eb948e8d4c613a2011414af22e55ed0d7d7e2add

SHA256
281593e0afd8b0a9f85bb17038df385ef110fa55a024645c0ad827fd32b3e859

SHA512
665926ab40fd1dd920d693109b0f1b30ada8196b5321f7ac4dd5bae24b8e2ec472eaaf8bf7d7facda4be55f937f9db5b8a276721f599b759b93c46db0581bdd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3cbaa15eed49f7e4a24dc2a36dc2ba90

SHA1
d0d3b284fa02b6aac1f6ef61b6b0c57c6d88d127

SHA256
3ce148aad05b3d2bf36a7830e8b52d5cc83148871123abd1720bb552d94a8d16

SHA512
81a663ab6f440fbce497494c34c9dde92edf1d66214eae09415fa5397aa979ec5c61716a90a556d7b1a0d6d7f6f3dd36fe98e1bf92a52205eabe87786b06f492

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecefc7ff07e3c38efccd4518d7dfb523

SHA1
12ef289b37ab887d40ff40c7d8c8948df1968d5a

SHA256
37c39fd0cd1db3c0b388ac45588e3285345a3eb26e411cfc27d7f77a84664b96

SHA512
12f365730c5a578d87933b3d527fdc1cff80431ac60b08d17bddd79ef1445e4bedf1056bdb76aad79db343994d6df5014ca553a187fdda9eacbebd4b8e6b6dcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
179e3135bf9b250fc1433680aad540e2

SHA1
b4d4d3504ac169a11535abd9431c209cb9b4d031

SHA256
76bff89a1f582c5063ebd6665d3dc6b7ca2fbe7b4771e4b7d8635331c6305156

SHA512
9d8fc261519823dd40c5b13095fd32b3e1a9c02ed285f338144fcab040fe854853f8bb3dc159267273306b201bd868dfb4e7b823df2d5ed501a3d3bdfd81b1f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4c597ed3bfdd0e63cac1d7074117add

SHA1
df7b83ca260739eb14cf0b083f8e52bac8b1e0a2

SHA256
eaea19581a096f5ea67107ade95daa14b2e58635c3264caee7c5d9910d12d136

SHA512
9beb096dd82deda84064663a72e600fdf568f2115139868d6e5c0421093b7b92fb62775148bb8016a9b433f775c32f86696f2808048ee5ab0825d79266cf4e52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94272f1725e9bf228fd0bbba25aa6273

SHA1
6292b581bd0d7dfd78c24d2d9ebd745ee1e3138d

SHA256
358b67385361ac0f1751b58ca542406ae3f3dae2a383d06fe2078e1d75bdc30f

SHA512
c77960b690dd12ede7b3c28af176e4a7d5f50868e546430b31206b3a16600a2fb31c4e4d8eb02046dfa07a5dee2d89956bc41f3ce4c499c2babdb9cf13cb2142

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab760D.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar774C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF3B52EBC6D5F4F3AC.TMP

Filesize
16KB

MD5
c941155ae7e350e22f8ff3cad1b55b86

SHA1
9ad05e6e22c7d80b25ed2ae8ebb66b5526c8e022

SHA256
2ffb74b6164f5157df528121aa86c87f3557183db69d58c088f61a1b3a487e6a

SHA512
940b9337fbda059b9768fc994012661f7909369fc40bc1278c1d1c2a8b28275361f0d9884e846a1127bbd369923ea8d704a60340b7f3cfa1c60a2b2a6c389045

Download Submit