Overview
overview
3Static
static
1AJAXinfoPost.asp
windows7-x64
3AJAXinfoPost.asp
windows10-2004-x64
3AJAXuserReg.asp
windows7-x64
3AJAXuserReg.asp
windows10-2004-x64
3admin/FCKe...mon.js
windows7-x64
1admin/FCKe...mon.js
windows10-2004-x64
1admin/FCKe...eld.js
windows7-x64
1admin/FCKe...eld.js
windows10-2004-x64
1admin/FCKe...t.html
windows7-x64
1admin/FCKe...t.html
windows10-2004-x64
1admin/FCKe...l.html
windows7-x64
1admin/FCKe...l.html
windows10-2004-x64
1admin/FCKe...r.html
windows7-x64
1admin/FCKe...r.html
windows10-2004-x64
1admin/FCKe...n.html
windows7-x64
1admin/FCKe...n.html
windows10-2004-x64
1admin/FCKe...x.html
windows7-x64
1admin/FCKe...x.html
windows10-2004-x64
admin/FCKe...r.html
windows7-x64
1admin/FCKe...r.html
windows10-2004-x64
1admin/FCKe...s.html
windows7-x64
1admin/FCKe...s.html
windows10-2004-x64
1admin/FCKe...w.html
windows7-x64
1admin/FCKe...w.html
windows10-2004-x64
1admin/FCKe...d.html
windows7-x64
1admin/FCKe...d.html
windows10-2004-x64
1admin/FCKe...h.html
windows7-x64
1admin/FCKe...h.html
windows10-2004-x64
1admin/FCKe...ash.js
windows7-x64
1admin/FCKe...ash.js
windows10-2004-x64
1admin/FCKe...w.html
windows7-x64
1admin/FCKe...w.html
windows10-2004-x64
1Analysis
-
max time kernel
119s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
21-04-2024 15:18
Static task
static1
Behavioral task
behavioral1
Sample
AJAXinfoPost.asp
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
AJAXinfoPost.asp
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
AJAXuserReg.asp
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
AJAXuserReg.asp
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
admin/FCKeditor/editor/dialog/common/fck_dialog_common.js
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
admin/FCKeditor/editor/dialog/common/fck_dialog_common.js
Resource
win10v2004-20240412-en
Behavioral task
behavioral7
Sample
admin/FCKeditor/editor/dialog/common/fcknumericfield.js
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
admin/FCKeditor/editor/dialog/common/fcknumericfield.js
Resource
win10v2004-20240412-en
Behavioral task
behavioral9
Sample
admin/FCKeditor/editor/dialog/fck_about.html
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
admin/FCKeditor/editor/dialog/fck_about.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral11
Sample
admin/FCKeditor/editor/dialog/fck_about/lgpl.html
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
admin/FCKeditor/editor/dialog/fck_about/lgpl.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral13
Sample
admin/FCKeditor/editor/dialog/fck_anchor.html
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
admin/FCKeditor/editor/dialog/fck_anchor.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral15
Sample
admin/FCKeditor/editor/dialog/fck_button.html
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
admin/FCKeditor/editor/dialog/fck_button.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral17
Sample
admin/FCKeditor/editor/dialog/fck_checkbox.html
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
admin/FCKeditor/editor/dialog/fck_checkbox.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral19
Sample
admin/FCKeditor/editor/dialog/fck_colorselector.html
Resource
win7-20231129-en
Behavioral task
behavioral20
Sample
admin/FCKeditor/editor/dialog/fck_colorselector.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral21
Sample
admin/FCKeditor/editor/dialog/fck_docprops.html
Resource
win7-20240215-en
Behavioral task
behavioral22
Sample
admin/FCKeditor/editor/dialog/fck_docprops.html
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
admin/FCKeditor/editor/dialog/fck_docprops/fck_document_preview.html
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
admin/FCKeditor/editor/dialog/fck_docprops/fck_document_preview.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral25
Sample
admin/FCKeditor/editor/dialog/fck_find.html
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
admin/FCKeditor/editor/dialog/fck_find.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral27
Sample
admin/FCKeditor/editor/dialog/fck_flash.html
Resource
win7-20240220-en
Behavioral task
behavioral28
Sample
admin/FCKeditor/editor/dialog/fck_flash.html
Resource
win10v2004-20240412-en
Behavioral task
behavioral29
Sample
admin/FCKeditor/editor/dialog/fck_flash/fck_flash.js
Resource
win7-20240215-en
Behavioral task
behavioral30
Sample
admin/FCKeditor/editor/dialog/fck_flash/fck_flash.js
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
admin/FCKeditor/editor/dialog/fck_flash/fck_flash_preview.html
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
admin/FCKeditor/editor/dialog/fck_flash/fck_flash_preview.html
Resource
win10v2004-20240412-en
General
-
Target
admin/FCKeditor/editor/dialog/fck_docprops.html
-
Size
21KB
-
MD5
ddc125e1b2c3ec3810c6b19b8044b337
-
SHA1
ab3d808039edde18dcfa23aaf785d5909732651b
-
SHA256
9126f02f587017c59a3c9e852f3f298308e52d06d3ae056c8941fe343ecc4758
-
SHA512
01d08d6dd69139e8608f96f164e797664dd7f0761cb748630fa529d46a5ea859033d557254c958be1ef560e399877aa7a0f9f1feb3c4c177207092bde3be660c
-
SSDEEP
384:r7pRsezriDSOrg6DD96BDmkHz1WwuYL2etejS8iPqLy+ExV/iw12tayWJAUU/tvd:r7pRsez30cWw/2etejS8iPqLyBV/iw1m
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419874580" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000dd7fcea590b56868142ed26f527740afad8f986a977f1b2c9c2b3c02209a3eef000000000e8000000002000020000000b5253298f29f2929875f0b4d218c6c45019ec31df6420aa30316f4e6df6e1e11200000004b431a8f33ac133960bc4f2fcf8c472ee884dde002578d8144af893e5516cea4400000001dcbfe88ca5225e3704b7269c54e2a36407c029dd4f45fa993ed91e4e625af1a247cc9e41c0e18a1bd4529bf054fdb67e93afa0f581c30a62677b767d24c4154 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{648FDB71-FFF2-11EE-ADBF-FA30248A334C} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b21939ff93da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000385480df1ed1649ff7e93feeea8b3f9b839e6a3776c8489ff0f360e0fa12cc2f000000000e80000000020000200000003b44e03132eeba9d5849c90cc80f3ba70c6dedd4d3cc28b71e9b34dbb382bc8490000000c2edc42c573e87171659ed5048fcd26f854a94ebc8f061fa24d163b12b7acbcfa56d6a104c0cf23c420ead07b19447beba55e843a8c8dec011d85c809648dbd1015f5f4ab7d54a4ff4178c7f51c4f2f369cd39f3dd40df9d05448dde3e1c25734d610d14a905ad150fd8cff5942b8e22e2a0f791878990c65cbc4b148283a80f40f1a79b4905a3056662303044df6cea40000000408ad3e7ac0b038a5e8f084bc70595b4abbc405b6ffe91d61d682b2750cb033f62321da7701e68bca60246b6a81e1a11ec095f95776ade1c34fe95d1e0074a98 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2384 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2384 iexplore.exe 2384 iexplore.exe 2752 IEXPLORE.EXE 2752 IEXPLORE.EXE 2752 IEXPLORE.EXE 2752 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2752 2384 iexplore.exe 28 PID 2384 wrote to memory of 2752 2384 iexplore.exe 28 PID 2384 wrote to memory of 2752 2384 iexplore.exe 28 PID 2384 wrote to memory of 2752 2384 iexplore.exe 28
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\admin\FCKeditor\editor\dialog\fck_docprops.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2752
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD598c96318e4361b8dfc3670bc4b5031b0
SHA1ccf7041b5c7b91080b95df808d77e46833e9aef1
SHA2566bced29633265ab3aa066d8f7d92e657dcc6a5039ba04dff640e3c42b26607af
SHA512c40f224cd483e6260a935d7ff977fd2ed3586ef1b5f1c203bd3f96eb0368aa5602405ce2a4e408b345a026d5bc78d8933ad126fa483bddc32484f022ac5b98eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54928b0e62575138b2ffd21734151314e
SHA161a2dd73e5220885257749e0175e5bd99db7cf29
SHA2561679e131228b7e73f1f2496e0e3a385baffd84cea1085b9cd6a2a92b9e6c516c
SHA512b2bd9b589d05e24cdb365b5415870b6751a87292c7e8975b904fb89f9c23910271cf98cf4b7f4817b42a9c7791abf7d08b744be5444b10c9b465afa2857a8d9d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5f4cc9d102af3cddb81ae4292f7700a46
SHA10455ca56d6ec01a2e960b56cad77cfba7fcf99c0
SHA2562f8ed2e4e85e70242998adf47ddaa5e59007816c2a4e08a09ff60bd765183dc0
SHA512666c44379759bf1423862896d63e0c1c03c84c3e57c5436047b693f6abd606a44e01ac9a59ec91deec78a144b190467ddb376ae478382a037b9cf1057d0f9257
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD544a4c7e1034e00311770f09c0b4d9193
SHA1b18732c2f5407e4b3c537accbb091ff85191f6fd
SHA25660615dc6bff0d26d2df4c2e0350fc68ce266dee581ca4fe83f2f82b27948633e
SHA51289f903d3aeba16763b9285f95d510a252dabcd1baea4ffe673a310cb6a7fcab98bfd580c2d7890f7f4e122169af1212bbcbd97b64841770df97535804cf71a10
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c3cd5a327077af8e3ddc606ee8658fe8
SHA108fbca807756c38f0c3df566f3c8e23845a863fb
SHA2561d9fe51fef6acfeaeeeb80ca6bec85bc5a5614e0a9b21e4d23520d47de673f54
SHA512373ced1c824c2205c626a08f5828052910665138830ba4f483020a6fa57283b4a42d17bd1e81761e0b8615df27ef7f5d0afdf3da9017dc06a8afa782987ec49d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57de592593f753ca116f093c6f7138dcb
SHA16eb520b12c9ba4efbe4b0715e188d2d6ed8b9e93
SHA256c6f21a9bd8636278355a01d7fe3c77f87d46801a5fd2d921b03c6662216a59e9
SHA512c6c916a0530c4b61ec07bf99d7af70d30f1dde2792ddcd8f35514dee6cdde981e0e0053b629ec8ca8e22ec3b9e62af8af2380414f79b58bb5e0fe23dcea28648
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD588fb6f01481c3d68bfdd2fda37ae848d
SHA1687672a3d441427072bb7a83e0d8d647707503c0
SHA25663a7b79c05619880bdf8f8571448ef0c669f3e370520db029b70dcf524e80798
SHA51265001aaae5f14a2400d6aeb02251ea6f5e33a2b0127c7015dd53b4f85fb99bbcdaa12ef7c146f9e3fee466dcad9802cc7a9b7ddeaa57b3e6bf5d1c604bd7e752
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a