hxxps://secure-web[.]cisco[.]com/12P1Qcuzq1pIKjXJe7oiu03tMS3Z-cSKGyRe_g9v5Jpm5kHCFN9-TOiDjtZmG0VlZG4HYYndh_sv3JmPsftHegYUlG1bDhLUJFBD7N8qzRfBirLnvooC2-SMpa1HbbelWUA6mFCMz2HxDeFB23zhhbL5RVQAHfusgFfDEHQN1Tn1CXv3sjUzMTSi0i9rHM9KSxr-1FBUjFcp3W2JfcTCn-DJT_5dTs_4Jl7s1bvNXOOz1tBU3tmCOucmHnrhF44YNMlJ0WWzeVfcrJe0Q6AQXz8m3RxaMhtQHJ_eE4Ng06snLnFspPPWrZd6tzMWlIjSbsVZ9p98vTVSW04CobpIwCQ/https%3A%2F%2Fwww[.]contactcenterworld[.]com%2Fmessage-center[.]aspx%3Fnm%3D9754380%26tk%3Dh96d18a18

General

Target

https://secure-web.cisco.com/12P1Qcuzq1pIKjXJe7oiu03tMS3Z-cSKGyRe_g9v5Jpm5kHCFN9-TOiDjtZmG0VlZG4HYYndh_sv3JmPsftHegYUlG1bDhLUJFBD7N8qzRfBirLnvooC2-SMpa1HbbelWUA6mFCMz2HxDeFB23zhhbL5RVQAHfusgFfDEHQN1Tn1CXv3sjUzMTSi0i9rHM9KSxr-1FBUjFcp3W2JfcTCn-DJT_5dTs_4Jl7s1bvNXOOz1tBU3tmCOucmHnrhF44YNMlJ0WWzeVfcrJe0Q6AQXz8m3RxaMhtQHJ_eE4Ng06snLnFspPPWrZd6tzMWlIjSbsVZ9p98vTVSW04CobpIwCQ/https%3A%2F%2Fwww.contactcenterworld.com%2Fmessage-center.aspx%3Fnm%3D9754380%26tk%3Dh96d18a18
Sample

201120-74e6rq5e7n

Score

6^/10

Malware Config

Signatures

JavaScript code in executable 1 IoCs

Processes:

yara_rule

js

yara_rule
js

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312669466"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000d29b649cfb537803ef09aca3f026f40387ce2890ab07119a4bb3bf487d673cb7000000000e800000000200002000000019fea8f8ddcaf52233cfcd6038412fdaa418f1db265ab5736fd60b322ab481eb90000000fd94e04a48c7e93567763a9f9f59d13375286bc6a9db69b348763670713f4d0ef20249597ced26724875952f294ea1e213a81e8c8f1ebf3341ddec70ee9f8dbde82aba8c54aee44c01c2d9fa2887be59151f94c5e58420de4fbeb2d78e3c16fd7a788c5cdcb322674d77d731aaecc3d73d84e2a402030993e369538ddfa38b69d89dfeeee226695910c259a98c75bec740000000a1cb06b19bbe1a29134f82ff977f97b39f52b0058205155928d7b990fbab6a7903ab9494a901303f51941da19815c2692299d1565254b6d5fda769107e37b1ce	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "125000"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\contactcenterworld.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.contactcenterworld.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "300000"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000406fdfa5ef7a4c3701323f6386a0997a9da5269d06a1df953bfd6e024afacadc000000000e800000000200002000000025ca669c372667d0b4131a6b5ac184e4cf5db0ba259a73b91a349f1c347564ad2000000012305037a02b5ea32516550f260d1421bcd30f130dc4959c65b755fe9be44fcc400000005d00375ecfbbc3ae0d008af2321e4d7539fd7dcda8ba254f8bbc35a4fe07972af2ce2b3fa16e719508fd4e443ebabbb05c309c1772f5ef65630b8edfba515ccb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "200000"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\contactcenterworld.com\Total = "18"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "150000"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b4cab17cbfd601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "175000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D6BE1FC1-2B6F-11EB-B2E7-DA78EDA9FF87} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.contactcenterworld.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\contactcenterworld.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "275000"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "225000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.contactcenterworld.com\ = "18"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\contactcenterworld.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "250000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

292 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

292 iexplore.exe
292 iexplore.exe
1780 IEXPLORE.EXE
1780 IEXPLORE.EXE
1780 IEXPLORE.EXE
1780 IEXPLORE.EXE

pid	process
292	iexplore.exe

pid	process
292	iexplore.exe
292	iexplore.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 292 wrote to memory of 1780	292	iexplore.exe	IEXPLORE.EXE
PID 292 wrote to memory of 1780	292	iexplore.exe	IEXPLORE.EXE
PID 292 wrote to memory of 1780	292	iexplore.exe	IEXPLORE.EXE
PID 292 wrote to memory of 1780	292	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://secure-web.cisco.com/12P1Qcuzq1pIKjXJe7oiu03tMS3Z-cSKGyRe_g9v5Jpm5kHCFN9-TOiDjtZmG0VlZG4HYYndh_sv3JmPsftHegYUlG1bDhLUJFBD7N8qzRfBirLnvooC2-SMpa1HbbelWUA6mFCMz2HxDeFB23zhhbL5RVQAHfusgFfDEHQN1Tn1CXv3sjUzMTSi0i9rHM9KSxr-1FBUjFcp3W2JfcTCn-DJT_5dTs_4Jl7s1bvNXOOz1tBU3tmCOucmHnrhF44YNMlJ0WWzeVfcrJe0Q6AQXz8m3RxaMhtQHJ_eE4Ng06snLnFspPPWrZd6tzMWlIjSbsVZ9p98vTVSW04CobpIwCQ/https%3A%2F%2Fwww.contactcenterworld.com%2Fmessage-center.aspx%3Fnm%3D9754380%26tk%3Dh96d18a18
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:292 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
bda433eaf3ae4755977c4bcbffa8a2d7

SHA1
2938c392a0e99476108def141898ecdc39dbbd4a

SHA256
9696202287b30e31875a40f51ffe4257b08f52f6abdad71fb1bc39147214a01d

SHA512
3d2333a7b008bebb3ba07c1c07ea2ed60765fea0ccbc85d10f13f3a4b1f44263a56356ee0af3a51638b86d3d975a4be7fd7f8e9389075c23cbb473daf0b5c580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5
d59e820f888eb4c5b867d1bda811076b

SHA1
742417df4bfa9d3a5cfd1220b8a1f6569a700ab0

SHA256
5edfbc02fd7d2a06bc63ca78ce628a1313a000ece396921f0c4a4d8761b65271

SHA512
3bb64c02298b23557fab1fc56d2f207850c5bc27f60ceaba67435e9e94d739c929b94d79fbc0ce647ec7a11eb4b2d427fab2d3cbd33e1ed736b56b9c045a4d0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BMVQ5B7W.txt
MD5
8437ded2adcb79d28df5734c18d0cf1a

SHA1
d9ab35ecafe8e66b92073397fea727a5cbf3a7a4

SHA256
f6b1f41685ccb65fbdf796fb22c896b28db9eadcefc9990dccbc3137e3ad2bd2

SHA512
df6c96c50950957d5b7f5490e8057b15e7329b895298f3ee80628b5d5b84c9ea4c3579915c198c1c249999b78f053a2d955d9cfb0d52c4e873cd533ed022e62f

Download Submit
memory/1164-0-0x000007FEF63E0000-0x000007FEF665A000-memory.dmp

Filesize
2.5MB

Download
memory/1780-1-0x0000000000000000-mapping.dmp

Download
memory/1780-17-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download
memory/1780-26-0x000000007EEF0000-0x000000007EF00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing