hxxps://www[.]google[.]com/appserve/mkt/p/AD-FnEykFb2imDxLt32VDbOc2msZxjzEb_X6p-Yi8V GaA7FfEH7VCKYFhoLcLXtK465S-Z6nmmlizqXIc1U1kKun7PArD11u_cEQrxQilQ-k6KbrFWvB

General

Target

https://www.google.com/appserve/mkt/p/AD-FnEykFb2imDxLt32VDbOc2msZxjzEb_X6p-Yi8V GaA7FfEH7VCKYFhoLcLXtK465S-Z6nmmlizqXIc1U1kKun7PArD11u_cEQrxQilQ-k6KbrFWvB
Sample

201120-qk258darys

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "327070873"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80c64a1571bfd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30850929"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "337227442"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d000000000200000000001066000000010000200000005dbc01ee6581f34237fc6273f213c5e91f0d90659b226fe3226c2e9bf7e12c19000000000e800000000200002000000042afdcca8422d5df7f8626de327716d547f4929c8cedd66d3293b456f2ba11f72000000089e6e872f9a5f10f3878c45847c14d463150e61b091bdadd500e554be954a9b240000000abde417a909498ed38b4e8df1953c4051c085852e8155e6443e2c79e3b6aba511e8cc26eecbbc344d2b3585bfc9ec1a7a44cf83f6b3d85b8f63c12d51f25fcab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "327070873"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30850929"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30850929"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0df3e1571bfd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3EC5B4B5-2B64-11EB-BEBD-CAD1272A8716} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d0000000002000000000010660000000100002000000045c42f452ab458f390c7484989e6761fdc899771ad4c714dc3b892ead0ac7144000000000e800000000200002000000004716685c247cdacee5fc148c74e49694ff72a4ddf8e2b5c7f3cebf731532eab20000000ff2331da9e4399e430742636e8efda3dea02d2ea685d6196ba43c7d7e2315491400000006deed1a8896c837a8cdf472ab5f9b4055ea2b69e949e33fb081601bdfcc4789a76ce866af97ed266d5c39d1d81cce4c3c7f14267c3ae38df0a4a05ef85d5d983	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312664487"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "312713072"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "312681081"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3968 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3968 iexplore.exe
3968 iexplore.exe
908 IEXPLORE.EXE
908 IEXPLORE.EXE
908 IEXPLORE.EXE
908 IEXPLORE.EXE

pid	process
3968	iexplore.exe

pid	process
3968	iexplore.exe
3968	iexplore.exe
908	IEXPLORE.EXE
908	IEXPLORE.EXE
908	IEXPLORE.EXE
908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3968 wrote to memory of 908	3968	iexplore.exe	IEXPLORE.EXE
PID 3968 wrote to memory of 908	3968	iexplore.exe	IEXPLORE.EXE
PID 3968 wrote to memory of 908	3968	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.google.com/appserve/mkt/p/AD-FnEykFb2imDxLt32VDbOc2msZxjzEb_X6p-Yi8V GaA7FfEH7VCKYFhoLcLXtK465S-Z6nmmlizqXIc1U1kKun7PArD11u_cEQrxQilQ-k6KbrFWvB"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3968 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
MD5
86c870fa0e077109a2b3608a8334a07c

SHA1
607491bce4e1217c4dae1a11175a7dc6ba9e1200

SHA256
d7ae63a43df14462912cd0740c6fcf6601f0c862e77068bdcd8304e1d2c5a0f7

SHA512
f75273ddaa36a941a5a23f92f7d3ac1f3a8282d30a842e1edefbec2b4add27d563a3c9b8bb1be3df52419920478b0f45862dfe50162d1c5f7b7ba5334e574a6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
MD5
b612d90ca9d7bfef6c37e65a7e35cc3b

SHA1
e22fb7bde2b507dd9719c4d435ccfd115d590b11

SHA256
6e734405c6b8e3e5b7998260de57833a7968d2b874d0acba2d7cd834011ffdea

SHA512
e7cb456a62c684e908abe34fbb6be260f87d18f6987fd324d075083aaa4e7cbc64789626a1e4748a86633d23576da07691ffc3678f93bca2d8bb73a8f030cd75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1LN4I9FC.cookie
MD5
3290f3197cb44b9ca9817a2d8d84a060

SHA1
84afd694f2fd739d2ae27207a1bdefb189291e5c

SHA256
3088e69ea4796ce78b69af1f66aedf602f9f5fd0d1c00a029661a7f052a1d2e4

SHA512
a32738d8c85bb1fa7dc11f02d16ffe4ab5d9217af6da9f9c5e63f76454b1834cb696f418604fc6ac3e158f2e6a5c7dc20bad7a5ee6e1f8c5bbed63f00dcebff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ODXTH7CF.cookie
MD5
5700c4b5b1ff7ef34b2348e73d3d9dda

SHA1
8a39c4934903910f1a5ab5261fd7b6060a1e8ac2

SHA256
7bd8d755f9ed4f9bafbda084712a45cb3aa0a78d09cb735232b36452e6fa9fe8

SHA512
6d36a710f22acdde1af85a71d1c3ee41afd8ac3910d1fb628c2f33bc8f4853b5b6d4314fb3dcb24689ea2c576116ad0d01a339df41853150d8ded6a4295d7f3f

Download Submit
memory/908-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing