hxxps://sunriseerectors-my[.]sharepoint[.]com[:]443/[:]b[:]/p/kcummings/EUeNZ5mxjcJElml09XOedNoBfuqJQy2ruQ-BrFVgKkCzMQ?

General

Target

https://sunriseerectors-my.sharepoint.com:443/:b:/p/kcummings/EUeNZ5mxjcJElml09XOedNoBfuqJQy2ruQ-BrFVgKkCzMQ?
Sample

201121-ej5z3ev226

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A51EF561-2B92-11EB-AE0F-E67B5CAEC115} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000060c21fdb0b19975f2b2909fcf40733c98a9d1220d4ea1399a07e716df1c36691000000000e80000000020000200000006dbf7ef8717497a79a0457827dee58d14524d3d5e3d64b55fb27f040122f9c9b900000006ca6bd102f3155c4d988e0308510bb5bc636da130f08db50c0ac7ed3ce56d8156dec33a36bab404da18f42dfe8019219a382c7a9862ba62e4b0f8ccac2b0755c365c3540f4e3b460a6ba28f7b25318442eda9ebd9182c57e1bc603c0c64eaa6c51d388814a63376d01acc0bfc7ebc0938fced3a3857fd2b38ac76cddb78be8312f0cca29eebbd83929fd017ccf347214400000009e3d8e763f79e40536b0f4c52e0cf2dda4b245e186713759839ce18a47d2ad5c93ab68b1754fdacd81895788d958d3e9703c4587ea145cf2a733bb0a127a67a3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312684415"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\sunriseerectors-my.sharepoint.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000cd864100d79e2d36ade705154e017bd2cd1d49abbe0055f1ff1a896da7b63ae4000000000e8000000002000020000000c987b83277f046f9cb23180dd572fa180272b8a691d0de91850a669ea33d354020000000b4f5ff6f2a8624ac190f8690a9f07f0f5aa7f5d155d80cd79f08a25c9b95bf8e400000005f183ca8cb6452318c6f74810c5d3a9f5999279793d307c217d9e4504e80ac01d00fdaa6961416c713f8bb0ce29050b4b5c578b7edb907848a7a12ae34cd5be8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\sunriseerectors-my.sharepoint.com\ = "19"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e74b7d9fbfd601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\sharepoint.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\sunriseerectors-my.sharepoint.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\sharepoint.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\sharepoint.com\Total = "19"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\sharepoint.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "19"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2028 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2028 iexplore.exe
2028 iexplore.exe
1896 IEXPLORE.EXE
1896 IEXPLORE.EXE
1896 IEXPLORE.EXE
1896 IEXPLORE.EXE

pid	process
2028	iexplore.exe

pid	process
2028	iexplore.exe
2028	iexplore.exe
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2028 wrote to memory of 1896	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1896	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1896	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1896	2028	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://sunriseerectors-my.sharepoint.com:443/:b:/p/kcummings/EUeNZ5mxjcJElml09XOedNoBfuqJQy2ruQ-BrFVgKkCzMQ?
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
bc94d23c9480a35facb5e50f2ab187ef

SHA1
7b677b8bc9704f369818ba9aaa86786c3735a602

SHA256
69e4bd5ed06087fbf1faaa02a868325de2da88a33516e285389de9ecfdb2543a

SHA512
40c607b9fbaae5ebf899b7b6bd90db649968526b91353e30ee32d28aa02107bf8b10eb1aa56e8859764c235227b2ded7b8b8f013ad72bcab86b7b52c3769675f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
cce6ac5085b23a575361dc2320ee88b5

SHA1
2446f7db66f2d91ca6ecb7b9ed8b6706a967fd2f

SHA256
497ec2421511188a624eb4493fee5c3d7fc7457d8c0bf53518ec663c9cf0032b

SHA512
767738583be07a38ae7caf5e0b05fddb1ef6bd7804ba924989a1863dab47796ffacb23c649291d98b3cff34909b473905e5575d7ad2d8e730a4d577c258c9329

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2102949873d3bd3768bb1baea3359106

SHA1
28c3746f56e99a4bb19a764b095f07167ae9ea60

SHA256
daf08ee6bee202f2b03e4292211f9d198cc6f1e89f639539c685185a4c7f809f

SHA512
981a701bd46cc69b29111eda863e6cca8edd2ff74b29f842c9fc2b2eadd8ae700cf97c26020f8df1f2f45720573ae6d85f5d0b1482a3212c528f458bbee43180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2c84856c549ff16caaf735c9886858a1

SHA1
8bc37d8adca89a203ad3bb086765520df8f03bf4

SHA256
5840ed450487d0e426ae28e1dcb8be492646d332bf029f103e7f3bf5adae6582

SHA512
f855018edc5c0dbf60a202d08d24acfad14bf2c481117f3aabcb4f90d1f84a3f11476a70c4205ed40c24bffb3427541d558b9221b72e6056ea5412e374a0f6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5
356d0a99a33879f33b4ac3e74d8a0ec0

SHA1
01da2fd29b38f107670277d5d1dbbff96fc9aa85

SHA256
95716baf2413c16c6e576a4a180ad360786fc395ee6a69ee03d3ff2b1d752bca

SHA512
19ae58fd003f167e6a96527c38261f74eb5635bc5dc37ca3c3d9a83fc73ce75c5ef01fd29961d2f1a31b5aa4175f64cc43ee32ebcb4998fb878fb00f90f4bd37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IB6SNYF4.txt
MD5
d9ebb7bb71e304ca9a36c70d1a0c9e8f

SHA1
385dd0c95c577adb45c9b7c5527999e870d90f89

SHA256
0f4cd11203ddf6fa12da77546348216d1b20ca1ace3cd518e77aa7a0c896e890

SHA512
a2cdbf72dd933e5e2e53720345687a48ef963171be23563ff805f714ca61cdc112887bc22bf0fbbbef195fbdefad8c2d59a495e56f056b9aa0134cca15c8fc25

Download Submit
memory/1444-0-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1896-1-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing