hxxp://arxiv[.]org/abs/1002[.]2454

Analysis

max time kernel
115s
max time network
144s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://arxiv.org/abs/1002.2454
Sample

210113-6k4zclpavn

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 80 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "70"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3420609476"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30861682"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "265"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "70"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "201"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3429649008"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3420609476"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d0000000002000000000010660000000100002000000065e7432eb4ffd0c0544cd576f2e4b5ca4ec028a70c4fcb6bf0fe1144a08ef292000000000e80000000020000200000008760c7cd5c82a2f2112cb59fc33e9b88cc52c6d798d9a8960c1015adc7dc2c83200000001e0545801d325a1c9014df40b9f7f5492618838aaaa1b56105c939ca7056b9f540000000c17b8d492556e5f00b2e4856c93cb94af273d94c3395cae7b70e7b1cc914b5f9f9be172f23e9e95b5f0684e66f5422299aab4deb9c52878b408818e4d32cdbe1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "317331760"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "175"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F70EB663-5565-11EB-BEBD-CAD1272A8716} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "143"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "265"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30861682"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01aedcd72e9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30861682"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0eee5cd72e9d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "70"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "143"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "265"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "317283174"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "102"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "175"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "201"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "201"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3992 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3992 iexplore.exe
3992 iexplore.exe
748 IEXPLORE.EXE
748 IEXPLORE.EXE
748 IEXPLORE.EXE
748 IEXPLORE.EXE

pid	process
3992	iexplore.exe

pid	process
3992	iexplore.exe
3992	iexplore.exe
748	IEXPLORE.EXE
748	IEXPLORE.EXE
748	IEXPLORE.EXE
748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3992 wrote to memory of 748	3992	iexplore.exe	IEXPLORE.EXE
PID 3992 wrote to memory of 748	3992	iexplore.exe	IEXPLORE.EXE
PID 3992 wrote to memory of 748	3992	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://arxiv.org/abs/1002.2454
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3992 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DFECE1A4D0C745EF29E7B51A2DA008B8

MD5
9b81e0d7b3f90c25b8d547f74009585a

SHA1
01b64da0c697ab200a93f3594d44f264b0019af9

SHA256
f7283b6b932d8e7c78c1317dfd1dc03c7c4893f31e459e43a3c737aeaa7da0ab

SHA512
a69f3b389738aca0b43f9999af664f849185189c9414a085f990120211434a89f6d1bfb939170307de2e33c4c873048ec2b2628ee8435f71f2bb703a6c069c2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
9acb213e3098eea544dbd6f9dbd77033

SHA1
afb03453cace0199d37c64834a0a5c7d2aecd448

SHA256
8b52da8ad7d7e19495bbdbb6930ebfddfcec187113d6d38fc5f32bebf994de6d

SHA512
ad8bb5d6d24df0c628246e5bd82ca9094ea7eddbe1105f0410e90e6f5a4a997dedc3fb2db846f1275b85b28e30e82234f7b97706df0a13a3f2c948ccfba703c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
515c738cdc665a3e21bc5fe4c09d37f5

SHA1
6d48f051ffe67270efda61d3d848a5dedb79646b

SHA256
186b3816e5fdabc00b8d7045acc8f4e233e553b43fa311103ae6cc458a628c4c

SHA512
0ebb98cfda1d58012cc112dd1ce2f11a6b99c2bcc9b4802cf13fa7f8099036f94dafa9a8ac5c35be67f8bc4183fe0120568d55e436d53679d57802d0060f5cee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0DD30266AF9B4A57FF10335BAF014F_9F9B4C41F24FFE47CB703486CB505815

MD5
1abd904eb18b459c0b56d435f5b2651f

SHA1
374bfadb1c16e6cab8deee81fba9a7292251200c

SHA256
d8566b3eb67ef1b5374b2a4b79547db9894ddaee4822394be4e5e6f67264ceae

SHA512
a82c43cbf6b52ffb30b02c0a2530332c9c9497f3542f3a74dae3a1460c4942da9649e255b4770cdabc883cbafa31934e6503da98c0a91597fefa2ea0c0c0a154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DFECE1A4D0C745EF29E7B51A2DA008B8

MD5
59ec5b826507e90ff2095fc18f96202a

SHA1
a0b2df60725c1ef606e32841a88cf5933781fdd2

SHA256
cee69e88a16b2fc990e9457a84dd4a3e34e9995cffc95783a402141aed53403d

SHA512
da71cdf188c87212c5dcc20ae9f149b70264b858e571a9119ea8d52c004e90969c0cd1569daa0994566a4683a3fb486ba702c4a146b92358797e3e979f1d2868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
14386661f8166c3658818ccdf818d157

SHA1
121f1fa66a04cd4dc55c74627a73d45228a11e2c

SHA256
1a9ff19fa6ba15730d81d962f7091c62841c5255756eb27196e8d37e66fd316c

SHA512
92789253f6485b5856090bc71c50c403631ca79c7dd8e63075aad28c353534ad8ce9530d798bd5d0b26db212ad0054eeaad574da3110227af795cbf8625e4f4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
bc525b71b8e230601e2d10d113550276

SHA1
e8ff8cf3fc6174ee0bf28e24c318219e247bebe1

SHA256
90a63c0403b9c75f6686f6e983012471a259c279b1a05572f61b400fa7d7c224

SHA512
8b41aac5858939e72e3c7bc59c9dffe7041b36eaf69ecd408e962b9b7ad11d35cefc5dc23be85fc2f7e3c656b56c7af1380294f52f8433b7bc7fdf2dff93a21d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0DD30266AF9B4A57FF10335BAF014F_9F9B4C41F24FFE47CB703486CB505815

MD5
fa9b03883d08765b9dc4036670d91fc8

SHA1
3a0af9da6a34d6e673c53e233c1961e17d9f525c

SHA256
625b5a982353e3a09b1bdc074f3a8cd55af876c33589314a99b47be0bcad5e0f

SHA512
811248cfafa7ab1a41f70c6dca7a6b5ae6b340cc230346fe53e21b94637012eef40983a79cc33e59dab0f923f6cec0817e4e0711bac6ac6a0617a897aec3cba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\I7WK0M57.cookie

MD5
009333e2cd09c3d8ce9427e55a260197

SHA1
b2313fb34cd4ea8506815b0470053f2e296d0fcb

SHA256
87ea6d0472f9f0331dc0c41dda9ae800c976d701468480b6bdaf917d0595d527

SHA512
11fc57e54be41c5974d6b0a388fd16fa535caadd3c53ce9fed11dbe09279fbf6a8880c09a78719f7dd61dfe8136ce3e0c36d95d1a93105ae62a5090255ad8e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VJQSJAIA.cookie

MD5
772cd819dfa89a91fbcedb22350f5243

SHA1
52c4a84e6594050cc5e6cbf7c1677624c191b398

SHA256
38a741824a28b56c52a6189ffd451c2f7e442229e0520810ec4ad57c0a9fdc74

SHA512
dffe8ff5030e6273f341283f2697802553fb6e90c62434cf702f0c749623bdc92ea123abd71080b7e3fa293f4df6dd4f623741459bc4da4419e1e3078d9c2338

Download Submit
memory/748-2-0x0000000000000000-mapping.dmp

Download