hxxp://arxiv[.]org/abs/1001[.]4538

Analysis

max time kernel
71s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://arxiv.org/abs/1001.4538
Sample

210113-hmpe695lx2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 80 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "175"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "201"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "317286316"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "175"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "32"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45E494A6-556D-11EB-B59A-DE6DDC9D1B26} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "143"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30861690"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "450923973"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "450767605"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "143"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "265"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "201"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a0000000002000000000010660000000100002000000031eef67aa8030fc98b1e3f36eebb886837b8ddd040aaf2c88728de3e24fdaad8000000000e8000000002000020000000ba170817514206b8c34aeae23d48413a4e515147fe5cfb9150ec464acd8cd14820000000ff23aef85359e685e5affa45f5170decd9dae8f68684658364c5d32369f98f32400000006a0fb6ceada364717e98f562f26843b7a058c7773e6831ba734388c364c1e8fc36c8547a5c394f5cfc6c3e5de82334f6c8d13cacf8648df4c5a8f37119252a9e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "317334901"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "70"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "317302910"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "201"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30861690"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "175"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30861690"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7081f81f7ae9d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DOMStorage\arxiv.org\Total = "265"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

500 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

500 iexplore.exe
500 iexplore.exe
3252 IEXPLORE.EXE
3252 IEXPLORE.EXE
3252 IEXPLORE.EXE
3252 IEXPLORE.EXE

pid	process
500	iexplore.exe

pid	process
500	iexplore.exe
500	iexplore.exe
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 500 wrote to memory of 3252	500	iexplore.exe	IEXPLORE.EXE
PID 500 wrote to memory of 3252	500	iexplore.exe	IEXPLORE.EXE
PID 500 wrote to memory of 3252	500	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://arxiv.org/abs/1001.4538
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:500 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DFECE1A4D0C745EF29E7B51A2DA008B8

MD5
9b81e0d7b3f90c25b8d547f74009585a

SHA1
01b64da0c697ab200a93f3594d44f264b0019af9

SHA256
f7283b6b932d8e7c78c1317dfd1dc03c7c4893f31e459e43a3c737aeaa7da0ab

SHA512
a69f3b389738aca0b43f9999af664f849185189c9414a085f990120211434a89f6d1bfb939170307de2e33c4c873048ec2b2628ee8435f71f2bb703a6c069c2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
9acb213e3098eea544dbd6f9dbd77033

SHA1
afb03453cace0199d37c64834a0a5c7d2aecd448

SHA256
8b52da8ad7d7e19495bbdbb6930ebfddfcec187113d6d38fc5f32bebf994de6d

SHA512
ad8bb5d6d24df0c628246e5bd82ca9094ea7eddbe1105f0410e90e6f5a4a997dedc3fb2db846f1275b85b28e30e82234f7b97706df0a13a3f2c948ccfba703c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
515c738cdc665a3e21bc5fe4c09d37f5

SHA1
6d48f051ffe67270efda61d3d848a5dedb79646b

SHA256
186b3816e5fdabc00b8d7045acc8f4e233e553b43fa311103ae6cc458a628c4c

SHA512
0ebb98cfda1d58012cc112dd1ce2f11a6b99c2bcc9b4802cf13fa7f8099036f94dafa9a8ac5c35be67f8bc4183fe0120568d55e436d53679d57802d0060f5cee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0DD30266AF9B4A57FF10335BAF014F_9F9B4C41F24FFE47CB703486CB505815

MD5
1abd904eb18b459c0b56d435f5b2651f

SHA1
374bfadb1c16e6cab8deee81fba9a7292251200c

SHA256
d8566b3eb67ef1b5374b2a4b79547db9894ddaee4822394be4e5e6f67264ceae

SHA512
a82c43cbf6b52ffb30b02c0a2530332c9c9497f3542f3a74dae3a1460c4942da9649e255b4770cdabc883cbafa31934e6503da98c0a91597fefa2ea0c0c0a154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DFECE1A4D0C745EF29E7B51A2DA008B8

MD5
d8fc09cde8d580bfcca59ddc7af409d8

SHA1
3fe9c7de2e9f96907860f6b0a1c7639a1c925bf8

SHA256
07c7fff574d4ffe2d859aa43a8089dff104aa4c753b69bf7792386421b408c91

SHA512
0a8546b6c999671a86d84c712a0c45da2444f5532f94e981e7b98ba718d7b1723593e7ad2b8cc452de7f33e212f577020f572dc2853ec0d2a9ca094fe9f2f80f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
531616bee5e7a04d57746aa6be004fca

SHA1
99723567586deb72a60ebbfb427f8216eded512f

SHA256
5cee7bbffbeebd3254616c1570dcc3a4235abbd60964928b05bb35fc1edf81d4

SHA512
a635d16166ba7474208ceaec1a1e4d6201df5ac3f12c33e23bc4ee245fc6bbb875eaf7b0c049ec128ebfbb999ca38586ad60a1a82d3dec1dbb0edf2c179c45f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
fffb8db972995098244795e8f7356a2f

SHA1
4a2be424f32d16f83481c69c44689651a1ba4a29

SHA256
f9d17271ba64350e4950de0185bf9b9c408c8ab217f01412efcbe3f42a7495ea

SHA512
eaa885bcda9297888422020efe7b75cdefc7d1cef5d6841e7ebf85aefbd604ba696c65b7e5df8df7a2dd198df955cd4139af1e5d95a7ffca78113f1030fa8316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0DD30266AF9B4A57FF10335BAF014F_9F9B4C41F24FFE47CB703486CB505815

MD5
a10f62042d2c2c7ec916c8a47c0927ba

SHA1
3a2ebc980fbe084172770f36e03b34b82715720c

SHA256
78cfb2b95d0b1451b0b01db91a188c086bfc3a2ec28bafce15133af5abfebab5

SHA512
27ab019a14379522ba2dfc8308e315cceb119912082682894ff323958e9bd7a57f088c95f3c30ccd6432359f9ed876791b422b0c8c9601f9e539407b7818913b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HULCELDX.cookie

MD5
6f1786d28738ba9c8c1ed07b7b9bb16b

SHA1
4b492162fc4fe97d48ac640470601d3c8bc666cd

SHA256
8612fb330c8d5f039524467823252e565b796da51412db9c3ae1d87fa58b5872

SHA512
12ba12f2a4df69d317524fe299fb5efbc626bb432c2f26460905424ee872fee73a37faf555cb949222ad410d8927834a75f3664825a98c1e84af885cf844b56f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QAIHA118.cookie

MD5
6abe1cd481cc80d6b442af4c847fd06e

SHA1
1d4df20018175b7db8f017ea5db71f3d04acee65

SHA256
c858c256baaf040cd4e0719701cfe99d55b7897d0ebc4ec14e52acb4b933aeba

SHA512
1641f27d33f388815c5337c87037031d0ef8dda680ea959108eabfd6588c6c97404656f21576fa27d3e6581ab8a20cd3dfdb7e59259ef8e1bcebfcf7b50fa4c4

Download Submit
memory/3252-2-0x0000000000000000-mapping.dmp

Download