cafbc585e0e6bb529bed5212a3d0a2503f2f1a6e9fce3913d7694c501aeb0ffe

General

Target

Paymentadvice.html
Size

74KB
MD5

a3499a6bc97a24bd03b42849e106343e
SHA1

4c4d9f77cf64aa7d102fd4e749fd01b128c548ea
SHA256

cafbc585e0e6bb529bed5212a3d0a2503f2f1a6e9fce3913d7694c501aeb0ffe
SHA512

66e2bfcc0e23ef530c9231489a36ac8f7d65da08046d02c5d7bc77083bfd6f5f084370a8b8a2c4c6263ff6a8b25a18bc833af1e1fb6adb4b4811b79be74113d9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000c5d43ba18dd2629920f5def2a975a8ed17197221fd3ac828d80d6cd86527cdff000000000e8000000002000020000000e930666326b747b4e5ec77e98984482cbe8025b9a4aac1f69f0d3504de61023f90000000edf4919fcbb15e84068eb7093cdbdc45b50f09af1be443f03debebd23073cd628cc344caa394d7e4b4356fa27bca53bc9827ff1ced1e68a9e07b147d1683f9674f6db38953510efb2b03838cdf50e102cc27c539688c1eb9a98fd04b3f03dcafcf8a7fa350eaeefa1f37a08f3689e8b70ce9e749cb5f4809afa2354632ad241a75b6e3e0a3c0a7957a4feb467df59c7a40000000f869f87d9f117d50f3b2b32d78c8d900577f3ff0e649878fac84781635c7fc834c41fe38473b6849ea3fd6e12e871a3365220d99ef17b641a49f19d4c868e2a3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\132FE0C2CE3AC1E091379FC6544AB0447FFE71ABE5 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000de55445048732e288f841da5bc8e5e85f59ef4fb11aec2d4868a0ead41b1b285000000000e80000000020000200000005448a3125a40d94b07d0c6593b31c81da5d225ad61b534c06d3979104679d01270000000ed275e35465175e6604ae10123efeea8c1d6219023d909a8a4db949a9288d3877e66c36738b3f1b0f707b546014c9581e46f1c8d8a16e82c050c68488a1d99a8cd32acc132c3d90494aff675c280988bde3b11e80d30908ecf542e59ab0a13bfa4599c2aa7785864a1abbb439480073740000000406c07a342758416950e0f22e3c8fd3b089ba512cff1964debb81fc4b40f316960361646c2c083271c8ed25a8e1ee2c31feedf831e957ba287bee97469d81f82	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 905fd6be03ead601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5D32F31-55F6-11EB-A2D5-E67B5CAEC115} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b660000000002000000000010660000000100002000000041f618becd32abc875880cf4f4826a8c80ccc17e0b2b100d744e6e7ff96618ab000000000e800000000200002000000001c6e82366bff6f9506042e500801fd48fede4f741b007e21bc0317b93dc39df200000005259a2244b1118bee6c57ca6272bcb82d45a19d50c6fd38e63e1b9493d6ab8d9400000007c7a6edac8aab664718e64dc80a9c38c8a8df87b8cb6924eac2b656fe5e1b2c57694145a8a8993a5d34e4f62603d6075abda31c3d7a9ce556f6154c78cd11937	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "317345423"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1048 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1048 iexplore.exe
1048 iexplore.exe
1988 IEXPLORE.EXE
1988 IEXPLORE.EXE
1988 IEXPLORE.EXE
1988 IEXPLORE.EXE

pid	process
1048	iexplore.exe

pid	process
1048	iexplore.exe
1048	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1048 wrote to memory of 1988	1048	iexplore.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 1988	1048	iexplore.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 1988	1048	iexplore.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 1988	1048	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Paymentadvice.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1048 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
3286778bb5719872f02def7e37b9d788

SHA1
571115bd18e55ccd05134e200d5039e862df1c91

SHA256
abe27f55878c5fbfc133d1ff64ab8943d295cfc6ead54e031fd9a442e660e068

SHA512
5bbf8fcb26ae3ea8553562ea9bc94c7fd753dad585a810969916d8ecc304d4290e21cf7ab56a987706d686a1e42b9a1215a62af27e5eea710f86038db49a43da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FE9PBLJX.txt
MD5
7c992dae009544cab8a2f7764d0181a3

SHA1
717de7d6026c267c69ef660e79c2ab1175ab73ac

SHA256
fb1b2c2efb19050a87b17fcc93d6e130c8f2b43d07199248212b7d3a07624c9e

SHA512
eed22c45399887ce114553c8742d7603c1c918f5edbd8f9ec5022ab487d9a2f63f08983c3f6eadf0020e3dac12e1a4e774b8c199811bb45e485692138c7be414

Download Submit
memory/1504-2-0x000007FEF71F0000-0x000007FEF746A000-memory.dmp

Filesize
2.5MB

Download
memory/1988-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing