hxxps://serviziamministrativi-infocert[.]enel[.]com/terms/9a43fc658f29e20331c80f9796fbff52bc39ea71beb6023c9371f1d065cd0efc

General

Target

https://serviziamministrativi-infocert.enel.com/terms/9a43fc658f29e20331c80f9796fbff52bc39ea71beb6023c9371f1d065cd0efc
Sample

210113-pct83wp81s

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7F8C3F1-5576-11EB-BFDD-F65A7312C48E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90bb57b283e9d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000f04532f9ff75e1e4350334315e0d4a4af50cab060706c797cda37c4a230f5cb8000000000e80000000020000200000001469ee318d548e2611ed6ffae51c7cfd6fdd4f226fd6b44d9670eeb6906b65ee900000009e99bcffe3c01695a876ad456dc63f17542eda747f4af7a0bf6d5c5f8121cb464c7d53da9bdcaad69a8007c2af413a158291784b12675d00e5d5f5607c82cc72f1c94fdaf36b355f8be7563f7b13717fed9c9ca2035a240d2e2385e9f185003536f22ae4b29457737d48e8b7cb24c43447414e12deb682b1bef251bd7203e4968f04b41598585c801b28a506a4912e9a400000000ef70c36a822932b3cbcc33354c846e7ac8b09316ea2e372190aa6b50c1d256306877d5d7b238803997d6399801dd7772f9a6b947854b0131d3c91406adf3e9f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "317290424"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000a25976872e209e6bbd148f45f1df4cbce3cc83d5452231cf6959aa440507f2b9000000000e80000000020000200000006a8d23a4f0921f5fcab53bbe5e3c2fc0f97f09d6fabbe1b6bd55f93b728ff9e620000000b95f19126a34a3cff301086e1541067b58e9c2593ba6faaaa125a99012827e8c40000000192d72ad503f9165ee2bbc8bc93841f7501475b8c78073882eec6257d9aa0c4596fc158a43a1a002da326ef980a5a17cf9a3f6f73c08b8012d3de595d60efaa1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1656 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1656 iexplore.exe
1656 iexplore.exe
1944 IEXPLORE.EXE
1944 IEXPLORE.EXE
1944 IEXPLORE.EXE
1944 IEXPLORE.EXE

pid	process
1656	iexplore.exe

pid	process
1656	iexplore.exe
1656	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1656 wrote to memory of 1944	1656	iexplore.exe	IEXPLORE.EXE
PID 1656 wrote to memory of 1944	1656	iexplore.exe	IEXPLORE.EXE
PID 1656 wrote to memory of 1944	1656	iexplore.exe	IEXPLORE.EXE
PID 1656 wrote to memory of 1944	1656	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://serviziamministrativi-infocert.enel.com/terms/9a43fc658f29e20331c80f9796fbff52bc39ea71beb6023c9371f1d065cd0efc
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
bd01d3791d9c9ed4d27f448cc5e6e556

SHA1
3648c640f42267b6379cb23a5c03c986225d6105

SHA256
ff79adc68ffa195f1e46bea7a57037f21db3330feed65ef8670cb08de8c782cd

SHA512
a4903eefaaf93e559635126904510839f2f8bfc8a5bae467387335b9f31432004801f9ea2446bea07ec9c7f8e019262f16d4fe32b2c532d291bd7c68446ea354

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7HIG5DFL.txt

MD5
1ab3879956e8de5b3374e13a97ab5e14

SHA1
75133cf0503082e06b4dcf761d1709b26d1fdf84

SHA256
c18d1a059fa923c5a3e0a895e474f78e409f49424b96d4ea2c268c5b61b325a7

SHA512
4622c69c2b9c06e4a96aaab6673e0afec18e248a543053ee997f5190dcb534cf25cdffc2d410d82df5477312532eb41c2f1674f4006109c684e82fec4b21709a

Download Submit
memory/1236-2-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp

Filesize
2.5MB

Download
memory/1944-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing