hxxp://url9966[.]communitychristian[.]org/ls/click?upn=rJAiD0atp2sVWwUFmf6UUa-2F-2F22YK-2BZJcRzS3Ulg02FTRA8spAQJ74nhYLWXnqJyZHpk0PsnxrRz-2F4OmOIj9WdKpRopHSDJEByVknOFzTLAeURQKq70ylAsM1zFbjzG98HTfF_RRiReq3CU2dpnrz7O9NSgvs38a37iD1mMdgQXyXAOenj-2BBdbuMGYKtbKsIse-2Bs5u3OhrL7fFG8xeBSgCCyjIQ0PQ-2FG2ihVg5Wvzdo0TZoTaaG-2BHcTY7n1FHP-2FQsRcXG6RZ1bCzjO-2FUi0TjpsINXvdqfjYvR-2BamGx4lB-2Fyq-2F7tQWD58SdRDH6U7tvSXOoldlQggVc55Qqw0ueqYJr5nC-2FfY0I2neMm-2F4UZ4UGuZpW5F0-3D

General

Target

http://url9966.communitychristian.org/ls/click?upn=rJAiD0atp2sVWwUFmf6UUa-2F-2F22YK-2BZJcRzS3Ulg02FTRA8spAQJ74nhYLWXnqJyZHpk0PsnxrRz-2F4OmOIj9WdKpRopHSDJEByVknOFzTLAeURQKq70ylAsM1zFbjzG98HTfF_RRiReq3CU2dpnrz7O9NSgvs38a37iD1mMdgQXyXAOenj-2BBdbuMGYKtbKsIse-2Bs5u3OhrL7fFG8xeBSgCCyjIQ0PQ-2FG2ihVg5Wvzdo0TZoTaaG-2BHcTY7n1FHP-2FQsRcXG6RZ1bCzjO-2FUi0TjpsINXvdqfjYvR-2BamGx4lB-2Fyq-2F7tQWD58SdRDH6U7tvSXOoldlQggVc55Qqw0ueqYJr5nC-2FfY0I2neMm-2F4UZ4UGuZpW5F0-3D
Sample

210114-tsnxnhgs86

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3867139885"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30861948"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3901377497"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "317446053"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a0000000002000000000010660000000100002000000040bcca358b7a6f41bbec4146a35aec031ca80fb656c755ec96f9d6af9bade3f2000000000e8000000002000020000000e5a14b72eea2e44542c211f742aab5946e3011ace11b266b6d1aa92f17e47d3120000000db23f38dda8a10d4d9ad9e9ccf73563292ea7f5d098e6ab2989a7049e258ba49400000003c3102d765f43a1998eabec4296ece062213e5cbc5883793c4e6dcaf2274cb8326d1618acd27f4d32ef50bebfedb98b51d6311ec80825efcc4e235ace014a07d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208b3eea7cead601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30861948"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3867295074"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30861948"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70911fea7cead601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11539F72-5670-11EB-B59A-E20E4CDE0AC1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000ec5832feb7e7076d84ebc027ca1b14483018ae969a93b9b0e7615c5bcff6d031000000000e8000000002000020000000d3ee54938439477d4668ea914d9c9a102216232ca0bb3b206ee1ca6ce330e01a2000000006facd8238498f24133c4fdd3b4fe3e6fec2c12e29e4faf24a194c5b6c06a76e400000009936aa6104370864d24ab15f580aaa332b92aecda8a799f574592af42006ffb8bc05f9a110aecc03041803826cbf86cf652a88e9020b1cd60fb44dca57a27274	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "317397467"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "317414061"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

828 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

828 iexplore.exe
828 iexplore.exe
4044 IEXPLORE.EXE
4044 IEXPLORE.EXE
4044 IEXPLORE.EXE
4044 IEXPLORE.EXE

pid	process
828	iexplore.exe

pid	process
828	iexplore.exe
828	iexplore.exe
4044	IEXPLORE.EXE
4044	IEXPLORE.EXE
4044	IEXPLORE.EXE
4044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 828 wrote to memory of 4044	828	iexplore.exe	IEXPLORE.EXE
PID 828 wrote to memory of 4044	828	iexplore.exe	IEXPLORE.EXE
PID 828 wrote to memory of 4044	828	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://url9966.communitychristian.org/ls/click?upn=rJAiD0atp2sVWwUFmf6UUa-2F-2F22YK-2BZJcRzS3Ulg02FTRA8spAQJ74nhYLWXnqJyZHpk0PsnxrRz-2F4OmOIj9WdKpRopHSDJEByVknOFzTLAeURQKq70ylAsM1zFbjzG98HTfF_RRiReq3CU2dpnrz7O9NSgvs38a37iD1mMdgQXyXAOenj-2BBdbuMGYKtbKsIse-2Bs5u3OhrL7fFG8xeBSgCCyjIQ0PQ-2FG2ihVg5Wvzdo0TZoTaaG-2BHcTY7n1FHP-2FQsRcXG6RZ1bCzjO-2FUi0TjpsINXvdqfjYvR-2BamGx4lB-2Fyq-2F7tQWD58SdRDH6U7tvSXOoldlQggVc55Qqw0ueqYJr5nC-2FfY0I2neMm-2F4UZ4UGuZpW5F0-3D
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1c719258028a30f4c5c4b9927bca78b5

SHA1
74876832f8b66db34beda49067d1cdcb54a809f8

SHA256
c6a5befebb221e5937f4985c5aee4897942e9469ab7e93a11b7d05c33cfc57a5

SHA512
0c2059b78f00f5dbac85f91e6661734e9de9726948edbaf1ce1224a3156203072c40f61e00c0c5bbb5cab937e7026e4e90446e941e2d504ebcf9b877ab28e493

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
3d41c8c7faa1716f96c39c85b3617186

SHA1
b253a6cd9e163fe075698b7bfb7d5aaed24b49af

SHA256
c2f910746f3327c34e11b333627d4e7daa4a89de96890bdfca9bd7dda0da5cc2

SHA512
2684bf55ea9c76d111ea8d1297577ee7e9dbd34b33c5ccf4ec8f19c57d743be61fd5e27e85ee4d98ab6d93136fb0abe0d552801caaeb6ab460de3c23bc070e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZRPGKTNT.cookie
MD5
10c037f346cf06c3aa6dc72fb97c0494

SHA1
5ea994707bfba246950bcb579aeb56ea77b8bcd9

SHA256
45081f4a8ad68481b684a8a85d8f189e57339c269998f8be1c318a5a6e0f769e

SHA512
ec1781c29e4c45c30d7b8c6dd20526037c4876b2b05b68654c39a86008dc21aff41390f7c1bf4ea6bf7259a9e02563387c0aca56c0aa34d24e05c129724898b2

Download Submit
memory/4044-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing