e1da5cd02d74bb5ba944e3ce44037860ac9f42392eec6c99b9543910e1a3a5fe

General

Target

notification.do.gif
Size

43B
MD5

ebd4c7248ac9be0c41d02060e3430a5d
SHA1

eabc59bee6a7ff007a1dfc3da3b5493143c0d087
SHA256

e1da5cd02d74bb5ba944e3ce44037860ac9f42392eec6c99b9543910e1a3a5fe
SHA512

0f3b6529892aff05bbddc7614faca83f3651f4b14c107853d2cd502391c35f5e26a41af31b5503d68c77264cda24f616aa9f9655fe8a79e975090365ac38ea71

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4007169ab50bd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2540760704"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30870453"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30870453"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C05DC4B5-77A8-11EB-B59A-DE952F11802A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "321098787"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000667a6c1b412f664ea3b91227518f04a000000000020000000000106600000001000020000000b8cfffa0bd5c845639b96d148a6fe7a416552f1b3b21ce6876aa0631235ea7ba000000000e800000000200002000000020ffdc035a5e33d395b870d467a8a02b7c4cff86b302c4b823cdbe56c0a377092000000088d3957c9ab045705a9552cf9b2a0815af800eb1283c4874de9b4d37f22af3594000000044b1c94072a56292c2cb4ef5ce877b764ce98ef7527b99870c2b1611b3482cc79ed23c74d40eba5f144918d773a791620cc5327665963e543844d38aea238c2b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f005cc99b50bd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "321066795"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000667a6c1b412f664ea3b91227518f04a000000000020000000000106600000001000020000000606da94d07727c6b7ecb6390bd21a0af8ad360283857c90e25854a639c8787ad000000000e80000000020000200000004a27a763afcc39211f0c89abdd5b17c33f11b9ecaf4ef995e0f39f3b0ab93d4620000000879d0690567de3ad2f974f80a37d9e812930d5dfa3a6e7fa9d38edd4b5a7ffd4400000003e8eb878a877ea0f35617225c229e8c1d8158d5486cadd86f4ad6e9ce6643df41c94c9e2f9b1970b745b11cc46f85bd34352c08858da478106951ebb7df5960a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "321050201"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2505760547"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2505760547"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30870453"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

700 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

700 iexplore.exe
700 iexplore.exe
1668 IEXPLORE.EXE
1668 IEXPLORE.EXE
1668 IEXPLORE.EXE
1668 IEXPLORE.EXE

pid	process
700	iexplore.exe

pid	process
700	iexplore.exe
700	iexplore.exe
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 700 wrote to memory of 1668	700	iexplore.exe	IEXPLORE.EXE
PID 700 wrote to memory of 1668	700	iexplore.exe	IEXPLORE.EXE
PID 700 wrote to memory of 1668	700	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\notification.do.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:700
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:700 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
67bd06861f9ec8e7155847556bd73f74

SHA1
f216e7c22d2a2ba92cd7c4b7d0c9a1f96ef84de6

SHA256
65b53e1100862577c9d25d06eb8f49f6d3b9621678d83d1d46dab0a29a7b4bf2

SHA512
111c807cb2588ff386053ffc4356855aa8f8f9c08f88c2367332544b713a31e65a7cf048acde23316302d2550223f0389fa943fbcb757e77c8bdc7b4b83f3e41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CCFEED7EF3CD3BBD21329435542A98D2_4ED054BE4DAD0A46374C8C12BCC87DCF

MD5
be99fff98039b8ef7889a1a87f15b4c7

SHA1
16945fd1faa3be6164d09b6e12bb7cad6c6f5138

SHA256
684f1da8ebe519da5c4ee54e06b3e8b1b769d61ed12df66b1beb6ed8c3afdd33

SHA512
f29c3e3d5a4099ce404d16264e26880c6bd9b39d09b21cf5236b00c276f447275c2cdcc6b01203262e0b79d0d651ec89e2651385447c192dc3e64ec4b2b33bac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
8ae33d7c28febdef62ba7bc85c39b1af

SHA1
05b409581cf3ea56cdd697824524f5da82b27755

SHA256
d2f968159f17693afd6cf3e7d57d9075869047afecf6e3f81b51b3a4d272514b

SHA512
982bd14744d27e8e57ab6ec9db40f8e8bd60bea7cd9282c56e32e21d838260bbe73f301454a7cacba8912c981b990ecf7947a5a42f413337e171f628ee09fde1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CCFEED7EF3CD3BBD21329435542A98D2_4ED054BE4DAD0A46374C8C12BCC87DCF

MD5
53e595dfe9684b234d99cec8750163fe

SHA1
ce1566f4ce9916e59c2a059553ff966d8050b4b8

SHA256
8d6ea4580afd7077eec1d2435cf38f9a7ddbce6c0950a43464f9cae3bcffcfd4

SHA512
f1dd3a2310d7b33ce92b761df33fff64c4e84f528807ded55ad28536dba1d6be4ae75a060cae885f49530200ad36d06d6280d16996ad404668292c1482c1ae44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QED8ZO2B.cookie

MD5
8e34e71e0fe2184e6fe77a9068172829

SHA1
864e53b22ff48c72847838351d2625542c913298

SHA256
9e2900b8f0a21059c0777a1403d84984d6ac1c30ef4d9316604f8cf11f9a5f0b

SHA512
38da0e529569c5088ff8b96896b97436c75ed7d7b4d4b9895dcc7f2cb67829bec4665f6c654fa7b3236955b3af6c08c80e1cca4e5d093f535355700ec8dfe63b

Download Submit
memory/1668-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing