hxxps://mycraftssale[.]com/Docusign/wap[.]php?wap=4UY432

General

Target

https://mycraftssale.com/Docusign/wap.php?wap=4UY432
Sample

210504-ha61mje38x

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884087"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19FEBA7A-ACEB-11EB-A11C-4A85C7F4578F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad98e1c4c5c1f64cbad3c833b8884b2700000000020000000000106600000001000020000000d44e9985816940aca160b200e6d465db1324577b5065139f322965e9769e7a42000000000e8000000002000020000000d2a1133b66b39cfe9b703968ff2c99c21126f094349eaa4aecdd86e69726f365200000009faa0c90e232f35762e5d6b387769a3bbb199947e41ba887cee2e2529d5a98cd40000000a8357340d7ed452f419fceb7825be92afd9ef46c0c0901b32ea6080d7dabe8589f6a3c8ae8b2ae91dc19b74eaec7929ec6481615f7387cc7d0e323e183b73e8c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04669f0f740d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "326922701"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4003282291"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01a62f0f740d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326906107"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4003282291"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884087"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4018438608"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "326954693"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884087"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad98e1c4c5c1f64cbad3c833b8884b2700000000020000000000106600000001000020000000934797c412383fed8f020e53f2381c1b8e800b2ad9722265dfe0d9eff99a485b000000000e8000000002000020000000d1dc95e1a1754b8d3b91ec90f575a73adb68d088c60ec41ea3b4304aba9612182000000025ba3cceef6da09ad11c4e10f92d729fc5bff693f17f4361ac1a43c4c5c38db140000000a4be9daf195e010d12e40777433f2d8c2361dd40457954a4da7b88238e0a9aecb10ea6599bbceeb7b12cec1ba9837a75c84eb091700d043566403f046486973d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1016 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1016 iexplore.exe
1016 iexplore.exe
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE
2920 IEXPLORE.EXE

pid	process
1016	iexplore.exe

pid	process
1016	iexplore.exe
1016	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1016 wrote to memory of 2920	1016	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 2920	1016	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 2920	1016	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mycraftssale.com/Docusign/wap.php?wap=4UY432
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
9b2fe804c2e683924c320febb72f9437

SHA1
4d7fa6ba3c27e782e7afc5056a1842adf51256f6

SHA256
67e1ef7f112049a21cba0ac752147630f96364b575f0e8f9d57fa8ac2851633a

SHA512
66ee825ea8866bcbb2044d93d2d7d1943cb308959b62f454a7f8568bd0c8ea1a10bc822c463a2fec1806474c6ac181853d897f585f943fee008851f273c94543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
10987a1d727697d22e9613985bf39eba

SHA1
d92fa559cdea14bdc068eb5388f4a8725d9d290c

SHA256
8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

SHA512
31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
c80a58be9c7f861bc456c88b061042df

SHA1
4401eb16657f68f905edcb0399f68dfa39327e75

SHA256
dcae4422d64e3f97ba37060fba096d04dd014e5fb9c8918dc0cbef1bc9cf137b

SHA512
d5dada19ca3393f837b6fb3e2bdea5ef3e9fedee7a0c519b54cd3795d7b098ea39a27c53b34b4240617373b712da3f1225287c9a0180520986ca23e41aecf53f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
4c3f24252ac9d33c8f9b712744b28335

SHA1
4ace6ec1476c0d0c2aa45745d0ca457261f39387

SHA256
a83c3a4cd865b7350782779f2fa11f94a551c7e615f68054f78208610b74456f

SHA512
831619c05cbc65955648b4f1e9f66033ffafa5772d538dae8b008c5fb7df07e941b5a1990fdef093fc488ed275d44f63c8280ebd86602a849a533c731a392f34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
d6254f6adc9ea564110ce22e1d788a36

SHA1
86ad386447bfa1874660b953d62c54c10ca29bce

SHA256
e1ecd6d4ea2895462acf1990cfeeb81f7e12e82a4394b110c9600a12a44fb5b8

SHA512
ad37ed714c54992f5773475384f12baddd9beaa5e447f20c0aa9435289a4d9d982463863cf04f4a1ee3479581e9ca338db3022f3945a21d45313bee7e8a5c001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
81753f47af701e06be5dfdd9988c6377

SHA1
bac4c2cff66a87def2e0798b0699fad87045e272

SHA256
a343973b33c14a480040dedeff11165c710c54f9b8a52398af0d8df72dcfc3f6

SHA512
2f2f3e4eb3bcad5e964b245bfe64148f9acad0016c60125068f57603c4fe654190f811de7a1c2e1c208813d11fc9269eca11b907da0e4406c71313fc051e22e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HYETF24B.cookie
MD5
e48c120fbf24331832d0f46f8ee89d22

SHA1
305edf21b30bf8d3519ae413023c620af44c7769

SHA256
a973bded0f22b8e54d3c5940b8112828d11502633d78e08c8ca98b3aeca98370

SHA512
5022853d1184a12c5e7ee7f6559f692eef82d6e84bace67b8b610c6d7cb0a5340c03fbde66a4ec1d74fe6a1a6465280fe94f749d9e8f3ac2f04313dc9a8164a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OLLQGECT.cookie
MD5
6cab1345876d04172e85727f05035c97

SHA1
5f179cc29c18340797455b4c35199c3f7dfb39f6

SHA256
dc9561aa56e1f07c2c4563f37b86d6b9a67680c48c0e8cf1bf01327f3737e0cf

SHA512
349a45eac5f7ac8f4091e3fdfd47cd65d30706229df3bb4b0283e2ca58885ec5ed481c30724db6bcd89ac47abb209153c792665f473ec18fe36e6e69adea8b6e

Download Submit
memory/1016-114-0x00007FFCCA6B0000-0x00007FFCCA71B000-memory.dmp

Filesize
428KB

Download
memory/2920-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing