hxxps://jzt[.]short[.]gy/6uOJZU?url=aHR0cHM6Ly9maXJlYmFzZXN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vdjAvYi9mZ2h5anVoeWctOGRmZGMuYXBwc3BvdC5jb20vby9jcnNoYW5lbi5odG1sP2FsdD1tZWRpYSZ0b2tlbj0wOWM1MWU0Yi00MDUxLTQwY2MtYmI4Zi1kYzFmMzlkODQ4NjYjYWRtaW5AdHRyYWNjLmNvbQ==

Analysis

max time kernel
131s
max time network
141s
platform
windows10_x64
resource
win10v20210408
submitted
04-05-2021 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://jzt.short.gy/6uOJZU?url=aHR0cHM6Ly9maXJlYmFzZXN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vdjAvYi9mZ2h5anVoeWctOGRmZGMuYXBwc3BvdC5jb20vby9jcnNoYW5lbi5odG1sP2FsdD1tZWRpYSZ0b2tlbj0wOWM1MWU0Yi00MDUxLTQwY2MtYmI4Zi1kYzFmMzlkODQ4NjYjYWRtaW5AdHRyYWNjLmNvbQ==
Sample

210504-rywj53gqc6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884105"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884105"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "293625464"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "326962055"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C6C7CE8-ACFC-11EB-B2DB-D6D45E2F03D1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326913469"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006fea050941d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884105"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "328469396"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "293625464"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c369e1f7dd80e4a838305ff88bb1ffa00000000020000000000106600000001000020000000d516fff57f67aba7c7ea026245d82053cac6b41e41cf54b290f202cc7d69de4c000000000e800000000200002000000005ea2daca55b68a2ad3016313c11427b31613ef20be8483b85fa4458b68844dd20000000dbf7c1944e241be98756fc9d4b39c479fc9b6fdaff0114a960296d5abeb7bb564000000044e4fe92266bdb8a571f52de08776f2b1d138f40fa1027cdc83e50e4832255d3866e3b1f8f7fbca3ac85115c5f9680fcbd6fb29a556668011263c6481d94fb9b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "326930063"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

784 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

784 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

784 iexplore.exe
784 iexplore.exe
2672 IEXPLORE.EXE
2672 IEXPLORE.EXE
2672 IEXPLORE.EXE
2672 IEXPLORE.EXE

pid	process
784	iexplore.exe

pid	process
784	iexplore.exe

pid	process
784	iexplore.exe
784	iexplore.exe
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 784 wrote to memory of 2672	784	iexplore.exe	IEXPLORE.EXE
PID 784 wrote to memory of 2672	784	iexplore.exe	IEXPLORE.EXE
PID 784 wrote to memory of 2672	784	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://jzt.short.gy/6uOJZU?url=aHR0cHM6Ly9maXJlYmFzZXN0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vdjAvYi9mZ2h5anVoeWctOGRmZGMuYXBwc3BvdC5jb20vby9jcnNoYW5lbi5odG1sP2FsdD1tZWRpYSZ0b2tlbj0wOWM1MWU0Yi00MDUxLTQwY2MtYmI4Zi1kYzFmMzlkODQ4NjYjYWRtaW5AdHRyYWNjLmNvbQ==
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:784 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2543B5AF7D46D42E6CEED21F85143F6A_C6DB8A7E34E80B3C8E2750BB535D15BA
MD5
c46e49d5c16736579b77be74a377ced1

SHA1
a825e67535f5cb0cbeef7e681c7b3adb4bb2e358

SHA256
f37f3cd11ac03ea8431f9b31e73ae92ef001d91c469f1ddae06fa3dc2f71bb00

SHA512
0c4323c78e10ce243edb32ba4adc834d0569efd0163ef2270c080df5c8573ede4328b8fe9535a1b4c96f6bfc84ba020e75e98e0ae80837c15abc8c7153baf74c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
MD5
4a94a5fb8dd1f31bd3f466cb792f5430

SHA1
d2de2f1826d8843ead908f70e77c877a307eceea

SHA256
50f9fc87d00027d59b1fa78b4aa8dc0eb70b45ec7eb2d30ffcb6c0f6ae00b771

SHA512
a7a9150abc4da8ce8a056c41491fb32361f9b5818c555e095d60812d3b4502a02082ea67f254b3999a0390a2241776906c6ff691ec3526dacc5ce743ec8d77f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
10987a1d727697d22e9613985bf39eba

SHA1
d92fa559cdea14bdc068eb5388f4a8725d9d290c

SHA256
8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

SHA512
31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_12581005FAAA458AF2B26E11159E6E6C
MD5
179a2794c720c56e12dffeb6f0bc64d0

SHA1
a240b6029d76ad5bd3a01cf919ca7738e9a99c4e

SHA256
cf1d6bd264038f3a5c27cbd36ebcc76b78e36c6e32f3cdeba9533d10ff128b5e

SHA512
8b030bde700bcbf6441595e19d7c770467a6a6a17d7e9eb0a3eee860a46cf0b493590f44eeb92b4d1d81b7a750467c3944a96ec2242f0efcfc7188525d74a1d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
4f914d6a12b48374677859978d3def97

SHA1
d29a1ff9bc1fbf5c4c0cf3210c9aefe33fc8e5a5

SHA256
eb9ac8c88c0857b9588076073491eec79f4725aa32bc7af00c20ef31095d1d68

SHA512
ab9cc44820d05b5207d1210e189041f3df258346619f05ae1b058de8b358438095a09b0fed26fcf09d7d08caae353f680936ebe24fdc94c18411463d5ecfbe61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2543B5AF7D46D42E6CEED21F85143F6A_C6DB8A7E34E80B3C8E2750BB535D15BA
MD5
5d6b3ef7546c4999d45487e2e241280b

SHA1
5efbdc1ca1839e61ae7883c6553476d3b8ad20b5

SHA256
907a461b8c2ecb8c7692284886fce2b07a40546f97515dd59aadc82a6bf2c693

SHA512
b97782689b72aec8efe4db9fbd3ebefe616d49063af7267426f317483dcc7c4cace87c5bf64870646b05d4a93cd446f95661a891375ad0cf25c50c9379cdcf38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
MD5
ea9cb1a4a3a6d26b861fae57488cf448

SHA1
487df532798d227efac7a03fe8321b9a1795b1e5

SHA256
1793e7c49e1b9e78b1acb5ff3877f5ea246905cdf03de468fd94214bc88715c9

SHA512
d2efac7eb0acbe4e6d478f0edb660bf8118c52237044b981cf065d2313ab617f35245dd64182d0b446f91a399563bc51a0eaa172d84bf0d019120611678a6fa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
d5242c4efd264c37ebc1388280134229

SHA1
dba155a779d34556fc730e2c8670b104e7ad75e7

SHA256
487d7efb38b8f5f6a8d07db59b7a3349489fd72d6dfcef11b2620d16964dedfa

SHA512
8817e3dbbe322e938e4ffe980c95155d8f803f56cbae473be171c485e0d2ee27e7cdb1f6364e0b6a168617e4fda750f42cc92e083e0599f4048425dc1dbaab31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_12581005FAAA458AF2B26E11159E6E6C
MD5
c4c971c04d43c7afd4d83944588d7ac5

SHA1
84a2253be874b0cf57a9317891a4994539733434

SHA256
88f922c9c98854ad6dafd6c9a72d79800e01f924a07f7ab4d5ffd2fad121e255

SHA512
3dd49532bab6884045e2da0304ef18c4db3cec7ab59478ea3ff2a866ac28896734b3e5b4d4a4d7e2b3ca187a8fabd18efa70c254a0125dbfaf9e6c4f23b73d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
98e7d1d0cb89ee6126f2ee126ca4a216

SHA1
2d75095d0210463cfd4c7a68668cc4790ed1e63e

SHA256
d997e2f414161b75a750d4e62c94dd7ab32f57361e0e0a4ccfacbf4a28ea5dfa

SHA512
eaea2da7dec67846a53d75cec209a67eb759fb7eea247b539ee99878191fafa4c1cb2a718c9162109323a96ec5f302dad252f9732e77372c1a2d38db87610e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3F07OP7V.cookie
MD5
abf6d45055ef1992066b09f13ab9c1fd

SHA1
24f713059bd2d090b0bfddf5b51cc02d6b8cf2ad

SHA256
dfd6b04d031452b8c1f1917878407b8ab841ac4968f62454f27fb28346b3950b

SHA512
6fc0849e3e0dc771c3420475be19e1fcd72872b67523d8dbe7f06a397c40a19a0e758766f2e62b8c85d39f38696c94f66a4a55736cfd9d0391925fe16780541b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MOVKWZJ0.cookie
MD5
4ad4a10867e09eee30549031ae29c334

SHA1
a2517b437690cdda22fcb9c163480a5e6d2a7b3d

SHA256
af7ea5770845ccb93b3245c60016157cf980c7043f04e513b1edd8d81e5f4c06

SHA512
fdb4e9b621a01340fb8ec0a9155ced5ddac0e289a99e63b285967cdf91efc3f7cc9dceaf9ff00e7e4a68f3ded33773e4262063788a0971955103a59f0c638276

Download Submit
memory/784-114-0x00007FFE0B9F0000-0x00007FFE0BA5B000-memory.dmp

Filesize
428KB

Download
memory/2672-115-0x0000000000000000-mapping.dmp

Download