hxxp://www[.]redcap[.]link/ghma8ndc

General

Target

http://www.redcap.link/ghma8ndc
Sample

210611-g9m62eth5a

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0dfff1f7b5ed701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "330167627"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "506551529"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30891643"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad98e1c4c5c1f64cbad3c833b8884b27000000000200000000001066000000010000200000002f4dcd54998b35e61debc3d6d820fcabcddda6ce3674d678971f37f7bbf5a1bb000000000e80000000020000200000005415d509ae30ee84f0d870ab99b7547198fd3e35c37e914ddbf17ea71c84d56120000000db232a5559299db8cfa17183aa6239d2d318401459422753bc479974a70efe4640000000c745d77361b2009e7f2ec84aa5423d34794dbf3c820d929322adf335ef72eb4514fc7f2999bee2ee604a1cd929e465aeb925cf47048713b749e0f51837ca2f95	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "496239071"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "330151034"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "496393968"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "330199619"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30891643"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30891643"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad98e1c4c5c1f64cbad3c833b8884b270000000002000000000010660000000100002000000052e03cc62e10e270963d91dd91740ebe7c4d6231126a37f433e7abcf1eba16b1000000000e800000000200002000000052a11ecc90a7a56b0c7cf1bf5596e3feed2daa55f6c4b00b4fb1257da801f2fa20000000366739fa32cefce7487a95eb755414bd1dda7f55bdd8fb887c05182684ddbf56400000003d91f2a1f8c482784850c7d96ec1a56599125d8d48a7cd16879dfa24e6bb32028bb81065cdfa4a2a0d0b1ee9d10ded49a89063e509a954fdd520157b87ac8f7c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e406207b5ed701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48F02303-CA6E-11EB-A11C-E62B3DD6123B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3656 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3656 iexplore.exe
3656 iexplore.exe
1256 IEXPLORE.EXE
1256 IEXPLORE.EXE
1256 IEXPLORE.EXE
1256 IEXPLORE.EXE
1256 IEXPLORE.EXE

pid	process
3656	iexplore.exe

pid	process
3656	iexplore.exe
3656	iexplore.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3656 wrote to memory of 1256	3656	iexplore.exe	IEXPLORE.EXE
PID 3656 wrote to memory of 1256	3656	iexplore.exe	IEXPLORE.EXE
PID 3656 wrote to memory of 1256	3656	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.redcap.link/ghma8ndc
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3656

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3656 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
150dda2eb57bd8be69cfa5ce9cd3e441

SHA1
2298d1a63a477f66513803f3f3b07cf4252a4fc3

SHA256
90418cd3025b164625ff7d2ba42fa99cba396642cc600a9c100870d5d0e15749

SHA512
4042809184efa8279aa228f2b3c4e7b16b7f7546962e46852c9f48324e0a8d9e51a6ac9a64edf0367860f0f18d5f7da052455bd49e4a0cab4f0cfee0e3b3286b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6da3f673f86b0160bbc562da296b02e2

SHA1
4b580ddc267f73832140f32c43c645ed04cbb505

SHA256
cea2e743ec6800934ebab7a70c081652434cd3117d2cf0d80c370d224889a889

SHA512
3912f054306ba8d69453431644324c79e8846a3f1bed8d459b895cb9097197848a77b20a894540475157be47e5759097860a6d8fb65cee7ba7e3b8d07e4e7fd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
54922379e617ff0afda858ec1c3c1c83

SHA1
9017f2ad1ac536a8c046db6e5f45762ed4c5c2b9

SHA256
5aa0c11160c2e9ed20bc38fa3738a81b27f277d6af1d617ab32a8a9340874c06

SHA512
0ba336eda38bcb0550ef31e22c262fd03c19b4847ac868951c238b748a7f69343a6820a524cb7650280b409d26c6094ed7b66f7df20947db3b10af5376a45b96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
526ea3d63ede6aafec7b6c11402314a9

SHA1
da701b5531a9e6ccb7745a7ca768330a2a7c5ea0

SHA256
68600290351b2fa7c1f594259d3b66620ec865de9dcd68ce46e8fc287913872e

SHA512
52982b45698639ca8295a4dafc6ca5ef8a55e034ddd49d73b4a458de15116c135b1e908c7e52de2d3902487df7e49e98402bd19c67a2943e75e7496da39c767f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
8d19f698b61560b8b3b5a4ba49ebab60

SHA1
98208da6fc0a49fc20a9463db168c71edda412df

SHA256
a75bf8ae0c346c2d6a42f5ec207b0c4bf9a5fcc982570c5322c006d685239049

SHA512
5e19841ed410432ef1bb0a10dfe7c285c68759cd2fedfa726e79e8aac40fa3678b72bf2dcd3f5331c97632f5575cc9bf6a676a86ebc7034c093c8684f2815bc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
b4794bd8f17fede43e93a2f0f2957f95

SHA1
c6d54583f6676622444351890062aa28664be725

SHA256
977487866593d68bd50020f9be180c953a2c87be762be78a889f5e4038cc5f67

SHA512
67ecf12947df1265c79a0c1c4d861bf83ddc426a02b07fa34e7cc958f9bf65d0a726fc419f2bbd4b2e97acec0ad87ab9aa4a909948bd486a10ba50aa6e2888b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\512FYUC8.cookie
MD5
e774d37733798ad7a1bbbe794741bff6

SHA1
1d95fb751059c818ad3bcfc7c6dcc67dd7117365

SHA256
08cd58549a39e7aea89fc40092ed234485e22151f1b74e659783fd324cda5f0e

SHA512
b5e3d4cfbb87163f9958aafe2852a6964659cead43f22d61da1a25494d691e4c3c33b0a5fcd461743d4dbe3b08a24fbb8a261f93a421d6867726731736f2a2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FEAIKWZ2.cookie
MD5
c6e3ca1765d32a3aa145f260df655bd8

SHA1
68eb9db61fe5b2b1b42bee378c19257f71a85a7f

SHA256
daa5943eb52e9fc1d081eefdebe0709dc290f33ff44ff0483ebccbbc817f7ce4

SHA512
053fa7b8d802ef93e6aff2215835acb669f52dd3857689c2b7866310e7d0b61d3a617c051553fa6028b2cdac88ce8786da6964b696778cf5ddf02747c07133e7

Download Submit
memory/1256-115-0x0000000000000000-mapping.dmp

Download
memory/3656-114-0x00007FF891820000-0x00007FF89188B000-memory.dmp

Filesize
428KB

Download

Resubmissions

Analysis

Sharing