hxxps://cutt[.]ly/6nlgqnc

General

Target

https://cutt.ly/6nlgqnc
Sample

210722-j3e8xxnbja

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "333714799"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042675150cd989a4995b1886557144b7e00000000020000000000106600000001000020000000a1d50d39e0b048c76ca0620aa044c1f253a5823add89d75b311717b41a0243b8000000000e8000000002000020000000308519156c59830f1f11c57b37f58d23578d578ec43f3ef4a3374cb7ec15528e20000000bc5b48f95a1fab52c903dfceec64b09fde2d3727c165562c326ab7284ad4d56c40000000ea8c7f1a43f137e571f664631f91c3b4be97422b43ac00a14b17bf040ad76d7b9355f37cd880f8082f33c585b81ed45ca79995ae33f789991af8c6499753426e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2809868027"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D2DCEAE1-EAD7-11EB-A11C-7EF74584969E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2822056131"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30899940"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2809868027"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d02a9097e47ed701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "333763385"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899940"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899940"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "333731393"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3368 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3368 iexplore.exe
3368 iexplore.exe
1268 IEXPLORE.EXE
1268 IEXPLORE.EXE
1268 IEXPLORE.EXE
1268 IEXPLORE.EXE

pid	process
3368	iexplore.exe

pid	process
3368	iexplore.exe
3368	iexplore.exe
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3368 wrote to memory of 1268	3368	iexplore.exe	IEXPLORE.EXE
PID 3368 wrote to memory of 1268	3368	iexplore.exe	IEXPLORE.EXE
PID 3368 wrote to memory of 1268	3368	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cutt.ly/6nlgqnc
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3368

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3368 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_86C2A03C133240EC4C95180B9FD368BB
MD5
20364f905cce81ab9d8a66566e50766e

SHA1
fda9c1dfcdcbdbf5064b66c00641267c3473f9ff

SHA256
61943311435615dc7151d16620bc8f57267e3fb45235247b45a96423bc839afc

SHA512
f6e31854fb988bd48dfd167d38d30037984f0cd121cca5ab5b593f81b1f922027d7c5c4412c706d146a2e47f1e1b16c29daaaae878b51421ba4535b8a7eaa19a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
4b8ffe79016c051a1fa57e4ab8ee0e0b

SHA1
a06394b4c74aad7d296327a942729db01486ea26

SHA256
75e171759473658cd648f09d099b249f99a7cb139732201576b07c4554a9c4b9

SHA512
6a057cc6cc12715d6324e0cb8c22c3d1ff5a8bd20c5ecd10e64ae155a5a5936a972374fa8005d9cf195fdd44deeb24e54f27d3eba78aa0f3a82e03e272e39091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_86C2A03C133240EC4C95180B9FD368BB
MD5
76a14c6b480a83239c11a51fc51c1c36

SHA1
b6183526353bad24c065bc5a79187a19799129d6

SHA256
6f435ae84f2ab88fc37b50a64293732641ab8f5ecb4997bf219b1c1351749a68

SHA512
ec90c8b883ccb4131799a1c18f4bc3419335ace24db19422de7ff8e045ce9bb4452060bb90881bff9d66d40f1b84c67f94916573e5e46c0f2875fc9906ab1288

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
dacc8c128da1b3e923349b4e66a4df24

SHA1
d8cc1a09a4dadc5f79d3ff8fea5f19f23119ac00

SHA256
8b8b86720f889da3a8cd1f650f19f4125fc0658b3a06fd0c4642fab13d7bc236

SHA512
f1d36642cf67d851c558461282759ce14d0e232c07d416a5fd41c333979bf4fcfd233437179488dc41ee1440182af3e3b472ec24f168ba9861612c4c37a8cabd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5ZARO2W1.cookie
MD5
c6cfa3cc3b8fba28221ed4a96368d5a6

SHA1
1c67f0928a1baac69d2a253ccbc4403867b4705d

SHA256
bd729f82bcd20e5bb4356cc8a02a5707beabc1452402eae4276fe8380febc83a

SHA512
cb22641387d43538377da67f9fffbc3a739cb0811955e5d0acb96ae82738c54c5df0604d4c57e03bb505229a0837e929ff962ae87df17bc43fe296124b0a65f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RWUJZF6F.cookie
MD5
215f10ae6c8c7c092a26239acf56c783

SHA1
5dca644d3cfe69093e203486d0ba89b700965835

SHA256
5f026f7643986d5b580782e01a6e256428c7bf6526f0c24ab972143bfff51e1c

SHA512
df7f973be4e3dda038fbba0394f9d6210d1f40203f1cc4ece80648e09b552be4c3a71f1b903b47da25edb1d32f7460ca70a94e9760beef977a42e5a67af1a3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\UH4A670J.cookie
MD5
1f1f912f7666580dafc6e9245183e968

SHA1
7ca639ccfb709b0baeed8b2e8c303fbe4646c291

SHA256
139e6aa63a3f7fb4afd6cfd5bea686d458cbb7a07135f9fc2ae1076b92c9b9c7

SHA512
3de77f8b6259c338eb0a7f90fdc1cc9304a6093c957a220ff44e90bc43e2b49c61ab4ed33e78e010bd48548cd942b34568ac86dfccdd7cddcb2ae4fe43c27113

Download Submit
memory/1268-115-0x0000000000000000-mapping.dmp

Download
memory/3368-114-0x00007FF980E00000-0x00007FF980E6B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing