hxxps://www[.]felipebalestrin[.]com[.]br/wp-content/uploads/2021/mrzjjzucaekshyxo75ptcqgeagcnrtvjagdtgftxwkqbr22zo4b/krzqnuwrwmt6dq6utuyv4nhpzmscvcf3xf3wqimpr7myualswp/mtjxyz8sceaskanjcxre6pv37ucnzqgwpyaxgc4ajxfxyxdyzo[.]php?

General

Target

https://www.felipebalestrin.com.br/wp-content/uploads/2021/mrzjjzucaekshyxo75ptcqgeagcnrtvjagdtgftxwkqbr22zo4b/krzqnuwrwmt6dq6utuyv4nhpzmscvcf3xf3wqimpr7myualswp/mtjxyz8sceaskanjcxre6pv37ucnzqgwpyaxgc4ajxfxyxdyzo.php?
Sample

210722-zjrmshvnk2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899942"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30899942"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "333732388"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4138364481"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "333715794"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4138364481"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4172395832"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd3265cc34677649b8937be06035e22f00000000020000000000106600000001000020000000dd6bc7b796500d29a974a2500b9c6e0f345b689104e8549e35d586a44c6822c4000000000e80000000020000200000000a44196890f7a04262762c32dfa44f2c8b8efd2dddc3f4380285cf28194058d120000000c6deef6a858bdb47d4694d1e4b3fefa216e1feb7b173dec6bfe7b76c309e19114000000011122952f16a11ef0ff6c06a78686d3a7807233732dd8b7d769f8771659ee56800bc2b7bf2a4b473de08a1fe0a7d271aeb2cf371c8fe841d515cbe296431ce71	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cd3265cc34677649b8937be06035e22f00000000020000000000106600000001000020000000737677dd5cad2ce053a0eb3dae50a281b8232df60ca4ee114514d86c2300c4d2000000000e8000000002000020000000d07522db155e07ab723d7e0f5460cdf3d3d8563002fe9b8ac7aa6db698ba52cb2000000095b9a877a1e2cc00d67c6fcffce5ee18f1da1f34529f6f39a2ebe8172ae46bb140000000f22d622eeac1a6c2cb6c97778820a1affe35dd205ed0f574cc072b409415009629f2c0dd688a3e5c611c601a695a249e4303a0d2769c7acc353226f9f66c0b4a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0220ffbe67ed701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21BF1DDB-EADA-11EB-B2DB-E6C57AC66A15} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60ccdafae67ed701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30899942"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "333764379"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

664 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

664 iexplore.exe
664 iexplore.exe
3948 IEXPLORE.EXE
3948 IEXPLORE.EXE
3948 IEXPLORE.EXE
3948 IEXPLORE.EXE

pid	process
664	iexplore.exe

pid	process
664	iexplore.exe
664	iexplore.exe
3948	IEXPLORE.EXE
3948	IEXPLORE.EXE
3948	IEXPLORE.EXE
3948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 664 wrote to memory of 3948	664	iexplore.exe	IEXPLORE.EXE
PID 664 wrote to memory of 3948	664	iexplore.exe	IEXPLORE.EXE
PID 664 wrote to memory of 3948	664	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.felipebalestrin.com.br/wp-content/uploads/2021/mrzjjzucaekshyxo75ptcqgeagcnrtvjagdtgftxwkqbr22zo4b/krzqnuwrwmt6dq6utuyv4nhpzmscvcf3xf3wqimpr7myualswp/mtjxyz8sceaskanjcxre6pv37ucnzqgwpyaxgc4ajxfxyxdyzo.php?
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
4e64ee3a1f4c34f528e8de9b728dbca6

SHA1
9b27bb889cc2fe2fbb89c0c7c8aa16a841291499

SHA256
ec75d601fb9309c65a60ad6bd10b10c5927c77648d42de670003dc0b2693105b

SHA512
e23b06910c9009d254dba06b1fe8910d10fd0c11cf0ad22ebf21cf41765da0f51f9179eeb39ca7317cf3ccfcce01622914171ebb9e7c661373dbc92acf9676bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
3a2f67616055a69fffca5de25226973e

SHA1
beb0736c990ecd3d9c82e434bfb6918b07f777a7

SHA256
dde1429b3a0293d176500c92e8fcd75d2032099a28db9d197287131f13b6df4b

SHA512
a053ba7f1d5c18b2ce9d71523c90639cd458ba23492532ca70398f87e6db1d180417535beba3f17d616462f9acf4f8e3dbf4045ed626fac7b274d80ddf01fa8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\C7CUASM3.cookie
MD5
cd3857caaecb4bece2ef4cab572c60e9

SHA1
482729a03c68ced2d8592b581ff596e6df6bf19d

SHA256
213e573ced688498c8318a42d87a646b433604ab5536b4e861d9cfaef73c65b7

SHA512
1c9001720c6ff055b6b1add43f974ecd8b5cc549734a0845f0ea1e19154258852915707acfce171ec9789b63aa5d726031faa0dbd3c78507d869afb8294c3b0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CQ3IFJMD.cookie
MD5
74fe3c9264d99fe62bfde930f6027ad0

SHA1
75c91d2ca993dc33cd10a1bde50447f469f37eb1

SHA256
ae1b63dc1694c9c1670620ec82862f6db7ced2740591bdbc7ea614750e9bc83c

SHA512
401c6c62d5ae1623eece0edb8cf64577a5b891bdef7f11926e35d6783270aa71d6d82bc231c2da4110124b50d0dca40c2c35e9b653bd78f4186e1cdd1eede0c2

Download Submit
memory/664-114-0x00007FFAE0360000-0x00007FFAE03CB000-memory.dmp

Filesize
428KB

Download
memory/3948-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing