64591f750303fe4aba5c2f787597cd5cd56dc9f87a829cde27b3239cf7628957

Analysis

max time kernel
82s
max time network
155s
platform
windows7_x64
resource
win7v20210408
submitted
30-08-2021 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

irs/test.html
Size

23KB
MD5

f8968b5cec271891dfec168f814a0ed7
SHA1

b31cd27358e4fe531ee61836b41a943e9c9e2ccf
SHA256

2833d9fb8fa07e55dd18b5b22af852f793dcfafc9c645d40b0ca0f42cef5f556
SHA512

52e72de8202587fea152098d68cbbb10faeefc05bbd943ab898d5dac361d6560e0f95642af19a024e6e589a7c77f2e3cf594b9e37a2c4148ada62b90e583202f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005373483530261b4eb5cb286380ff9bf3000000000200000000001066000000010000200000007a3422a25b0575f3c4a3c7d9890b8f7f1bba72ccc2f2ba03b8a601bfe7e6abd8000000000e80000000020000200000004c3dc1044e5ce69eb09a56811f47b0d6c80c537d977ce5b4b9c0caff89ce0437200000000bda004e2ef895f5e4e1b5eeb704b9d76970067c0e87820d91549e902175686740000000c6ddf08f7505cf630f60254477ba1c6949c7bb1820ea45a839c60758f42cfe997bea11e27e1f76f2f7a226e5ea65cda496aa630fda350db60541123ba4975dd5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "337105971"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b30960bc9dd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F86D881-09AF-11EC-9C72-EA91F6580701} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005373483530261b4eb5cb286380ff9bf3000000000200000000001066000000010000200000003ccf7d0bd8be26788581a2425037514978bc7e55159f1c9043896c8e321f3bae000000000e8000000002000020000000df793308381dc1e727a497a3305964e0f7ee6a6f3e5dc35e9be8908bcd92d068900000005f29bd27c67fc634489b3c0e79387e1eba178665718d38839e25f4eb130a4ef7c45ed55170fb1f8abb055174a194b013fc136a1d967ba5606877823f6b01bde69c52c1857295ce211acc4788884d9645ca412d3bb025c476ed579d90a152faba1dfa553ede235a2c8b86d37ca8208ab6a7f6cef39e7737c5d41485415e095ede8c05ee25949e2ad27008b51bdb52fbf640000000d4c0a847c0ac208e0ed9180b75677e67250de0cb4a9a84524b8847530da707af6626566a30711ada21534214b37cdde6505472abece6ad974c260e154c1e7164	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1828 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1828 iexplore.exe
1828 iexplore.exe
744 IEXPLORE.EXE
744 IEXPLORE.EXE
744 IEXPLORE.EXE
744 IEXPLORE.EXE

pid	process
1828	iexplore.exe

pid	process
1828	iexplore.exe
1828	iexplore.exe
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1828 wrote to memory of 744	1828	iexplore.exe	IEXPLORE.EXE
PID 1828 wrote to memory of 744	1828	iexplore.exe	IEXPLORE.EXE
PID 1828 wrote to memory of 744	1828	iexplore.exe	IEXPLORE.EXE
PID 1828 wrote to memory of 744	1828	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\irs\test.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1828 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
243478016188b4bfbc62010a460e51af

SHA1
49764515a492bf9640ed9e01ad21841b26735f69

SHA256
353340f2bca6f458bcc833acf9e819e4706b293b43a34f711581062ff027b044

SHA512
2a531eff86cbe34df5d7a38c4772f4d2f86bed587cc5a4f79110ad9d7f3ee5dc11c9576a0d841db03a924afbfa18e340bdbafce3fffda6a59b097d727a23a90b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S3YFO31K.txt

MD5
3cfaf3aee8dc6f09655424d71b02d99a

SHA1
b6f2a0992b53a672f6a90d72f1ed0b2be80400f0

SHA256
8c34eaa231f8261d02ae3149e40f2fa2199f4cd0b10c47b28d1ea7f8efd9c285

SHA512
9122b93a7c0299b3e2c7c0a29d023719e0e45cd86cddf8f78a56814ce63ff2042c814636ad7c98bec4ce9867ade7ebe7f4d608c40b0fd5fbdf53476c33fef9cf

Download Submit
memory/744-62-0x0000000000000000-mapping.dmp

Download
memory/744-63-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1828-60-0x000007FEFBBB1000-0x000007FEFBBB3000-memory.dmp

Filesize
8KB

Download
memory/1828-61-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download