Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 14:13
Static task
static1
URLScan task
urlscan1
Sample
https://firebasestorage.googleapis.com/v0/b/mrje2n53563ghdgc0eetsra.appspot.com/o/Bn.html?alt=media&token=0f034d1d-cbf4-4703-a4c2-ba4dd123dfc5#tests@test.com
Behavioral task
behavioral1
Sample
https://firebasestorage.googleapis.com/v0/b/mrje2n53563ghdgc0eetsra.appspot.com/o/Bn.html?alt=media&token=0f034d1d-cbf4-4703-a4c2-ba4dd123dfc5#tests@test.com
Resource
win10-en-20210920
General
-
Target
https://firebasestorage.googleapis.com/v0/b/mrje2n53563ghdgc0eetsra.appspot.com/o/Bn.html?alt=media&token=0f034d1d-cbf4-4703-a4c2-ba4dd123dfc5#tests@test.com
-
Sample
210926-rjl4waehar
Malware Config
Signatures
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 404a3f8ff1aed701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338997994" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "339046580" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EC98C98C-1ED3-11EC-AF2E-CA89ED8AE987} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000e774b709d64ad4b05cb363f82c30cc42b74b2e1873d7d61fa4841533eaddd778000000000e80000000020000200000007eae70cc2c2dd42cb84793f6d0a2549b6fd0336a221489ea69e582ed73c00fae2000000076a14e1aa8018f6068ebd2806f218e5d8d98c0c2d6557249cea452492a5bff8e40000000a0a87af449fa017821f34ac202d31c2357a6cead260f0ad10cc8411ddd8c0774c387ec04345ee58b3aa788ca4695bf6fb0ca40db04b20ca326ed075b82ec557a iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000004c8484dfa376ab2092091a159ecfe754a6063b84be65f4941d2d6d755a358ec9000000000e8000000002000020000000f5ff0fe21d4bc0e2e158c4ea32b3f11f9fa29ce4f30dc5e94e738be441769bdb20000000de20a545a5f919016bc7f5f49f5f1156e50dcb1a03262efa31fa931fbd2ce16a4000000049cb6cc8cd7d7fae14a1acd82ab9588aa62b9c2eda115c49b2863bdd150836afb23f795cb11cc0a202c1969201bacf7c9a47ca33e2f19c46f979cb4817ce56f0 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 501e388ff1aed701 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "339014588" iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 2160 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 2160 iexplore.exe 2160 iexplore.exe 2620 IEXPLORE.EXE 2620 IEXPLORE.EXE 2620 IEXPLORE.EXE 2620 IEXPLORE.EXE 2620 IEXPLORE.EXE 2620 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
iexplore.exedescription pid process target process PID 2160 wrote to memory of 2620 2160 iexplore.exe IEXPLORE.EXE PID 2160 wrote to memory of 2620 2160 iexplore.exe IEXPLORE.EXE PID 2160 wrote to memory of 2620 2160 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://firebasestorage.googleapis.com/v0/b/mrje2n53563ghdgc0eetsra.appspot.com/o/Bn.html?alt=media&token=0f034d1d-cbf4-4703-a4c2-ba4dd123dfc5#tests@test.com1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAMD5
28f3e514f353bd25873a84aeb808527f
SHA1a3c7fa6eefcbf13fa3d4261cb34db5721aee1b28
SHA2563c669eaf705e66de35e607b29d92833029b36bb75ec332e83d2765bb63cfba90
SHA5129b097162c5b25a2f181a02396435d7f7ff09bee576284815e9fdcc893fa9e35766123c5c7e11ef1230becc4e05e11a87b6cd9a24ddda3436ce043cffc668a260
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAMD5
de27664da1e04c94901fcc3880064613
SHA1aeb52fc87f907dd40ae683c52cf3129d4b27e25a
SHA2567e59ce8a2d7d1e1201e535a3175bfaf239b9f5da7be265c18c5ff1e1bc696282
SHA5122d1e23a6cb1641bb1c393e404950a781cb20e5123c1e85bed129a02cc54b45e84ef49b54bd4a19a0dd48c66693fe119fd4f6b6733c71d34655d4ef67b760fa36
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_3B9C2111EAE052C5BA0EC1CBB6D70DEAMD5
b3b0696d2ec27523c6fbaf967afa6e80
SHA181360fee58617af76f052ea338335147a4a99585
SHA25623f5c00ee65e6c4a2bea51a5ea065736c7deb385cdfac237b20c89483cd47612
SHA512ccf63b9a1e1caa9793c97bd01c6d2884588ccb13ba29cbfc3a40dd47dd55b4b2e6229d54dc1ac8a37e121cece42186a25e3e143fdf064d2779cc7a8955886926
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAMD5
488b24010a638764a485500be3c54172
SHA1cb0dff90ebd63d7975af29d9895de01bf7832955
SHA25612561563af4d1b0f7913d62f86ed0eaffd83751b6962701dd100535ec9509dab
SHA512a9c0f09ea2a114ca7c3de17ba7f5cb3c01866d71112dc8da96c6d066aeda502d3d0810021cfb6769612c9227dfa5f2f7047db7fe62ff7f2c5d18b175552a2679
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAMD5
4d8d67c28ef064359ecca679cfe5b8b1
SHA1b9a290d2b9186f06905485516493d1ac339865bf
SHA2561d17c5e07074557ed0e54c7ee43c47c29cc9ec1878e0b1dbaf58c9469b241e28
SHA512217950d0995f75c71a6d8b2c4c7ca8ffa342b22e10bbd1c6d1fee950e6801c05cddffbb5161f96312f9a9a85a64b4bc170ed374b6435e520f6871916514da6ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_3B9C2111EAE052C5BA0EC1CBB6D70DEAMD5
ddf782affef831eea44fd5e59ddfb8c6
SHA18072570bae5f1f7c7031652578ceb8e7d6521e1a
SHA256f2848db2329074ca811cf6a4deaf274eb2ecc7a99796d0218e514fe5c6bd559b
SHA51208dd6402a5e00d4730f5eb5408cf9111bc735913081975179c79e4bb16605481fd1c5c57421cf2ffbdf8c312b8a50045138defcea65cbc093a1336ad5926d74c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\M4D4EGJ2.cookieMD5
153d27e4ae2b943bd9447de47f2d2375
SHA15b4a94c12e11ba426ce9487159cf09659f57cd94
SHA256ec542f2d732ffa787b5c9ed190deff6ee130445a2e8790c329d17d0200048242
SHA51290de64e57e790c97097775907dcb5a0a4ec2cb1db984e044c8dc4e6389ffa2b8ad0b183cf2034863db7eab204e9ad7a9d6526e01491265fe379a34e1bed58d60
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TQXIPCI4.cookieMD5
24b597ccf471e4c061ae9de4ab6c123f
SHA16a7cf4452422beaeaf00b142c7ca56f1f9a5c4b3
SHA2567624c5ccff201b5a0e98b4a9a26645f4464f1f5e72a6bd5d54b859bdfd48431e
SHA512cd755a0a552c200cc411a6d95c05c015e51e43c4e72b00ed5a5fd6484161b1f07a5724f4854588ddf5daab04e19072c81959be37e8fbfe05d353c60b2127182d
-
memory/2160-115-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmpFilesize
428KB
-
memory/2620-116-0x0000000000000000-mapping.dmp