hxxps://bit[.]ly/3zuvzXs

Analysis

max time kernel
98s
max time network
139s
platform
windows10_x64
resource
win10v20210408
submitted
26-09-2021 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/3zuvzXs
Sample

210926-sgh5wafae3

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{039F1B8A-1EEC-11EC-B2DB-6EE0A42A1E5F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000382260319411c6439cd8b83a3bf093ea000000000200000000001066000000010000200000000dc4e5e0986d12d6a69a326d23120f150ad2a70499dbfb6fde01cf8b489f53c7000000000e8000000002000020000000ae397eef07ba6f4b16c716ebf0d347d14ca6221896266e57b63657e26ca9e46d200000002a3932f81cd088f1344beac0a9e94199ddd3931548ba86e2370353f1a7efbc8040000000a9b7ce1f2a0e5e075b009ff2ac65db74c6d4a4db355dea780b6a0e6e73a8ce7dbe4aa21a237765476464eb01edb5f14f5fcaf7f70a242e5303b7a43f86d88d19	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f338e4f8b2d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3628784872"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30913272"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3628784872"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3679097831"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000382260319411c6439cd8b83a3bf093ea00000000020000000000106600000001000020000000fc0d36d9596a6540083f3dda4ac5c99b776110a1d290d287ab7a0d915f034441000000000e8000000002000020000000393e1d9dd7349ae246ec09f9ffe1bbd23d75517d1499bda8861de3fa05d550c32000000049d37e850e7c5830299fe031e23de158d7ee03b1258a3f81eceafd5c3f42e94b400000009d1f21c3a7f9921625fbe646516b90cac2b5210731ce069ba09e89bfcfe728a5a2dfa9d9f64804dfa6ed2125d5aba02c9693c5d9dc73e732da8bfb263d5aa08b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06261e4f8b2d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30913272"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339440936"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "339489521"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30913272"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "339457529"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

996 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

996 iexplore.exe
996 iexplore.exe
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE

pid	process
996	iexplore.exe

pid	process
996	iexplore.exe
996	iexplore.exe
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 996 wrote to memory of 1104	996	iexplore.exe	IEXPLORE.EXE
PID 996 wrote to memory of 1104	996	iexplore.exe	IEXPLORE.EXE
PID 996 wrote to memory of 1104	996	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3zuvzXs
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
28f3e514f353bd25873a84aeb808527f

SHA1
a3c7fa6eefcbf13fa3d4261cb34db5721aee1b28

SHA256
3c669eaf705e66de35e607b29d92833029b36bb75ec332e83d2765bb63cfba90

SHA512
9b097162c5b25a2f181a02396435d7f7ff09bee576284815e9fdcc893fa9e35766123c5c7e11ef1230becc4e05e11a87b6cd9a24ddda3436ce043cffc668a260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
ce98c91d236b64b56ca87fc7186af2c5

SHA1
ed75a894a924e03763b46178ae1a6842f91b7a24

SHA256
d28dc7a774741853733d1e6e385f27c910d0b97eda6f0a1ca47580e85c6e484a

SHA512
2787eede0e61b8e938a7fc47534b8d2aa31a01920013752bb4877c81e728931b9042a8ef5304b7e919f2e83bc6b1d1726bb1d34888e82f6a0ed4f34512b881dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
de27664da1e04c94901fcc3880064613

SHA1
aeb52fc87f907dd40ae683c52cf3129d4b27e25a

SHA256
7e59ce8a2d7d1e1201e535a3175bfaf239b9f5da7be265c18c5ff1e1bc696282

SHA512
2d1e23a6cb1641bb1c393e404950a781cb20e5123c1e85bed129a02cc54b45e84ef49b54bd4a19a0dd48c66693fe119fd4f6b6733c71d34655d4ef67b760fa36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8441C862A241EDBD5FA59220D1429036
MD5
69bad007966666f3955f74c978261d53

SHA1
72cc325c5a581ea79fa223ebed33d21579c130cd

SHA256
341103f677c97b8a68836026b7b3560992c97bf2569103315bbf63bcb455f553

SHA512
d2a4eac1785f0285822b019841935766f8a889eafe061de71f4c970865d5c997b69f4260116924bd5faba040695ef33deb10cfb0c2088f0385e2fa821573fd31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
75377b9b80ed7d37a9f06a480ce48110

SHA1
36559b688d588d7c7250bc8383a205b71adada1b

SHA256
b74ec60e14dc6399fe849ba7f9a04dc1ac35f3a905990d2cbb72712ab6c6cd51

SHA512
44b00017e49a9661de8194ef9b7d2b466b9df9a46b176efffeb893acb4d86b60d6596e6a1d8247a81bfa12e5f546ad278222321caa85d81d8c2b8832f38fbbfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
35b845d61d660e6172ae03f870442732

SHA1
990539baee0fd55f390dbf32e287bb9a998609ed

SHA256
8ed1beeb2cbfd2af14ce1ab027dfaaa0c82e8499ad002c3600ffe1e9128842e4

SHA512
0a32e37ffd5c1735a08e6015e462bacef7cb7e886c234a6bdcea4e89e5543d564efbcc2d5982a5067994255193416bbd6d5c39f1bdefb0b762565ee053f86ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
1715e90d83439b8d22edf121578a4101

SHA1
4bba01bb4896c57ca42145ae2b2c52b651c9f1f2

SHA256
f2e28f904752e70854ef0dbaebfde919f2c9dd5635d9de18733ce44943db60d4

SHA512
669027772cbcbc142f459b1ebc28f8e1d3e4ffb826f5c11943f123a76f609baba9bb5b3a3bff2c6b65c9a1ea661174eb02187b0e1c4d1dba1d8f19eae61aa837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8441C862A241EDBD5FA59220D1429036
MD5
62268310d989799e8d8e8b31d1c676ec

SHA1
3fea5946c7a593a2284eacbae460745a817139c1

SHA256
82b336cde040104ab2c796a72538c2f3ab3111ffb0a2ab0393da8d07a36b5c5f

SHA512
31e01239ddd252b3575a7e945829813d0945fae38c6104bd85b66919f70fa628130815cebab9e7af77bee26cf550f58ff5cc838158b989b565ca0ff742be9a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\19MQQQ9Z.cookie
MD5
a06e27f4c9d8c28ce74d239d461504bd

SHA1
b1aa14fd0c364524c2f03533c4bb26901fe41644

SHA256
43d88c47de18089a5d1caf3cc12430c7f9ee2b26f042a2f291585060226fe21b

SHA512
d4e0517d828e049296b81fefb2bcbcf598c9a8693a80005faf150b4a8609f5c9065028fd583bd26b101d9dd56f8f93aecd2fbfa68de33b4dd41a430817004f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\K1GGPJ1W.cookie
MD5
84cfa893b4d2901a94ec1766d8a2bd2f

SHA1
16af5b29d90d3bddf040a9acf8871dd65ed1d4f6

SHA256
f149f38ae32407ed52d2061543439baa2640420920b97921da49aa16a8c02c6b

SHA512
b7453ac0ff7a4108004daffb74bae36683e7ce6a2d6b1af782897a9092da714662ebad0dec49451eef4c9339a2c8466fe8a4de2a7e9f867ea2c3d48a275dd6ce

Download Submit
memory/996-114-0x00007FF898CA0000-0x00007FF898D0B000-memory.dmp

Filesize
428KB

Download
memory/1104-115-0x0000000000000000-mapping.dmp

Download