hxxps://gulfinnovationgroup[.]com/hmauto/hmauto[.]php?email=email@email[.]com

General

Target

https://gulfinnovationgroup.com/hmauto/[email protected]
Sample

210927-vtnbgahehl

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2090"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1270"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "159"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "329"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "502"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1608"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "339576585"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "243"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "418"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2099"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 409727a1c3b3d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1523"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "3047"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "1270"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30913475"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "243"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "243"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "1608"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "2090"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339528000"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "77"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "159"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "1270"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506b20a1c3b3d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "77"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "3047"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "582"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "1608"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "2086"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "2185"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "418"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "418"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "502"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "582"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\Total = "1523"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2088"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2434782382"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "339544594"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "159"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1442"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\gulfinnovationgroup.com\ = "1523"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000086df8635d32cc573ac7bc0741688c3245708cdf0891d7dffd8f8c38cc407370f000000000e800000000200002000000070238349c3c45c7356b1fe00fce7d75b36f808bea28a5bb5c4683b48720e603020000000ea25bf4ab0d794d8006fc2ac7bee6a45c8a483efa3c80f27b0599c5146b85f0140000000fecd5b02750ca7565fccf1ab7360ba1c7f6d906a2860913d2b0e8d7caf13c3fb4e284721cd864c51c4c05f2fe0ae33939e5a9286302b076391d531fe004c0fc3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3047"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2208 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2208 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2208 iexplore.exe
2208 iexplore.exe
2504 IEXPLORE.EXE
2504 IEXPLORE.EXE
2504 IEXPLORE.EXE
2504 IEXPLORE.EXE

pid	process
2208	iexplore.exe

pid	process
2208	iexplore.exe

pid	process
2208	iexplore.exe
2208	iexplore.exe
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2208 wrote to memory of 2504	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 2504	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 2504	2208	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://gulfinnovationgroup.com/hmauto/[email protected]
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
57ba3fd55153ccfffc38981d45eb27ef

SHA1
8b89079e2a405fe04a1a87fe901d88982ef516cb

SHA256
19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef

SHA512
58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
647b8d7bc982449272d66d17e09f119f

SHA1
fcee7e5a6ae28bbee3a7fe3ea22144b0c08f929e

SHA256
678a5f60df00580647a5434128825237050133fe3243aee397d68f4610e1b050

SHA512
21636b5a029afb2134b029db32f84a5ef0f143fbae4f377949a79cb0f453ac50dde473d1aab977d02724d7547b59d767ee03cf6f4de59deff0e81d3da90d5153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3f5ce173eed18d061760acea4c8f69f3

SHA1
c8a02499ede88cb10496fbbc77fee1f2757e6629

SHA256
b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8

SHA512
22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
c1539ef60cbb28a007df369f50fbe787

SHA1
0c5d0292bef3c311fb750be0a290e89207d74d27

SHA256
c4ab2972f2af3e6fe63103577d8ad93219278597ebf1eb2d91472203f2724563

SHA512
fe937a4ecbae6bf1e644943173ffe7756a8df6e0415011c1ec7883a70db710bc4a1bf33a42ab3ab3e01f50ca4918b625566c5b44e852e3f5d662ce26496de487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1a715bc0482d403b986a13719094636b

SHA1
004fd92b9736b1088a7e28808f02e32cbd4c7f2e

SHA256
851717e4f544fe91d1c11805d791d2c609ab8aafbb8bf62c4d6e6767b99bcd41

SHA512
5e63b1901c8f5e03c82fe5418669964df6140085307ae3208423b4d173bce2f26318aafca9bca1e39234139eb8a413d6081be7ce1a199865a9d73213b2cc2d34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
a025651a6109ad2691d704d273fb3759

SHA1
3289013ca70dd3a9a4bc82a6f4115e63c4bdd1f7

SHA256
910139d65403192714750f7f4474c862ec1248fdfef22779f98ba5441c456ac0

SHA512
617737cbff68dce5fede5317b458180d42423dca339bca0400ef0f8bbf54a17695f78a18fc4fd727b39b12f33fd08c7871fa3c8bcab4c6b20ab9e22d9662368c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BZII3O77.cookie
MD5
486dcae0eac246a207b3df1a8ef4764e

SHA1
71f233c4714a2b1773ba61166c8e80f9c0c9be33

SHA256
e2f254120a8deee782684961b78eeb5da2934b5ceaf79668fc43383d08209f0d

SHA512
078aa76852d8bad1895abbbf96289a09d4c20e27c74c94ec690f7158240dc9c40a43ba8ef43a9482fd532fdcd1abfd5482b2cef597859a3fcdd60a12a13b2678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\NHN03285.cookie
MD5
466c36192ab8087c7e31d1db22be43aa

SHA1
f02350fe0eb312b16079a419815c9a29a5a24908

SHA256
abca6951c45c4f4543712f5c61cb98ce1d138f104a5bdc7d7f8c205551a7f31a

SHA512
545998d374d25278fbbb3bdeaf05d1c2e0bb9c490e09e3f39bd6352d5bb8ef886f3a0422ea5e2f0ea62d9433f2a88ec6d8a181e5a215d4a308e7e6dd528c2151

Download Submit
memory/2208-115-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/2504-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing