hxxp://hillmag[.]xyz/

General

Target

http://hillmag.xyz/
Sample

210930-3w5mjaafdj

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{913D2FD1-2249-11EC-BA8C-DA23DD5773EE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30fded7656b6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ja-JP = "ja-JP.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000a696d94e90a98cbb3ca2e6ba6ca423ee3ceac7c90753c112a981cedc925b8cd1000000000e8000000002000020000000d13932f4c3e927dff2b1021e51e6301202dbea9973c94a9e019be71f9a7ef99190000000df1ea47f0907bd1cae7f2ce992cb5ad750da5c0eaa11c33c67f4f96b99dd25986ab5a3173b873297aecbdf5212337167f91eca25a5aea0ed4bb622d92165eafef3b61ddb827f7bd0ea0fd075f40feb5afa3210a91aba89f4dc22a2ee211f2e07882594d47703cac4c1701ec42f9190ba7acc584be0d84f0915744a43900db46834f03f2fdc5c1cfa8ddb884cf21d3bbe40000000a4f37cf90165d4702b55603443429deb8a81847733ecfa22dc96bfdccba74529704c3989cdf327267631ed24a3ebab0ca5656b9174abe6ac9b5c30385a50fd69	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339810968"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000b0049fb432fc0c74f1a07d34661dbd508b6fd9605fe43470f1a919f09856b57d000000000e80000000020000200000007feb367fe2d9f3eaefcf3d83295daefdf701244f7540336aad4dc88ccad0d52d20000000bec08cfc44fa315f6bf2bf8dde0dac6f155c290309c1a5b4e013568a9e8e750e4000000050dc28a1ce44f7fccddbf9e1d96cadf5fbcde8747a1ebecfde6dbee836f053971b20c6b28883b25a3a5c4179de1ae0b751ac37bc77d55317e6d19c12c6c3487f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a60000000002000000000010660000000100002000000053ebbc6718afa4f346f6954b3085c19d76ec87a1c6ea4a8f2daa33671e0446e4000000000e80000000020000200000006d527c063406ac982a37d563a93f708cc7225a8dfcd7ec4a5b7d2753d334b78be00400000c0712bbe35f3fb714b3c92f8810fce43c47eb413d6ea25595e6e4e19495a574c62be914d8a6e9136f8a8b1e15ac5aff07692681e5f8e8be04c21176cacc1be11120314b74b6bc93e22450acc3740361832d9fc1a2a4d19e5bec1d47b42452c40f6d30c079788d88454bdb7f86acda41a772318e4ffe5bd92009f663b95dbe4372bc9f508911fdc152101375eea00ff3499cf189c09181f42e9ab521bb140c3a5dde80c82eadc16aec6c3bf8f739b70c9f0d1cfe40083d9856cadffbf908828ff1da539f7fbf80e696ea390a5850a084c3303953d864814f74b6e36ad17e98e00ea25f4f4119ffb64e5d5e452a45259789a8dac5bcc8c1b341dd02def7f69074a626ffa68ee7c72fecc4972dbd89444bad7d81c52751bd523d6903b54add9470ad3c3c7402442d9b897cf96ff78b3d39e5e22ecaa64868cd4d61ee7a30d454f36d3c7a47ea0520850ce6d6a5d172fb148c03c867e04923bc507f3beb1cbe92fe230ff5b2a016a5c662b4e00b4ad85c214d3783f6e35f67230e4d82513ee3f978b4c02fdeafd90db4d9e92f5cc213e86cbffc44539689f25590b8d0b101d3afe0e89815002e93e918d554badfc5d7a07a817a602a728f37bad10ed6acd4b6c3db6e55f040b7a40b80fb142e0305967c912fceee4cbd4bda416dbc52378597091f0b5df4ca233cfffc5a9ee1470c566967e0679a9c568632482b51ba9daee1771c73c79e1d35d8b7bd67d717c92ed9a71d656b4a9ffbd798b0371d259ebf8e7aaaca8ba253f7f17998d0a1bdfcbc2a8b41064e906ec11701b1a4b0d3db8bacba6002155e41f7ed99eb62f61cf18793a9d34d9733afe776785afc1ed234c2145d6b6fa1ef660455e6f0c6dac98c414faa688a268aabb2e49f35482e4a441bdecb4e6cec5c3a105aeb273a62b4b9fc15101baf294b3701c7a3a27112af97a5b6c554933ea170b60c29d367629b735cf0f31cc1e473886b981dd61df29c56bd3edc779dadb2416fda3a662735b3139a31a134e844f2598585bc5d967ad6cb4757728472232581d71a7f253ddf70b739a66be023aa44322d9beeeb5295342a77cae7d2fb9407f50e8944c46c8a611a95ba26ddaa9ec1c7b90975749e1f231edad0d38a0272dad8f76deb07f164dc4194d80e5be3e8e77102d21a1067a6c375c8998adbcb492296abbac2212ec4b6d447bec7a8a3b5c3697e40c939ac0cc55865aea896811feaaf930b6fcb0fbf44e832e95b1d1fc9f99e73cb7a47a2d90192f8af0e5d42797774d8ed10938a9ca5897af6ef1bea6821655a66d6fa6b6d4935eed680a8c586678d72936cf7ae8e8da2b0a35e7b15cc1aa0bc6a9e29505f21e9b7b178ccef86380f618922c27abc4b89085edbe9a066ba4b47e6206af3e92f98fbb195c324c520a5d8bbef19902389c9f9784b695b16bfe95ce0d5ed1a3db377204648f5b25828c5f80423df3b4a5b855a7b6f881f34bb86d44300966612c0d06950e0954fce41c49ad64698b735f3398b32be412798603575e2b3c5e0f4f2c16ad392a8274a5debdbc0983205cfdf31a8b2a80b9777f0f69bfb49283cc1c887edf5d20b5a1c42f17f6bf09bffe41cb234b52e62d20c17a1bbac65c2bc276784fd85887d4285ee884068f6beccf31a5c26b1512dcd3ba30d7d4bf3824602dd6cb0f1565b05d517af34161bd0d45107f62e11f468b48283a194f7d2e6a34e1fef9d60ce9961314f831eb04e29e8eeb5e2d06bec205168f45a2412c335935fc244c8ff20f94000000050aff7f6743018fe98965039eb05f136bd504813051e9b58be8ed0b3cd701904967e88632fafa01f6557389ba27ef71628667de75389899736517965fa096b6e	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1560 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1560	iexplore.exe
1560	iexplore.exe
812	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE
812	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1560 wrote to memory of 812	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 812	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 812	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 812	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1688	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1688	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1688	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1688	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1716	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1716	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1716	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1716	1560	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://hillmag.xyz/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:996372 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
eb730f508e03d3764a5d8f6288703831

SHA1
ecf31204189b2aab8143db96efb4ef94ce9ea05b

SHA256
ed7264c2c04d9de8d387972aca8ba11a97a2ca9904e7b79ee647d26f0d9b718d

SHA512
0728c03016aed70c9b46a21537a94b09b9861614884b934e9e9d26dca69b694ae159afae3c5661f825c4cc37b50f433161879d3f25d9d971f8b4f923bb44f91e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
48ed9a66f955d6dc766b9d418dd8da6a

SHA1
28959dd73f5a0a30ca2ff05fa850c96d7b11fd49

SHA256
72896d189b0e5c48adab267bd84371cdec72e8f1fec161c9f8f9a8d096e4f577

SHA512
9fd003db350deed37bf4f35f4a538786efcdcb16fb5a87526911d933af0f00e7616629dca3751b6fbc73ee2d85c4750f5dc05ea233707af0f7654d6241749613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20FS0QLA\ORWF1TEV.htm
MD5
d19fa77934d1d0f3d8a69b37a5563eed

SHA1
6418c49a0e322400d6731bd874858b812a6e4183

SHA256
2d33a6cfee719d2fca5ae7f563a0013bdcbf194299f4fc2588d8e6fb5bf92099

SHA512
f703adc07b407554b62ca568ade85d05675f15fce44233ada9842c18a85595a5ef4a050436219424db54b6322c81f10359f2a273b4e97ec17e81dbe3e40973a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\324ZA0K5\QVGZLR7P.htm
MD5
5044b7c97e81b5f69585186a1823c403

SHA1
17a75e96542a16cebbbbb39fe2bea02cc2c29896

SHA256
3959a6824363a542b714c7e29e8416e8470df0c39c770b3508b2b83544c226bf

SHA512
d74db25a7ede3fb18032e03af49dcb46d3882bda7eadedd38ed306bc3c800fbd119065d51e62ab05bbcc405f9b8cf73a7c640eda048309052f6205837308fca9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SX6GLBVL.txt
MD5
8d60f4ba76cda97c27b223c9a066b287

SHA1
b97dda1be797bde88f63da47dd2b1cd698b107a9

SHA256
62f669c42377c336230abb1c23892568575543321d3977782bf2a51a4da01993

SHA512
3de2f6b0648676b4c4ce39626ad9cea36c575754825bbbb3521e939347e58d265d8acc7fa46e7abc4f28bb9022f22ff7e88d155f2282607a27d6a520b0f281e5

Download Submit
memory/812-54-0x0000000000000000-mapping.dmp

Download
memory/1688-59-0x0000000000000000-mapping.dmp

Download
memory/1688-60-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download
memory/1716-62-0x0000000000000000-mapping.dmp

Download
memory/1716-64-0x0000000000D70000-0x0000000000D72000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads