hxxps://0sgm6[.]mjt[.]lu/lnk/AUYAADwj6a8AAAAAAAAAAAAIyIMAAAAAAtoAAAAAABoxEgBhWx_P2lTiF8zmQmOXR8JoQiDkRgAZR5M/1/UNpQ4f0aztsCa8ZSiEeRHg/aHR0cHM6Ly9hcmFic2FvdWRpLXNwbC04ZTVlMzEuaW5ncmVzcy1lYXJ0aC5lYXN5d3AuY29tL3NwbG9naW4vbG9nZmluYWw

General

Target

https://0sgm6.mjt.lu/lnk/AUYAADwj6a8AAAAAAAAAAAAIyIMAAAAAAtoAAAAAABoxEgBhWx_P2lTiF8zmQmOXR8JoQiDkRgAZR5M/1/UNpQ4f0aztsCa8ZSiEeRHg/aHR0cHM6Ly9hcmFic2FvdWRpLXNwbC04ZTVlMzEuaW5ncmVzcy1lYXJ0aC5lYXN5d3AuY29tL3NwbG9naW4vbG9nZmluYWw
Sample

211004-3v2t9ahdar

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30914938"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000007bacb5cbefb1e7c271a5fc6f91f2223f5e9c1833a5c1fc6c6fb875b24cf20dc5000000000e800000000200002000000091dd32f36a51e68888cd9e5f5aa94bdeb8b634e65e662a55574f7866eaf694f820000000a98fae771d0b9600593971eec48e6fa34c0be976a503b6766b6e98f7864b68804000000024dc56c10f5ffb72f70f53b0a567af960250ca522c43d81ef0e8775cf01395089a7f4cad2aac287af3719bc05ca280c6da09ba3b06f4d0aa090bccdf72193d41	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB99C686-256D-11EC-AF2E-C20F2984D143} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3231700325"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30914938"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000c78f2b8726f27033acaf54016316cf24707a831c009c82d4dba66e8089b2844e000000000e80000000020000200000002c08316b1ff75b78d0e2661cf76e91847f429f52c73bb026c021c5b69f18cff3200000006f019f11537f25a02488815c0b954049fd9ba86c999b80f305437f3a1dfb07b04000000052894eea62773163e509f5f7b88adcda6d65d0df9e12fb06b3abf01bf57099450501a6ed95cef367ce143d02cb8fa09aded0048fc61ef2499fc7eebc588dff23	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3224511568"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0612fc37ab9d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340205018"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30914938"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 004f1cc37ab9d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340156432"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340173026"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3224511568"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1808 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1808 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1808 iexplore.exe
1808 iexplore.exe
1896 IEXPLORE.EXE
1896 IEXPLORE.EXE
1896 IEXPLORE.EXE
1896 IEXPLORE.EXE

pid	process
1808	iexplore.exe

pid	process
1808	iexplore.exe

pid	process
1808	iexplore.exe
1808	iexplore.exe
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1808 wrote to memory of 1896	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1896	1808	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 1896	1808	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://0sgm6.mjt.lu/lnk/AUYAADwj6a8AAAAAAAAAAAAIyIMAAAAAAtoAAAAAABoxEgBhWx_P2lTiF8zmQmOXR8JoQiDkRgAZR5M/1/UNpQ4f0aztsCa8ZSiEeRHg/aHR0cHM6Ly9hcmFic2FvdWRpLXNwbC04ZTVlMzEuaW5ncmVzcy1lYXJ0aC5lYXN5d3AuY29tL3NwbG9naW4vbG9nZmluYWw
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
46cbd0a3d1e70a49db77aa1a79dea093

SHA1
e7ee6492153fcb7477c0512e14e923532940e066

SHA256
678c0747c7616857ed9abc64fa182ae2ff649167f322a11299b1119947f2f651

SHA512
8e11310cb6ea27c0aed73c29293fc3336e5445391063bc7e5a8b0443784a5a9919786386d950bdfe6f4e9cefb83f44a0ebeb400ddb1ed2ced0e16274f691784b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
79aa6a453433f7beaed64481ca797db4

SHA1
8755706f915c96698a303fccf904cb2085a236df

SHA256
25211281068b09f525d24f8948a54f29f043ce9df52f40e9b69b69debba7c635

SHA512
e252d85491e104fe02db589bd3eb1af32007c61c339feef1560140bdb6a5924f876515faa3177f5e35ead12523b90ce1f7fa087c9790623f39e4e2a1cfc9d4ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\GVM9EGLW.cookie
MD5
a6bd466669d98436964268fc24690215

SHA1
eb7fbc3e2993e3f0eaa5e452f757cdfcd0f1ca97

SHA256
06a92ca6997d884ae6e119442a0e7373d6a6cae34a03c4e6db56b0cf61ea769c

SHA512
2f5f89e44bbbdcb3ab6ee55185283d2203e4352b909a09d950d314adec2e0c8b6a2e424ff29b7df3ed369496a830dbc8d05b824c28ebe1cd12ae5e6a1dccab7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MXAP94M2.cookie
MD5
770b9e4cf3e6b98ab9c3c56ceb66dbf7

SHA1
7e0894f94a8167c10c70cb61fc714af3ffc5ade8

SHA256
e2585180f67ddd9d8ccda6a8a5bcfe68373291b38bd470dd91967e3003769576

SHA512
4e2b16d70b8a522cdcc56ac968152f10f0708d704fd837dbb7e2648f9b82eb8f4a0b7203c3f2615fa726cd4f920a9d21bf52b696696798ff415cd9c7c1653543

Download Submit
memory/1808-115-0x00007FFFA83A0000-0x00007FFFA840B000-memory.dmp

Filesize
428KB

Download
memory/1896-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing