hxxps://samadeleke[.]com/wp-admin/Stock

General

Target

https://samadeleke.com/wp-admin/Stock
Sample

211007-t4f5gachfn

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4d2ebef9098104e944b2691fd1deed000000000020000000000106600000001000020000000799697327044fc01cd19e7ce453d6440c8b00d3afd311bfc3a46cf87daef62cd000000000e800000000200002000000007547e3612abc473f36f743467707f1745e75dc7bca612fcdf37c1c5116e223f200000009913377a51b3aba19790dec66079389b0e7ea6fbd90d0fb009ebd10169dfd6ff4000000071cc3e2964921f93f60d9f2deef1f7b3c55e1be7684af9af793c0dfafdbb697604e5624e20e3ed4ec4fce03aeef9b693cd7d51e9af67b8384971079624141832	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05CEA9C3-29F9-11EC-B2DB-E6C57AC66A15} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3684539355"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340672583"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340704574"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3684539355"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3731368002"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3016fde205bed701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a035d2e205bed701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c4d2ebef9098104e944b2691fd1deed0000000000200000000001066000000010000200000006a5614cdc19bb5818eca6d122608e6f8486d9de553d84fad8b84a956a2ee1720000000000e8000000002000020000000cd742f32dfa044be27879e216b4ec31019572a79d37079ad3000bbda767e5a92200000006eb04619cfd0d2f3b750ab9e8069147bdd3b5861139686ac9558172237fcc0ae400000000191496f05ecfb3c96bc5cbe90f6b56db76bf2f1778cb835c3ddaf474c3266ed411a7fe0d181b09e347996f8432d5dee1e542442a8ace139654a49f98436471e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30916101"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340655988"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30916101"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30916101"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

664 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

664 iexplore.exe
664 iexplore.exe
4080 IEXPLORE.EXE
4080 IEXPLORE.EXE
4080 IEXPLORE.EXE
4080 IEXPLORE.EXE

pid	process
664	iexplore.exe

pid	process
664	iexplore.exe
664	iexplore.exe
4080	IEXPLORE.EXE
4080	IEXPLORE.EXE
4080	IEXPLORE.EXE
4080	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 664 wrote to memory of 4080	664	iexplore.exe	IEXPLORE.EXE
PID 664 wrote to memory of 4080	664	iexplore.exe	IEXPLORE.EXE
PID 664 wrote to memory of 4080	664	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://samadeleke.com/wp-admin/Stock
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
374ec10d9ad192aea0b9e778f1c4d977

SHA1
739c177c68a942c58de4eca6ff8745dd96c0b030

SHA256
b4fee9a922a0ff84e62f00a7ac75b425a9a89c4ea053616687f7e3c4dc90588a

SHA512
c4c017f3c966f1dad2a86ca0f2d02392fc9218d08aecf3170e9af7d647fb5a8f5534e7a8e1585954cb84fb9ad3496176374d4a22003603e3d0c0d5b3a3beb37b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
92535e9138564ddd624bb202e366003d

SHA1
153ace058de018d00ea90fb03d9ba756d4d61a40

SHA256
9dab7fbe21fb5203ac3523a81d7ef4052bebbf87f0ce23992f6bb38160d0e36a

SHA512
063654a24e4fba3140856742cabb929a0924ad5bf097e0bb5539a5ba0752c9c93adfa17738751d6ee104378087c592de2a288dfdb1d9e97961c600e4e290acbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a2813539f8a680786111c31406ba7ba7

SHA1
aed66aabd98725764d45e7968fafbee6514e6f08

SHA256
e5dd7d1a27f6c8e286a30087bd57665509a8656f0555fc17f5e1d2805190228e

SHA512
3acddfa59283386cddb83f01e50f5a2124f668d4f2bc85d7d4225070343f757734cc6d015259ce5d084fa7c84ce47ca0b694c9e87f340207e955c018ac668d6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
a7ac2b7b5da14f640ab81b20b5c831be

SHA1
797dfdbc7fe88204813a2325ca07fab69dcf0fbc

SHA256
e47f8da89abc904a1f696f8bbae1e931f78c43c22e8886fdebbe9c55bf986d68

SHA512
385243c85898a61b49de0029174d37210c2aae083b7576abe421c50c0ca8e30895fd32c905f436cd2eb286a1d444e677102b5e90aaa33db6d405481986e66839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\UT4I9F5V.cookie
MD5
4cab4c6c356a4a1fdf49edadc2ea1bff

SHA1
90c0f24f5f307b04ea9081dfe1af6be9bd447cbe

SHA256
a2d614a0ac694b7b09a5f7e73ce65c6bd3c700ca864e2da580c9392764d253de

SHA512
0f104872347ebced2afd7e7c8904c6fed566f3091488b219a5256e3a038d6eb38155fff7b9a1c0da59799c874f50f2bcf33d0e070a3209bbcf509115988ed384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\V6B7CFOT.cookie
MD5
212ed637574322bc740f09bab189158b

SHA1
def7708278e018b895123695938da200a0d647a9

SHA256
7787d3cfff00f81a1d1b0f8cd1eddfe8fee7f76422e626c97279c7f25e71f5b7

SHA512
d5704986e602b0e9047f84302f5ff6dbb303c39538a51a54cd6d64465421708802d221649d5ed0333fba06de5a6666eb6b853b2453c79f989ea0e836741f167b

Download Submit
memory/664-144-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-149-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-123-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-124-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-126-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-127-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-128-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-130-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-131-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-132-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-134-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-135-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-136-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-137-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-115-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-141-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-140-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-143-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-114-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-146-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-148-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-122-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-150-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-154-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-155-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-156-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-162-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-163-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-164-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-165-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-166-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-167-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-168-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-172-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-174-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-177-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-178-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-121-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-120-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-119-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-118-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/664-116-0x00007FFADF5D0000-0x00007FFADF63B000-memory.dmp

Filesize
428KB

Download
memory/4080-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing