hxxps://discordsgift[.]com/gift/eX5PFweHPrNWCj8t

General

Target

https://discordsgift.com/gift/eX5PFweHPrNWCj8t
Sample

211010-kz5slafgdj

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000f7ff454a0ab2223d5a7a3dc7427301ee7bb2c4646f0b4922745240ab3156fac8000000000e800000000200002000000050c8c6e1a37cc526c818fef03bc2d4221c48946f67dbcb639749931d9a02dcdd20000000d6dc55e13b86836d1235c0c0b87c491cf97eaa3836b2f903dd9c0a74c71f9171400000007650493403491635d431c2f1b7f4fca69dc52f92ed2a1a511e8e442a85b6738c8708a7a6abf517609e80c76d7ec0c832ffd979dec4b43ec9b9a95f87681df82c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60ccd2dd72bdd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{70E75289-2C04-11EC-AF2E-FE4672F7746C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1182440472"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000000c27e049ac2cbd2908465a2572781a4e46dc112d25e953c1bf27219e8ea83a7000000000e80000000020000200000009d9bb2c31846def321634025b270630a2cfc958b4053bd1de7afff463c57573320000000612860ca4411b2fd260d8c3a1e7f3460996915a3a87da262f7c36dfacd24f1ee40000000205b167171068cdfbcf6300b6ac137ce76966e9ae144d71c4a127d155d25c5bd3b145e0af3a098dd2542c8b45ff03e148897f69f0dd30d29e960132376188121	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\discordsgift.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30916625"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3050e8dd72bdd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1182440472"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340641426"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340609434"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340592840"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\discordsgift.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30916625"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1688 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1688 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1688 iexplore.exe
1688 iexplore.exe
708 IEXPLORE.EXE
708 IEXPLORE.EXE
708 IEXPLORE.EXE
708 IEXPLORE.EXE
708 IEXPLORE.EXE

pid	process
1688	iexplore.exe

pid	process
1688	iexplore.exe

pid	process
1688	iexplore.exe
1688	iexplore.exe
708	IEXPLORE.EXE
708	IEXPLORE.EXE
708	IEXPLORE.EXE
708	IEXPLORE.EXE
708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1688 wrote to memory of 708	1688	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 708	1688	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 708	1688	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discordsgift.com/gift/eX5PFweHPrNWCj8t
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:82945 /prefetch:2
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\2XUTVJII.cookie
MD5
7602a4a9c7e2e814756a34edfbe27029

SHA1
c789b5d7996e9ede6ffe0873072b9ef9c260ad0f

SHA256
da8b4a97dcbe8b1a824854835a8b0590e772670c19805dc29a4d5a649c408957

SHA512
a00e268b3d602e50cd80669fc1f531dff570e8c08983c5cc35db61c70e9365392a4b9d829a7d9b43251d7418bc20272f50708ec64a88a49c0997aeb9a55d59bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PTZY19I2.cookie
MD5
757146858cdedc96ae296c427893580f

SHA1
86eeb6d70055449999ea530af02db1680a6a0c32

SHA256
fa5606fa6e6aa4ca97aaad4eda1a2c6a5a4a6d5d808149c302f540770ccfd7d2

SHA512
140dce3d5d5aff9f0ae58c409bfe21f31c3ee957b3e29803e912cba9d141188cdfd2908ad1d2c1779c99eb180f554439d283be7290a0ca19e3d32a27546669d6

Download Submit
memory/708-140-0x0000000000000000-mapping.dmp

Download
memory/1688-142-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-122-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-121-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-145-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-123-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-124-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-125-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-127-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-128-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-129-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-131-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-132-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-134-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-135-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-137-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-147-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-138-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-119-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-141-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-115-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-117-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-120-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-136-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-149-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-150-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-151-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-155-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-156-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-157-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-163-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-164-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-165-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-166-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-167-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-168-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-169-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-173-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-174-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-177-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-178-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-179-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-144-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download
memory/1688-116-0x00007FFF144D0000-0x00007FFF1453B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads