hxxps://discordsgift[.]com/gift/eX5PFweHPrNWCj8t

General

Target

https://discordsgift.com/gift/eX5PFweHPrNWCj8t
Sample

211010-kz5slafgdj

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000050b3f69b39395ce3c4e844adedeb2fe7dc4fdf04f475336e05c67e4fb0eb4fe1000000000e8000000002000020000000a17671ed1610d2313daf27b8f3b9f313a4a503a2a2dd71360cd578eee1d3a6fd2000000033bcfed3e703cbb2743146286b1961dfcfcf3adfee2a2b22c1811e106f9bed264000000028cb22f2c01291b0c1ff5eace587deb961504a3d4a5696d26c33c24b1641008ad61cce678ebfa797efbcfbd029061ca60f9318b2ec9e3b9151f6b59ea0335b3a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{713F943C-2C04-11EC-AF2E-DAC1D1864B58} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b0dd56adbdd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\discordsgift.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340617951"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a022f256adbdd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340666537"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000e8f45fa03578e665087c812ed0ca059cdca60f843851adc1e42c7c40e00a4e67000000000e8000000002000020000000c5576aec791729fb0706e21b36b6bbd674360147ff0c9f1780e2c91d53b6432a20000000f6c9d2d4bae7afe5a17eb4a084702936ac9eb48cc6c26133bbe6bb844f4c5c44400000001f05b4389423db86a50236689c29e072dcbb25b5cdbf5ccfe07645be5f0194d9248bb2aec113068d7a9333e6f472477de588d3d9967d4d9a428f89424a00c216	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340634546"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\discordsgift.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1776 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1776 iexplore.exe
1776 iexplore.exe
1060 IEXPLORE.EXE
1060 IEXPLORE.EXE
1060 IEXPLORE.EXE
1060 IEXPLORE.EXE
1060 IEXPLORE.EXE

pid	process
1776	iexplore.exe

pid	process
1776	iexplore.exe
1776	iexplore.exe
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1776 wrote to memory of 1060	1776	iexplore.exe	IEXPLORE.EXE
PID 1776 wrote to memory of 1060	1776	iexplore.exe	IEXPLORE.EXE
PID 1776 wrote to memory of 1060	1776	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discordsgift.com/gift/eX5PFweHPrNWCj8t
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:82945 /prefetch:2
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q6N49J97.cookie
MD5
ec88aba1cb624c3bb93ee3035d3ad401

SHA1
0b5f3770216fed20ecd2411ac01bd7cb61ec35ab

SHA256
b90dcd2d0bbca0bb4d62ae0152cc25bb0c41a99bafe4b573e0dcbb00fdbf976e

SHA512
c187254a09897d19e7190d664856916c6ac734a3ada761f7e5d6244fe91dcfb134b28ca6848f9c6c04a6846cf724394a4abff176849793cbe557e85bfca1b1ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TP84JPWN.cookie
MD5
747aad0dbe3da29baae699348603dcf8

SHA1
d75bce5763a78182a7595dc8609b3e2c5dc9bb6b

SHA256
2c85b371c8ea7d055e2d716f463eb3fe1c95b7b2f3a34514177fbe04d9e8253e

SHA512
a69eb04c7cb5e5dbf11726ce649450ff4b710615a980d39f668669c712dab9c27cc3e80b3fd0ead86ddefcd711d764f3e4245b0b5ded2a880f5a72722885fd9c

Download Submit
memory/1060-140-0x0000000000000000-mapping.dmp

Download
memory/1776-142-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-127-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-147-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-122-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-123-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-124-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-125-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-145-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-128-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-129-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-131-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-133-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-144-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-135-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-136-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-137-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-138-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-119-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-141-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-115-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-134-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-120-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-121-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-150-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-149-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-151-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-155-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-156-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-157-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-163-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-164-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-165-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-166-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-167-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-168-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-169-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-173-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-175-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-178-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-179-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-117-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/1776-116-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads