hxxps://subseainspectionghana[.]com/ggh/

General

Target

https://subseainspectionghana.com/ggh/
Sample

211012-q2w65acdcj

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071b125e70d28d246834b4e6953557bee00000000020000000000106600000001000020000000e19a50e065781b54c31175953522c609a48c84a4d0a513d25d6232248a8fe28b000000000e8000000002000020000000f16fcfe144aae3d12d06676bb7458beb2e38b78cb5113dbde2dc9c6ef557ea95200000006dccfd35d70a35c72ece55c68d3823bfd9cc755d5701262489a46b3bff86e00840000000be48107bcd8befbc00c7133cdae8f050086d5fadfac135482426e2b19eef8cac7f2598b0d1d58c619a0eec789a84055f12cad3ec2fadc132ed5c097f27fb6040	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30916395"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30916395"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "709577094"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b000902d2bbfd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071b125e70d28d246834b4e6953557bee00000000020000000000106600000001000020000000cd40e93a57503a18bad8c2e3912e2494d00f5bddb09132d33732c476970bca22000000000e8000000002000020000000a34696f4bdb078a5ca05ab8638f617fc3cc217d00be19de4789116698a9a3cf220000000cf43dc3723ad2e326adf51305efe00ec84f0f0113fc73ffe5ff6763c6bc11d15400000009d1216702405a975ec26e32958c01330603ddd6c28d2db5c8f6efe02dcede2a635ecbe10c4200eb8255117003564ad57eae670983a9456f5b3951fa051fb9422	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "709733559"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340781957"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{050333E5-2DCF-11EC-B2DB-4E3A6605C0D3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340830543"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0002da2d2bbfd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340798552"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

808 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

808 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

808 iexplore.exe
808 iexplore.exe
3280 IEXPLORE.EXE
3280 IEXPLORE.EXE
3280 IEXPLORE.EXE
3280 IEXPLORE.EXE

pid	process
808	iexplore.exe

pid	process
808	iexplore.exe

pid	process
808	iexplore.exe
808	iexplore.exe
3280	IEXPLORE.EXE
3280	IEXPLORE.EXE
3280	IEXPLORE.EXE
3280	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 808 wrote to memory of 3280	808	iexplore.exe	IEXPLORE.EXE
PID 808 wrote to memory of 3280	808	iexplore.exe	IEXPLORE.EXE
PID 808 wrote to memory of 3280	808	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://subseainspectionghana.com/ggh/
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
61add8e2ad302fc97f519ecc9791606a

SHA1
96922ac661b7ec245064fd200c1b4fcf039fd24c

SHA256
9930dd5dc71208dc6d9e4cac5670097e4a04a99247d0df9d28216e2800797345

SHA512
76961be79a25efda506380d8d9fefaccc04d39c490ef0ff432100e754a34d8f88150772f08d358ad2235fbca7e3d61c2a42b8053157c1dfdadccc50f1c296cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
1712df4650a51edd15926147cd38b8da

SHA1
28a3e1bbf6723a689aefc256f17284720fd88a7f

SHA256
fe053aebf0e9790bb0900f097e1865aa32b2dd3efddeea74f5ba1bb09719782e

SHA512
f4b4ef2561b94df79d386b70b6157b4d7f880c47047e34db65452c51b8c1929b031cd05ad58bd9a641b222046c1afa0d4bdbd42ff5091631775c8e4cd943353f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8HDB8DK1.cookie
MD5
5a1e53cebbd1dae64766fcd1d51a47fb

SHA1
933694e7448017fe4c6b2b365ab50c0e9c443328

SHA256
7b18ec48fb97283b260971c8c439795e20fd36f517d0a414989bf1fd8daef4ad

SHA512
bb6e478550f28974f07697d0e7b8f54a8119a512eb64f2deb0dc9a11ca46553afd2a9a9f764967d9c6e9cb5118bb2e597b6d36ddfd999b0cbb4c8b4c565672ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LFVB0FQQ.cookie
MD5
b92e1bbbeac11451a1bbd74519ef2064

SHA1
6350f27e555725093065fefb198286587219fb26

SHA256
9d342f119376c625980e6c89e270453ddf23c9327e9c1468e878a631bc0be2e9

SHA512
a9809fe7f36808fbffe9bf5745a5cec16d1f508aa51ebef55d3ad258b93fc6e9b0c48768807b19e82ff10e3a1dc671c2b50909098222a756f13428297d05734f

Download Submit
memory/808-141-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-123-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-121-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-146-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-124-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-122-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-126-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-127-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-128-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-130-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-131-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-132-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-134-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-135-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-136-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-148-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-115-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-140-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-114-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-143-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-116-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-120-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-137-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-149-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-150-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-154-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-155-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-156-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-162-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-163-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-164-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-165-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-166-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-167-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-168-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-172-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-174-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-177-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-178-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-119-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-118-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/808-144-0x00007FF91DA60000-0x00007FF91DACB000-memory.dmp

Filesize
428KB

Download
memory/3280-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing