hxxps://lekarica[.]com/354/login[.]php?cmd=login_submit&id=2ed9db7e9f4cc61a3775386ecd4913eb2ed9db7e9f4cc61a3775386ecd4913eb&session=2ed9db7e9f4cc61a3775386ecd4913eb2ed9db7e9f4cc61a3775386ecd4913eb

General

Target

https://lekarica.com/354/login.php?cmd=login_submit&id=2ed9db7e9f4cc61a3775386ecd4913eb2ed9db7e9f4cc61a3775386ecd4913eb&session=2ed9db7e9f4cc61a3775386ecd4913eb2ed9db7e9f4cc61a3775386ecd4913eb
Sample

211012-rrdsgacec6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000052c352350f78ffc0a64329e0b206f6c173427df6fe707ec0d91edd1819eb3f57000000000e8000000002000020000000a026a86f521b6a972bd65786fb25e841e51f1c765badae9542d4edbddc5615832000000062d11dce6eaf1ec79b300453daae0f3bb88c23ca59d0d490dd53958bc90f7e8340000000f4d9e065a74407f7c8779ad523c105da68b28ecaec0d6984330bed9b47f1b00c8fc585013d99096172a20e63314b416af8bf3f37997a262635ed8d4c0581e34a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BAC349A3-2DC3-11EC-AF2E-DAB78683E0E4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340855071"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340823079"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340806485"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000004814c98644dfd76485c10c73cef1137d4d0f7ff97ef439112f4ad6ee97214880000000000e8000000002000020000000790396d993a341e6a6004075697fb53d88b7ae23e0d32d69eafddcac8014e5322000000084a8907e66aa17d4b5f98d9c62724c56a46cf3b72660fdfad6eb52473c41835b40000000bd80b0d45a5bb99fa20fddd6a5f0eb8860715cb6f2af4311cabc919010c80632ada9f2345af6f0cdbbc62046ee44fe67e75682aedac1a52085d600453924ff90	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7034af4a64bfd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0929e4a64bfd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3608 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3608 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3608 iexplore.exe
3608 iexplore.exe
4596 IEXPLORE.EXE
4596 IEXPLORE.EXE
4596 IEXPLORE.EXE
4596 IEXPLORE.EXE

pid	process
3608	iexplore.exe

pid	process
3608	iexplore.exe

pid	process
3608	iexplore.exe
3608	iexplore.exe
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE
4596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3608 wrote to memory of 4596	3608	iexplore.exe	IEXPLORE.EXE
PID 3608 wrote to memory of 4596	3608	iexplore.exe	IEXPLORE.EXE
PID 3608 wrote to memory of 4596	3608	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://lekarica.com/354/login.php?cmd=login_submit&id=2ed9db7e9f4cc61a3775386ecd4913eb2ed9db7e9f4cc61a3775386ecd4913eb&session=2ed9db7e9f4cc61a3775386ecd4913eb2ed9db7e9f4cc61a3775386ecd4913eb
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7A3112A66298E38C7207F8F0E3E5A311
MD5
3ee55ba607b0c796c72d9e5346b7bdc0

SHA1
464d11aaa1affb982bd4d073022872dbe3ec9d13

SHA256
0afee977f1c97bc23818aec9ef38b83e8d47c7ff78493609916c2a9649d41c07

SHA512
72e8429da660ab58441e924eed852356953251548f3d2000e2dd4cd5f7df8d6b3de2d709ddd4b1298c555d761ddf519a524bfae2aaa8772b29e3b83645f51d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
ba9c8209107fe967ee3667d67c4d944c

SHA1
41305555db3727a2da234925033b367d61a83641

SHA256
151a0e686721969212d49ae3de54e78f07813f24d8467cdfc320bda2d1e88477

SHA512
fa8df4bc13efab707487d9dc4daa10f6c69b44bbd87c4bd597b9371010f503c9b94803191bd163f4e9b98f69ac51291096d8b0f28c1e2f0e8cdf44293d824374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7A3112A66298E38C7207F8F0E3E5A311
MD5
bc81b27211ac4ef7185a3dbba6cba837

SHA1
a6bc5d327fe92995b8286fc465a06c7ff7b4306c

SHA256
c9ea4087a5018bbe348ea8f084d9f30c61a0465fcbe16fac2fa4784c2478cd75

SHA512
8d9e890e847fb43a0b8193aad52830e13dada8717df2c40d13685b2b6a5d6d6fc707e12a195bdfd47f4cb90305b2a203d407a8b7eb8890e5f02e3445885af1ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\T5WU2FB0.cookie
MD5
ef41c791e8535840583adc091eb50648

SHA1
2b0773ed434046eb0149cafd28aa5b2132d6c9ac

SHA256
35ef697529f277ae6eb3ff80fae04ae96aede772bc94a61460bebc28f867e7eb

SHA512
041992cc389686c6deff60a4165d572e7e7f2eae0c20b05f97b00ced391b4de86e3f1582dabf9eb27eba32da070b4998901297b1653863f9f3058bf9bc93d8ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TQOXP2BF.cookie
MD5
53c0a0ad30cdc69c758e0f6e5c5827b0

SHA1
3f8abb6468ac1a3eb44d65697c9a7234ef184ef7

SHA256
bc3e67feec28f5e83399bfe12209959a00ec6f4e2dc5f6d5984124bd34ee39a1

SHA512
98a671f1bbcd5d52370418deb6fc7671c7022d87d935ede1cb135d66a9ccc68a93ae675f12f588cf1c9785cf6e1de7319cb0f375499707f844e187eea75c56e8

Download Submit
memory/3608-145-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-150-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-124-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-125-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-127-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-128-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-129-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-131-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-133-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-134-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-135-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-136-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-137-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-138-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-116-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-141-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-142-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-144-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-115-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-147-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-149-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-123-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-151-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-155-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-156-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-157-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-163-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-164-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-166-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-165-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-167-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-168-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-169-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-173-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-175-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-176-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-179-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-122-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-121-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-120-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-119-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-117-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/4596-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing