hxxps://secureemail[.]umm[.]edu/b/b[.]e?r=aleat%40evolenthealth[.]com&n=Fc%2FQIc6vrsS%2Bf%2F4cZYUDEA%3D%3D

General

Target

https://secureemail.umm.edu/b/b.e?r=aleat%40evolenthealth.com&n=Fc%2FQIc6vrsS%2Bf%2F4cZYUDEA%3D%3D
Sample

211012-vw2xmscfdr

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000024b4058984df6bd547dcd891c7ea2133ce3304276ae05036be0859dc7bbeb64e000000000e8000000002000020000000e21c7e7147ac3e268f3ee6af5d5e2a9f0c4195a91c2c47835b409d16508057a9200000002666609ba86b379b6665324f1fba37f4a38c49c1fd1b8df3dd839b2443f246e34000000061cb93df6da5d6250fab45b4311ebcf9515857cad5145c53fce8c496be1bc2e3f409d75728c9c47c198043c4c4bbe8940b392df7eedff9a1c9eedb9a9851a191	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340840848"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b032a78dbfd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340824254"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340872840"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DC10055-2DDC-11EC-AF2E-F6E18B238CBC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0e7b1a68dbfd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000719be8efe0f1de842016337b4d684c08a7980f7347aa12ccdb3674ca962166cb000000000e8000000002000020000000e58f8be7b75fcf6c2082e8a931f9ef3dab3c2bed43253ede77889e2fc4ecf18620000000e9c92d51a4ca019c10c7f5d415f16dccd001fac39f9e502b503b383c63702625400000008f7d32168bf6ec15683ab6765d03a78d4ffd2fe68a30328a5509ff5a0b5b5cdd2ffd2721155b92c8a866c90b2fa317a9f763b4ac121610a8463d99b72571afad	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3572 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3572 iexplore.exe
3572 iexplore.exe
692 IEXPLORE.EXE
692 IEXPLORE.EXE
692 IEXPLORE.EXE
692 IEXPLORE.EXE

pid	process
3572	iexplore.exe

pid	process
3572	iexplore.exe
3572	iexplore.exe
692	IEXPLORE.EXE
692	IEXPLORE.EXE
692	IEXPLORE.EXE
692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3572 wrote to memory of 692	3572	iexplore.exe	IEXPLORE.EXE
PID 3572 wrote to memory of 692	3572	iexplore.exe	IEXPLORE.EXE
PID 3572 wrote to memory of 692	3572	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://secureemail.umm.edu/b/b.e?r=aleat%40evolenthealth.com&n=Fc%2FQIc6vrsS%2Bf%2F4cZYUDEA%3D%3D
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3572 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5054D3D7526395AFD1BB54714B2BD386_186F366F03B948E4A16D1AF841D19A7C
MD5
318b6b8cd7f4235f3af9b136d03320d2

SHA1
42e32c358dea5dbf10318c200054186992aa128f

SHA256
b1ace0c06c7770f6913c0133c09d87e2fa6b511dd8a517a67ee11e5b9f066f67

SHA512
dede6c6616cda265977dea484acb3b9dbdd29cb401d74462ae4bf63d448f8d8cffae4f83368b5292a1a2e7ef746376c7debc21422ac61312346b15d8662f091b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_36F39750452E59840DABDBAB8F8B2E8F
MD5
f3c88d21b4b978a4ffe6fb19ee968904

SHA1
3f4e5e7543d5015632e37ed388d6499c5adb13cf

SHA256
2f1992563118fc22faedf3427242e434a9d5c7126ad1720c1e89dfc0618bc0ea

SHA512
af2ec98a6e6572518fad1097768477ca7932b0fc1b0487bfd75ec7280e437660e37aa82ef064666f1606c300e9b659a54e144e748b5faa4132c85fe3b70e01af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9A2923BC865F3B679E3C71FB2AB7C8F_7DC37CFD3C23CAEEED5F14A81380DC43
MD5
2042bd76367cca62f9c0ded1a431acbd

SHA1
7409ab7d5676019177ccf54d4b545dfdb2d6d938

SHA256
d2ad8d9e9f653cafcc7fdebc24e2b8251076d05158c34755d62a05720be429fc

SHA512
229f54abab285320d237125eb571268fe0e483a6b366132c16a3bd03d7a5b6bf48378a50fb421e6a31b1af8d87811f20b3e5bd6e81ac6e4dbfde8d4d70a33de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5054D3D7526395AFD1BB54714B2BD386_186F366F03B948E4A16D1AF841D19A7C
MD5
b63a7d6bf6e0140fb1ec6e57edd58b7c

SHA1
00693339090ef09e93a327ddb7f90e2019b310d7

SHA256
7f547110761754300a3325c4ce75ca018d55a65b6808c73a810e100e5f4c8858

SHA512
8bcd761798447708c78dc9e71539edcba36a8c461ae5b317ffa23fef70cc17de1aaba3978c6087f09121897d7cc749b1257d4a3128bc9046f2d913720e3aa24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_36F39750452E59840DABDBAB8F8B2E8F
MD5
dd88a5fcaff9673355e320267f9a22fc

SHA1
d619b2e2ab10cfa2ebd86ee3dd6f5ca374b1bc74

SHA256
db0658972b8c7ab1da749fea9af10d6c7d73a8c0956774ddb259763b24aa0877

SHA512
3953ac8fd1c1adef039a865baeead1d9d95cad24fe0ecc10ac47c4b9eabe9be354a6285c6beaf6014d171a5d513325e867dd82777619e7aaced0d72358e2f246

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A9A2923BC865F3B679E3C71FB2AB7C8F_7DC37CFD3C23CAEEED5F14A81380DC43
MD5
1cd0d243b77517cb3b96e52c38ffe19e

SHA1
f410284ffb50c7f7fc91386a022e9c10d1285365

SHA256
455b062e81e160b1df33b78c3566aea3e86ec1ddfadb888587ac5c1f6357a9a7

SHA512
2ae55bb06629a95425dc0ccefb2c1a059ce2d728f3191116fd82c1a077c72c73d3d055f2cc873fe638459a4d9b0c7f198ce2d1fc58a56ed402dc6f1290c1a934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3CXRWP1E.cookie
MD5
5070e437382f01e4c5a1fa437c32179c

SHA1
8929ffac94a456af020180519c6e973bf801e099

SHA256
f8149799101cccf74c2c7fdea5a3ac20457492dac2062666d6bdd454bdf6b19c

SHA512
7a6450f9dfce0e50559f73dd66ef953ca08d12877cae8ba8be6ac72f0e36c99f9d5d7d09dbe153c31e6e29c8b95087b51617fa54db920cbce89112c8ed3c1c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ILLZ2IIH.cookie
MD5
40953b77d5a0ff3529e51ded4dd48774

SHA1
0b6ae7da599015fe53447268cfa5c60e64f422be

SHA256
2a55db5f6294c055ef686b5f142d9b5ca7abbd2ae2ea9db82f87e1e40691c2aa

SHA512
546432f2467b6bf54027d76c8ce761f22a9fe47179344fbb6e5c662bf903c2f49b53bc706b498b82dbd28452210724f47a632a32b9cfcb639c33d1bab21d5e83

Download Submit
memory/692-140-0x0000000000000000-mapping.dmp

Download
memory/3572-138-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-149-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-122-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-123-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-124-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-125-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-127-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-128-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-129-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-131-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-133-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-134-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-135-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-136-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-137-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-120-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-141-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-142-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-144-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-145-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-147-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-121-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-150-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-151-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-155-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-156-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-157-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-163-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-164-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-165-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-166-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-167-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-168-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-169-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-119-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-117-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-116-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-115-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-173-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-175-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-178-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download
memory/3572-179-0x00007FF9961A0000-0x00007FF99620B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing