hxxps://mktallinace[.]com/js/roll[.]php?email=email@email[.]com

General

Target

https://mktallinace.com/js/roll.php?email=email@email.com
Sample

211015-phjagsbfar

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b2d19d40c2d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341137615"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341121021"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000000061284146f5be819e20beeed779c49582e88d318324c469bb7a66c51c660807000000000e8000000002000020000000c722b5ae39f23b963f88301761b43c751fca7e0ea4476af501ce5b73701a19982000000067d2d8b8af8effdf26219c43c08a757c61ac6d09c05ef55aab0c446d000d0e9340000000710a1d8f814558dcabd8c12e263351953a2f1f315a4e3885400b975e0b865ac9ca8ab3ed06f0c8ecf8c5466fd481a7e621e26947b11a693b5a43869528c38d3f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40cbc59d40c2d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000092da3fc7d99bf45a02e230dc947dbbd59fec1a3cf00fe876e4e6f529eb128334000000000e80000000020000200000006c7057c1f2dec47d7a135227c51bbef52ae1adbd02adb80962257be06edc72fa20000000a2534b617ae1b5e3be080b1f5dcfa829ab2c0fe64bc688c169397b372addf514400000003dc2e057ee839e93d1b3775027c156cfa0034815e7d1064f8fcdd8a7d28fccc9375ad619e6b07dade5fbe7fcfe6b23fec0222ef35badcf324d54e4a1b924137e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341169607"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B797F49D-300D-11EC-AF2E-D6FD385E2EB3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2432 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2432 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2432 iexplore.exe
2432 iexplore.exe
1292 IEXPLORE.EXE
1292 IEXPLORE.EXE
1292 IEXPLORE.EXE
1292 IEXPLORE.EXE

pid	process
2432	iexplore.exe

pid	process
2432	iexplore.exe

pid	process
2432	iexplore.exe
2432	iexplore.exe
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2432 wrote to memory of 1292	2432	iexplore.exe	IEXPLORE.EXE
PID 2432 wrote to memory of 1292	2432	iexplore.exe	IEXPLORE.EXE
PID 2432 wrote to memory of 1292	2432	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mktallinace.com/js/roll.php?email=email@email.com
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6F8991E32ACFE66B0FA1E9DD853DC87
MD5
ee262af51aa0275fe07940334252fbcc

SHA1
031ec718863f01916c17557716bb371584b35bf2

SHA256
aa7a2c115595ccbeea0e7240c407f7de57394943a215a50155250533d72809fd

SHA512
30d03c826aa3fa9a1bf4d8e186e61db6a65942924a0d55f385ea7932a65ffc6fc555f50ff7d9dbb0f822725cfa1ff39331a86d94e2879904c1a1e6b289cd01aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
cdf7a6e56418846fd81bea0d8368f85b

SHA1
6dd8952d8a89f5713ea9fe1d2596d8f2790c0452

SHA256
5e56ee769b963fc6842d7f5eb684005001570ccb4116b2219d967573f52c7797

SHA512
1e0b8612b32bf8c62a30176d9fbed4aab6d2fd2c7a2c404e10bf185358bdd36fd754ed6878c3f9c310fb6301a1f16e429c78ae0b73bee3bcef6a83dc6308ef97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6F8991E32ACFE66B0FA1E9DD853DC87
MD5
5dae8ea9bc4132536a076e19e8106e75

SHA1
65eb9fe7886697ef1e018e020aae5b944492c245

SHA256
b9f09746b151fc011e71ef1c084d42a29274b17410fb442fecd4f91dbafc8af8

SHA512
7dca87df9d5fdefa4536e2dc0ff9d436effbd8f16a14da0ecc9a170bdf588bbcd545d3f399c153ed890b5bb6912092c8001bb44eb6ba941c20837fd87dbdeefa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\72IVK15R.cookie
MD5
39c01ce08aff719475f204d154c4bb53

SHA1
6cf69cc56aa6844bd964dcebea00d1d3119a0a59

SHA256
c74a1bc1b5315416155eea35787b4baeaa1aab1a0f87e6d10b4d0f0f0678bfdb

SHA512
373a384072f9e509cbb490b01615067e38edd7c0abebea8a999f7857fbbb8b27baa80020f57ed49478637559dcb64c7823f52d6239676dd849168e4b922253b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZI1EKCHA.cookie
MD5
0b16e7a9f9e8cc71037c53ecf0355a1b

SHA1
4ffedd44bf076e3a3c936008c62495aa9d9b6b11

SHA256
4824e2a6ad4e2fb4e2d7c7dc7d1a465fcc95f6ba0f03bafcc29c8e79876737e1

SHA512
a4a5352dfdfd1175078de7a7c5f5d8437f6cfbb9358df62f2bb86eca977d72f5ac1d025dc038f81986d974e35cc6afe5f6f87c6c0e5331f5060a6d822d00007d

Download Submit
memory/1292-140-0x0000000000000000-mapping.dmp

Download
memory/2432-138-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-145-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-120-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-121-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-122-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-123-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-124-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-125-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-127-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-128-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-129-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-131-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-132-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-133-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-135-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-136-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-137-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-117-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-141-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-142-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-144-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-119-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-147-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-149-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-150-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-154-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-155-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-156-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-157-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-163-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-164-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-165-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-166-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-167-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-168-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-169-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-170-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-116-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-115-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-171-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-175-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-178-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download
memory/2432-179-0x00007FF939B60000-0x00007FF939BCB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing