hxxps://2xelon[.]com/eth/

General

Target

https://2xelon.com/eth/
Sample

211015-r1p7vsbag7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000002ae3c40968734bba24bba61ccacbb319e2c6bdf1beea8ce0e24ea39a2b9093e6000000000e800000000200002000000019ccdee5f1ff701d2327ee23122f7641c4fca8733d70f41b335783886912faeb2000000009ff97e71c682c50d1db3f3f671788a07c1868ca2ed7bfbc6302c7decec13b84400000001233db2e3913d5d6fb7507f6eb929f4c5962eb726bc4ee04d26799cea73dd7521b4627f406335ebd2be795fe92a74b0dfbb84320d451438fe6146e6965120433	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341065466"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341082061"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000071526f496d6ffe581cc32562bcc7d0974d7412dda46b6c7abdeb977444b02486000000000e8000000002000020000000b2eaf17a8e017441e30001155bbaa7cf7fd3e32a9bb22e9e834291b5876ed0e8200000000d65316ed5d9216e14722ffafcb57daca684a5f321601a420868baac4b4a74604000000051b70f8884fb122ec1d8bac2a5161545f92f5fdc8b766d0f95c338f92d3d73790f5fd3237458225a2945a39527d2bd30eae8463af43c9da9cf88b5b3dc8ad53c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341114052"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f1d145bfc1d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3075e745bfc1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A20FD52-3021-11EC-AF2E-DAB78683E0E4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3608 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3608 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3608 iexplore.exe
3608 iexplore.exe
4624 IEXPLORE.EXE
4624 IEXPLORE.EXE
4624 IEXPLORE.EXE
4624 IEXPLORE.EXE

pid	process
3608	iexplore.exe

pid	process
3608	iexplore.exe

pid	process
3608	iexplore.exe
3608	iexplore.exe
4624	IEXPLORE.EXE
4624	IEXPLORE.EXE
4624	IEXPLORE.EXE
4624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3608 wrote to memory of 4624	3608	iexplore.exe	IEXPLORE.EXE
PID 3608 wrote to memory of 4624	3608	iexplore.exe	IEXPLORE.EXE
PID 3608 wrote to memory of 4624	3608	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://2xelon.com/eth/
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\GVYJIS63.cookie
MD5
80db4dca30c4a305d3ac339cdf593c33

SHA1
0a6a0c545e4d3e66756808b43593f2f6568656f3

SHA256
8f61e76febcb0ce1980591a3e238347543a4a01f93bc68246e10df73993594ae

SHA512
3b12e4596fb47f2749b2305e3953f90fc6dbd0967838c6719608bb062e8c2a6131eee1d66849d70fe9a00594a5844b67b75b9016b29b4368c805b599b15908c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MNCEIJAX.cookie
MD5
7376e5630652218cf83be098ddfc2f74

SHA1
29e490bb4ce12d57588dc3b8ee14b37c510c9d40

SHA256
5e41a15831b684d3c099e23ff0e0d03d51aa4e63285e9804bd34d901e543de87

SHA512
15ce7d4176440bd096b476e3ffaec279600ffd1db2361aa68cee282044f004de294b7767110df570c83319ebdb97f8a3185cbaf1c657f8d8fa5b6f583e50a82f

Download Submit
memory/3608-142-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-121-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-120-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-144-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-122-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-123-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-124-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-125-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-127-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-128-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-129-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-131-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-133-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-134-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-135-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-145-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-137-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-138-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-116-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-141-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-117-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-119-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-136-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-147-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-149-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-150-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-151-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-155-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-156-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-157-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-163-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-164-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-165-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-166-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-167-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-168-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-169-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-173-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-175-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-178-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-179-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/3608-115-0x00007FFC08570000-0x00007FFC085DB000-memory.dmp

Filesize
428KB

Download
memory/4624-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing