hxxp://t[.]rimanggis[.]com/activities_web/track/click?msgid=f87f21e4-e899-44fa-9035-51c40b94b15a&linkid=616e6506c16f4b690f1baa86

General

Target

http://t.rimanggis.com/activities_web/track/click?msgid=f87f21e4-e899-44fa-9035-51c40b94b15a&linkid=616e6506c16f4b690f1baa86
Sample

211019-hblnpsgcak

Score

5^/10

google phishing

Malware Config

Signatures

Detected potential entity reuse from brand google.
phishing google

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "32"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05B75CC8-3302-11EC-AF2E-CA89ED8AE987} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2160 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2160 iexplore.exe
2160 iexplore.exe
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE

pid	process
2160	iexplore.exe

pid	process
2160	iexplore.exe
2160	iexplore.exe
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2160 wrote to memory of 1104	2160	iexplore.exe	IEXPLORE.EXE
PID 2160 wrote to memory of 1104	2160	iexplore.exe	IEXPLORE.EXE
PID 2160 wrote to memory of 1104	2160	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://t.rimanggis.com/activities_web/track/click?msgid=f87f21e4-e899-44fa-9035-51c40b94b15a&linkid=616e6506c16f4b690f1baa86
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
696f583f07dba993761882b3f0f70820

SHA1
fe4c5a70a5034f7c8f1029fab0432bff17441fe0

SHA256
0f8d79db111a414cfcbf1648123bb068f686ee4b4708c3fb10563c58ad03cb5c

SHA512
e1629f21dab405915b17e662ab90f06422b2a6d50fac924232ae73ff5378a4dafb1cc0794b7ba88606bf3fb143d174c8047c8b9018f4be8087bcfce061283d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8A6A7E24EA4C3355B6BE43AA2093BF34
MD5
4a30fce5785d78a36ad9e2c4b929583e

SHA1
ebdf2c9af82ed0ebb2cab791ed4ff0dc6ac8a55a

SHA256
cc375f69f617ddd5142c80a28d0e50c348aa6116b7d8bd82fa1ee8b47fd141d2

SHA512
42d9a22f8e209f2e7f0162a7dcebd078699fac83170a992227c652ddc074b5780bbf91bb7e422bdfa23f36e10e7681657a4fa16df465124cc9beab4f8e6277b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
64e9b8bb98e2303717538ce259bec57d

SHA1
2b07bf8e0d831da42760c54feff484635009c172

SHA256
76bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331

SHA512
8980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
9cea686a0a1bc972c19ea8140e783cac

SHA1
627f8cb31d9ee47f88f999c382d95d440d51b7b1

SHA256
dc82ec108e56a9be5815364ef3526409cdf33f15c4f6b1407886ef8e9451a3df

SHA512
e121057eb1eac6091afb798b7eee9029291ffdea5dd9b9001a345ed7dc6db4e256b3b52d11ee2462b34e82a3e009dfd17bdad39a03aead1d00caaf5218e7326f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8A6A7E24EA4C3355B6BE43AA2093BF34
MD5
3c74c05e356374dbd1d3ad03d36316cf

SHA1
e8dc6a5b8cb2bd0978a7ece7d4266bbe6a3f65cc

SHA256
ee3385ed284434330529c25ecf02de8ee46d738abb4bc1e18a0576da26fd7ada

SHA512
eb225610f4b7e3b01f87c57470a0924e9a4ec7e507238dc4e17ccb17cd4ffcee0f9d6a348eac889b6d81f4cc45f9505fb4540861bded266270642a55b1ae9a31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
809f7d04a7c16398ecaa9f79ca0b8873

SHA1
d39dcfe754fbbe28f6e20308a65c02eab0bc0168

SHA256
9780ce76f2f40ddd598af5598b3bc439b5dc531e6fff719b95b3bcd80f93ce9b

SHA512
afd59e4fc9e7d0d3a0149b0b85bab237db572cb06c5fb519452f7e6efa77042152e7c822a4e5914b3c23f9900603731148685579f82b411359c81f05a48619d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YVRB0KTJ.cookie
MD5
35a4f1aad01d08eb674b5767c7093052

SHA1
61b974318149bcfeb11d8a7acffd977c053a7418

SHA256
87a7523069423bef0c80c4ed5441160ca41d2eebfa4e2e57433e7cd22aae6bab

SHA512
5feaf9ce918e44016f3cae575b33861c2d1dc27b20de5945f739b5e5779af03a23ecc72f2e010c41c48c43c17a2ce2bfb68e270c3b36e07ed4b56447fd0e36b0

Download Submit
memory/1104-140-0x0000000000000000-mapping.dmp

Download
memory/2160-138-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-147-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-121-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-122-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-123-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-124-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-125-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-127-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-128-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-129-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-131-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-132-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-133-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-135-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-136-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-137-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-119-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-141-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-142-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-144-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-145-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-120-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-150-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-149-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-151-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-155-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-156-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-157-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-163-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-164-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-165-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-166-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-167-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-168-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-169-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-173-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-117-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-116-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-115-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-176-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-180-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-179-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download

Resubmissions

Analysis

Sharing