hxxps://i-lom[.]no[.]datasenter[.]no/904984030/

General

Target

https://i-lom.no.datasenter.no/904984030/
Sample

211019-jrze6sgcej

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06eada9fbc4d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341469844"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a195a9fbc4d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341421258"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341437853"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000081bca127db8217632dac5972ddf442c72527424110973ec3a183c25e8eba3339000000000e80000000020000200000003a30532b6be4652b4c3e342c6e7f58a9472cce3512477453c2e4a5dfe2ca302c2000000045a04bbe920493217edff5c9e7a08294e30ee4b6a569ac5126cac500126177df400000001e4bf5875b2ab08da9af59130b78b64a57318dcf21bcfe3de2ddc61504fa6c50678d1a7873df729faf1a2d8accd3323f4d621281d755978f622c3ca08acc9ce4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000b909cc8c514f78b7fce865162b6b7a3945d54aa500bdc002de6deffa2a4f0d6a000000000e8000000002000020000000f3e29f0a1fac5c15cfbd4f7b94e9ec50aa937404515880137c7377ee5f09678d200000009ef0cb4e1afb9864390862667f00c999d28e0b57481f9c2f318426a8af46133d400000006a8e37988ce91e902cefa9cd6def0e5d6aaa1eb68c592d05eb17811ef32ffe0db83cee1efe32d26c62266a4c4fd7fcb54b69da8b6a2841522116ec3b2ab75103	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{613CF2EF-330D-11EC-AF2E-CA89ED8AE987} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2160 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2160 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2160 iexplore.exe
2160 iexplore.exe
1368 IEXPLORE.EXE
1368 IEXPLORE.EXE
1368 IEXPLORE.EXE
1368 IEXPLORE.EXE

pid	process
2160	iexplore.exe

pid	process
2160	iexplore.exe

pid	process
2160	iexplore.exe
2160	iexplore.exe
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2160 wrote to memory of 1368	2160	iexplore.exe	IEXPLORE.EXE
PID 2160 wrote to memory of 1368	2160	iexplore.exe	IEXPLORE.EXE
PID 2160 wrote to memory of 1368	2160	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://i-lom.no.datasenter.no/904984030/
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5B44AE2BE4E224410EB84FA55918B8A3
MD5
c9cc3c091aed4020f099bc701f5ab6d8

SHA1
9dcc511c67b1bdbd0f614708e6a13fd5fc9dbd2e

SHA256
e5b686b647fb3c5709d93d3a126636fef5420ab6901dc59df77dbf1794769b7f

SHA512
5e5099ee8e618582896328a92f0bdf4bbd0c1bf713fe601adc04dd973c01f954b9d40f695a558c95ddae3adc668cdd5594641814c19d9073f274bf4b9d3959b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
15228b2022a327afde85b83b14ae099d

SHA1
db57776148bc05e8fae7d626c745f1d9e840655a

SHA256
a899809c18b722b845e7b7549bb4d5d2f1340255ec3739248a4936314f0ac4b2

SHA512
08b6ace03fc3affb6d2a266dc44b9d3bda4ada2c2eb4b811cf705fdb4feed3224531a7b5b2a1aec292d865715fd3916ce25c92ae7b408ae78d3013f6b6c2279b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
a3f9184185274b8f2a3d2a48229ecdf0

SHA1
d896fe9f421eb0e3c79baff76836b39149f103c4

SHA256
ae452d6b7753d11922ac45a14d64447c4e47e10a27dc731e7d7280d0401d2662

SHA512
49f03f7a8c948b442e19d84867ec17f9703a89ea6cbeb4af3b902dc53fa6b75ce05343cdc6d1cbf7fa4d019d2e1f7f7c33c3339242b24a3d5d68765cfcebc163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5B44AE2BE4E224410EB84FA55918B8A3
MD5
6ad1cd0b802b1837eaeeb957e5c793c8

SHA1
413d13b276e0b874614fb506d2e8f51b005cc5be

SHA256
d2f18a9834c665b53c9b77eccdcf367466bdbdaa5e63b18e3add24bf0cc9e77a

SHA512
dd29894831a51f76664faa496a7516c6f1771381b3f6f1bc36f0bfbbdf74a62039b7a68f137ee6c3c7ab0b3beca0e480f3ecd82f41014f12b7019512af310ae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LFG4GWND.cookie
MD5
447a497a954661dbd222f954123bef5c

SHA1
a6c8a371800925ceedb90773d2813a39943b139a

SHA256
f879c6ce119b0131f48a065f58d8f0e6432efd21ad1a27913d68e4c93174ae5b

SHA512
833774f18030faa199cc6bce057bdba5fd939cb6e8ade58fb45f1a00eb94cbdc91064ca2bd76e9b93178400fc9dd336d88af9bf0b3c300380e0dfa4bd2dc7473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q6SZE3NQ.cookie
MD5
b3fa3c8dd33f0bd563d16199b43414a5

SHA1
93e82e42b1205136b0151e7c936ecf1882e13a76

SHA256
c062bba1bbbdff7eefb817dfb5abfe245bf4b746c58e9aa9d02bf1317641bbaf

SHA512
f6889dddfa32ea5d1e050b85b6f4ac88c456d4cd2ec200b6361d0f3ffc7d72b72ccea355510dc919220ffb428a75e46e3ec52b6dd84d3af23022d8e6d69f313c

Download Submit
memory/1368-140-0x0000000000000000-mapping.dmp

Download
memory/2160-142-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-149-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-122-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-123-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-124-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-125-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-127-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-128-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-129-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-131-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-132-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-134-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-135-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-136-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-137-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-138-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-141-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-120-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-144-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-145-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-147-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-121-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-150-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-151-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-155-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-156-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-157-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-163-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-164-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-165-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-166-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-167-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-168-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-169-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-170-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-171-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-119-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-117-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-116-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-115-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-172-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-174-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-177-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download
memory/2160-179-0x00007FF96B070000-0x00007FF96B0DB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing