hxxps://priceless-leakey[.]178-128-227-135[.]plesk[.]page/0002DU/hebb986imm33qd3tg8168l3i[.]php?97H8DK1634731591f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7&email=email@email[.]com

General

Target

https://priceless-leakey.178-128-227-135.plesk.page/0002DU/hebb986imm33qd3tg8168l3i.php?97H8DK1634731591f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7&email=email@email.com
Sample

211020-pc4n8shad4

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ecd8dd30c6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341554062"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000002e82c456238f55ec66b89d0de570b2275f1a7a2c64270222c1a089f9b981bea5000000000e80000000020000200000009320d321ba76ed4c635e82502ac27751dc540fdf435297ee38de079ccc8c5be3200000004224e56b921d8b728e2b13b9eed02132f0a2fc1ac18e8351a45f32724e48360640000000e7187eaaef198758248df72e280a9601204e18da030ce2bfc2e78454ff9740f6df5a5b80d5b0866aad094e14190877e024e7d52bc6f7c3f22ca2f060eb7a28bf	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000eb8d50e0697ea6bfbd63f7b123798d11f19489e86dea3bf7665237476400d2d7000000000e8000000002000020000000807b143c5a8db3fc04d4b2af1aeeb2c736e523b6fc74ea471e764664e08cc76020000000189e8d6c532061cb2927aecbfb2a0bc19a16b6cf83e823f3a1f29f752f25041d400000002ad8f7681994e1c5988fe0f55042f4fe0ad3f0a8d72a6a3331015fb39a7ef3e13494e2166647009cf83aa90ef2194ccc831a921136b6479b42dea7513d7e6787	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341570656"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c7b2dd30c6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6E921748-33FA-11EC-AF2E-D6720A704CE1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341602648"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2388 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2388 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2388 iexplore.exe
2388 iexplore.exe
1296 IEXPLORE.EXE
1296 IEXPLORE.EXE
1296 IEXPLORE.EXE
1296 IEXPLORE.EXE

pid	process
2388	iexplore.exe

pid	process
2388	iexplore.exe

pid	process
2388	iexplore.exe
2388	iexplore.exe
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2388 wrote to memory of 1296	2388	iexplore.exe	IEXPLORE.EXE
PID 2388 wrote to memory of 1296	2388	iexplore.exe	IEXPLORE.EXE
PID 2388 wrote to memory of 1296	2388	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://priceless-leakey.178-128-227-135.plesk.page/0002DU/hebb986imm33qd3tg8168l3i.php?97H8DK1634731591f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7f9c4bb4aa275b9054fee2a8d610fd0a7&email=email@email.com
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HC0FWNDP.cookie
MD5
151848429a6715fca26aa3f2a23cebcd

SHA1
690113046a1a83f5c6cf277a2f0109410e9f5837

SHA256
26cc13d5ab69d6cf8560332a5cca598457ad076ec8c8440c80ad457c738d4b13

SHA512
1791c4c5145bf4a46c8c48fad3053021e213fe1bb510439c437ed74eb9055f879725b4ed52258c5588d3adbf2ab20db9634cbc675d8b00e2af35d4fcc842bafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TR36IOPB.cookie
MD5
51ac112653b12ecde644a406e4d4fa39

SHA1
8890fb1ae73b08c4f3bb8518d8517fbab1f0e141

SHA256
e0cd2b5ba65d8a4cfe85927ee4698d6d7c8ae38946dc36a005da0eaf81961028

SHA512
85ca4c6e62f5c1d3e964852c275f9ba1061ed6828e3e7c9258bd76c4cf880725a8d36066b4b0ff1c82b391024b6c5b9bc617811bbcc51f05603e6344fb344428

Download Submit
memory/1296-140-0x0000000000000000-mapping.dmp

Download
memory/2388-142-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-127-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-147-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-123-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-122-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-125-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-124-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-145-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-128-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-129-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-131-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-132-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-144-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-135-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-136-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-137-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-138-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-119-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-141-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-115-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-134-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-120-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-121-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-149-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-150-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-151-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-155-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-156-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-157-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-163-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-164-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-165-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-166-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-167-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-168-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-169-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-173-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-175-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-178-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-179-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-117-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download
memory/2388-116-0x00007FFDFE3F0000-0x00007FFDFE45B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing