hxxps://creditriseconsultants[.]com/hud-file/offaccess/

General

Target

https://creditriseconsultants.com/hud-file/offaccess/
Sample

211021-xdklraafc8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805e7a3e07c9d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341866037"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30918919"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000ec615d9669fa13ce8d60922fbb9617692654469fa71cee52c69e3df15c568e06000000000e80000000020000200000000e683196ca4ff21c0442d8a33543165187c65d17403a1d24f337762806d9223520000000694b458339bd69d0dec99dbe84ebd6a254cd3b659bceb764092b7b4dfb6d99db400000006060f5906834116a150feb4894394a0bcb7fbfa01a0df979907678f9b2e15b82d4c312c8870161a5c4a5118be0d25ec178233429fccefe7541aa60cfa584bded	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30918919"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30918919"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50008b3e07c9d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "994769864"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000dba64fa5d8d6c50937312cf88c81b9d755ec014c3fc2bef1225b2885fca7020e000000000e8000000002000020000000ea0a90ce91c54eb7d8d98c9b6b1b478ab31958eb88502e1a1c1fc5f79211192e20000000dd27989e10f643d9ec702c9dafda9c56a2958a43176e1dd42ccc622995ee418e400000000308e348d1148692dea33cdc726f28eaa896965741f68a8cdbe7f4607b2b69f5460948d128a5da64ac7f197051b194594595d6ea87f3f62cda8b75d4b6862743	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{661B3CBB-34FA-11EC-AF2E-FE4672F7746C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "994769864"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1009651158"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341914623"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341882631"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2784 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2784 iexplore.exe
2784 iexplore.exe
1332 IEXPLORE.EXE
1332 IEXPLORE.EXE
1332 IEXPLORE.EXE
1332 IEXPLORE.EXE

pid	process
2784	iexplore.exe

pid	process
2784	iexplore.exe
2784	iexplore.exe
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2784 wrote to memory of 1332	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 1332	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 1332	2784	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://creditriseconsultants.com/hud-file/offaccess/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
960badc027f372ad21ed00e41ab77db8

SHA1
19ce7920225b093cc1c3ac07e5b5367fd171d43c

SHA256
c20983f7b876c8f644a6830750803674471e0be7f787ee61c743256561d14323

SHA512
e5b46a5abfc795be457524fdd7bacfec9a4c6dbc931bbeb4ba0e7068a957a6bbbb268a5bdd07668201f6500d51d1a87cee39c06f0ba0885483822850676468a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
32aacae4fa3fcf5a7f22f07eaf57113f

SHA1
312038523ae33ccedaa956b99800841c9bc9b234

SHA256
8f9abfb15c88be78bb9349aeb5252acf5f92161d60bbee0c91f1c94fab1cad0f

SHA512
cc272133aa2d94d4f679fa5d2bd1a58e00b8ad058a80217d6d7028c207b6964f61a1b7aa7b50246ce0c51951d12885ea2badecee49db1db81c26c36546f03cb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
81c9325bbc6303b855b9f7cc99440984

SHA1
7497aafe594c4c347b58271107c6a6e2098d0c42

SHA256
85976ba577f74f91c46e89c3754ab9c73f0577e048ab457790b6c4280532f61e

SHA512
551687129a9f444c75fa3f92c8b6635ede85da7b6148cc1f3e424e58bbe05145afa1117a9ddfee9c65bb15321de07221772f00ca452545117e1b910dbcf2229e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\39H0KEC0.cookie
MD5
d581d74493acfda800773927ce1c32d4

SHA1
9b1e3b0210e86a734ce91239579197490c3dc0c2

SHA256
215c819ad3f0e42e38e705e6d407751e73468158b1b3e77ec8d230f0c059b730

SHA512
4ca3d85a729e79f7452760c92f276c523b57c93a3a991ad87d2430d447166a9fae54c3f85c49d8dc0ecb4e9cef8889c54748745c401539d6566de66bb0b73a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MPFINS2Y.cookie
MD5
6b4f9e2a05868794ad0e2c5a29a6cb5c

SHA1
81c3bb1cf5c70f68a38b4dcb8f3d1144dd4db9a6

SHA256
91ff49aa890943081c709807608582436679dde1e41ee870a1b8c9c521920cb0

SHA512
8f865e97079f2c4a62176625e43848512c27f78f359f0bdaa9db4a7ac22aad94c734991c8aa196fd441a1c58396564151a0f3b6bf7fb8e8aa5b8cd49f9c93473

Download Submit
memory/1332-140-0x0000000000000000-mapping.dmp

Download
memory/2784-138-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-145-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-120-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-121-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-122-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-123-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-124-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-125-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-127-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-128-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-129-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-131-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-132-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-133-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-135-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-136-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-137-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-117-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-141-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-142-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-144-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-119-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-147-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-149-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-150-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-151-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-155-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-156-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-157-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-163-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-164-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-165-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-166-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-167-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-168-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-169-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-170-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-116-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-115-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-171-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-175-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-176-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download
memory/2784-179-0x00007FFF13780000-0x00007FFF137EB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing