hxxps://app[.]salesforceiq[.]com/r?target=5db239bd4cedfd007a4815b0&t=AFwhZf3OqJI19TTAtGCBYeAJEKTUZE709bXusWk6jfnKrszgUqIzB7NWtIEB0ZEoYToEFcTgzp272Xm4LhD0jGBgV2WCVBaOhd5JxmfM8rwt4NzPdOFuAdqpaJv1aqqd3gRTnMEDHcCh&url=hxxps://penandanvil[.]com/test/redirect/43972051/Kp/lynette[.]seid@kp[.]org

General

Target

https://app.salesforceiq.com/r?target=5db239bd4cedfd007a4815b0&t=AFwhZf3OqJI19TTAtGCBYeAJEKTUZE709bXusWk6jfnKrszgUqIzB7NWtIEB0ZEoYToEFcTgzp272Xm4LhD0jGBgV2WCVBaOhd5JxmfM8rwt4NzPdOFuAdqpaJv1aqqd3gRTnMEDHcCh&url=https://penandanvil.com/test/redirect/43972051/Kp/lynette.seid@kp.org
Sample

211021-za862saga3

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341698647"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341730638"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000d15757cd8e5a99b823aa34d24f876f431c1bffaa8d2802f29411bda047b1944c000000000e8000000002000020000000c553ada336b07c293633c0224f0ca2e35c171012c550b88abb741991c27bff9e200000003681b3b1cc7f7a00dd95e3ac386be97b6b07c6f969aa3a79177da2b6976e87a84000000041a2adf802f9002fb0ed7fa0ccdfc083ea86557cff558c3a6f25dc4036cbb7513378d2a8ca3d9f31bed67b71851440d8798d7d1b1d6f88e3e259200fd42e48ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000b2d1357dd71a3dadb8072f392bd94efd6c9941b3be8f74f7cc25085d6e8a6f78000000000e8000000002000020000000f26792ac8dee2aeba0ca6f58ed5fa06babcc5cfd22888bca6b53efac4cb3de5d200000009e00fdeecfd26266db59393433e98d37769c3b440748b31a3ae6b405867de9ea40000000b38edda40b0bbc80e4f2973c132011cf896d00993a6e15993fd10474dd700e332336e174a754b711180308a424bc880a02110dfdeec20d006052ee498fe18ae7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007d10e05ac7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341682052"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{823E07F3-3509-11EC-AF2E-4AC12AF62747} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0011a5df5ac7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3248 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3248 iexplore.exe
3248 iexplore.exe
4244 IEXPLORE.EXE
4244 IEXPLORE.EXE

pid	process
3248	iexplore.exe

pid	process
3248	iexplore.exe
3248	iexplore.exe
4244	IEXPLORE.EXE
4244	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3248 wrote to memory of 4244	3248	iexplore.exe	IEXPLORE.EXE
PID 3248 wrote to memory of 4244	3248	iexplore.exe	IEXPLORE.EXE
PID 3248 wrote to memory of 4244	3248	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://app.salesforceiq.com/r?target=5db239bd4cedfd007a4815b0&t=AFwhZf3OqJI19TTAtGCBYeAJEKTUZE709bXusWk6jfnKrszgUqIzB7NWtIEB0ZEoYToEFcTgzp272Xm4LhD0jGBgV2WCVBaOhd5JxmfM8rwt4NzPdOFuAdqpaJv1aqqd3gRTnMEDHcCh&url=https://penandanvil.com/test/redirect/43972051/Kp/lynette.seid@kp.org
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3248 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\2BEAB5Z1.cookie
MD5
070d9ab6ea6dc798638e88a84f19245d

SHA1
c8c22bfe27d336fb781ab380f1c4df2dce242f99

SHA256
f48e8821573094ca7f250719d5c80343c87c642807ff6a5e269ed8e83adfb852

SHA512
a1d65b535cdc4a386a7c68d5767f34916b2b88b061267dcb56eae507c96be68ef621ac96ce8d40c9f1d718d3abd10dadbee5d3a4d298b7d04455cbf49fc2b8e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EUUVT0RG.cookie
MD5
0216eb247427a21d252b2783ffaeb0bc

SHA1
540a20835f8db63e65929bff48d7dea2cdc403d5

SHA256
ed6ba3cfed355cf61e09e717e553879dbf2c1baf9a5b0167e20738bc123bda90

SHA512
60a047d27d83c1e2d3772bd4855cb55692847ad0ac51b8305f3ec794abe362ae762fe5103fdc071da470e51b5cae0f73addba6feba4986c5199fd0674f5f82fd

Download Submit
memory/3248-142-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-121-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-120-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-144-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-122-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-123-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-124-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-125-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-127-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-128-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-129-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-131-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-133-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-134-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-135-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-145-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-137-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-138-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-116-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-141-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-117-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-119-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-136-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-147-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-149-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-150-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-151-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-155-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-156-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-157-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-163-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-164-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-165-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-166-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-167-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-168-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-169-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-173-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-175-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-178-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-179-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/3248-115-0x00007FFB85290000-0x00007FFB852FB000-memory.dmp

Filesize
428KB

Download
memory/4244-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing