hxxps://paper[.]dropbox[.]com/doc/Story-Treatment-ON2IT-2aGGFUZzX0GHvMiuV4K0I?bmnt=AADErlGZkGfC2WCtF8u6Ri9uiFMr6w3-vTc&eid=5d8FqrrRlwpGC7OMCbQ8ef4MOjLHfWMKvZAUYnP1zZXIj3Ax5fEtL&email=anon@anon[.]net

General

Target

https://paper.dropbox.com/doc/Story-Treatment-ON2IT-2aGGFUZzX0GHvMiuV4K0I?bmnt=AADErlGZkGfC2WCtF8u6Ri9uiFMr6w3-vTc&eid=5d8FqrrRlwpGC7OMCbQ8ef4MOjLHfWMKvZAUYnP1zZXIj3Ax5fEtL&email=anon@anon.net
Sample

211022-kr3y2abdd3

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000001e03e1e7c1068bd290db9a5ceb6a881755e4f833d6e960f6b98c93729f90647000000000e80000000020000200000004332428be53c43d19023e2c6b1020fd82af529eb45a1317753797b5a1f4892f4200000002015e2198bd3f898b95a1b7021c954c8d168d721ceeeb184bb07734a0e06ea45400000005e81dee2b0a1e09c402cb0c546add70541d0fa32e38a47258d03222feaecc775cc114b46b776930e0de5c8f936fa6e86876ab223f477dae1cbe2ae451f38b2b0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341648583"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341680575"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B7E66706-3570-11EC-AF2E-F228A97E8A33} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a7054ee6c6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000f981b791357522fb30379f70231a57c333753016e3380c19810067e1bfb813f7000000000e800000000200002000000070c89886489405f0caeecae069917488566324bf80f5e851ba798f41318e9dd520000000f0ce215964fb22951be9552f99d82ddebf1babc0422eb2269b2b3ee12508768d40000000de9935aa2094ab59c22feece192609fe180b72ca827119554709c0fe6136848d814f15ec5720700daab708ecf8800982953e9936dbae1121f7b906a4e881737f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b03d2e4ee6c6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341631989"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3540 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3540 iexplore.exe
3540 iexplore.exe
1940 IEXPLORE.EXE
1940 IEXPLORE.EXE
1940 IEXPLORE.EXE
1940 IEXPLORE.EXE

pid	process
3540	iexplore.exe

pid	process
3540	iexplore.exe
3540	iexplore.exe
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3540 wrote to memory of 1940	3540	iexplore.exe	IEXPLORE.EXE
PID 3540 wrote to memory of 1940	3540	iexplore.exe	IEXPLORE.EXE
PID 3540 wrote to memory of 1940	3540	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://paper.dropbox.com/doc/Story-Treatment-ON2IT-2aGGFUZzX0GHvMiuV4K0I?bmnt=AADErlGZkGfC2WCtF8u6Ri9uiFMr6w3-vTc&eid=5d8FqrrRlwpGC7OMCbQ8ef4MOjLHfWMKvZAUYnP1zZXIj3Ax5fEtL&email=anon@anon.net
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3540 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_0F411E33126A030959D41CA717C3DDB8
MD5
734c4ff5db3c1c2c1abc9bb7ca208b33

SHA1
00ad78d855b28346993e6c315fd6c5b77a0b6130

SHA256
93a8d9c8e5580b455b66a698a2204491f697b6ebdafcae065148c3a5a7659246

SHA512
f0f7f81e3da7e1185f949d56ce932460b2228d2ae59c1e8f41f3bbabf2e7ecad6cef9ab41968c705a12fcdde4441308083dd682c05ede50bc6a243891725e93c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
2061e914c6b0e1d8644f37435b71f0c1

SHA1
9f40f5aee745c9f65c7a4c5e3502aeb5fd66e8b3

SHA256
81cc274184d3342aabfa39fdb0a2725e31914e1b5d11d194c066e919a35413d3

SHA512
a97e8abf4fdf660e2599e7724555d6c584440d7d86c18e5e56d46295e9f093523aaaf1c4ac931a57ef8ac8dc40a6a0e3f491385cf81f5d84af48aba6d77894ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_0F411E33126A030959D41CA717C3DDB8
MD5
aa70b0fdd116521077f2adac972af10f

SHA1
4c3cf379a19a0121a3d6b0db04aad746e28b7a4e

SHA256
ac6e62b5e65ee43c143e27dcff770e39cfd083cf686cb692eb723696da47d551

SHA512
0161399ec1e03e470f82795bfa218457a543355a330bba42294d135bb1cf8cfa7943704df1adf73c75e944561868e429dc36c6051d58dcc1be1c17536824d23e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
43297a5a0017a4482aa23b285e7f6d4b

SHA1
e06a04d55516637abdfaef787fb0bc0dfd1ee74b

SHA256
3e30188c0683ef06773b9a77b7d4ab782ad22ac84e9de1b0b3b9f8f9d19457f0

SHA512
d620c763853d5a047279bdf2c8cf809cb8b86cd3d8fe883c53f3a592ecca78968e852c231dfd6d179f3dd9ac6188224634737fbaed9b6aeb679becf3654129c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0CVU81CM.cookie
MD5
af8e1e71b2b14c003d102f04c4badaae

SHA1
5f40aeb4d0eb0c2bbb77769411cbefd90a0f2589

SHA256
a6eb52a56d13a4643b725976ccff4d7406ed9a90f7bc7eebcc61dbbcc7b44f9a

SHA512
41331b7afc112d90766dcfb462e636026be4247412c0600821d93040b91b74672c6efd226c033bc97a3b199f4f9a4f6055d0ed05f82afb9b3f2dc9d324e6955f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XVG4J9V1.cookie
MD5
e87a7dec42102d7f9c36cc37c867d806

SHA1
7975f274aa26357617ba594238a7be432b4fc320

SHA256
0e5d7d854addcf49337c5a3f1cb319ced2cd5bb37465a47efc15522ff1ff2429

SHA512
950bc2e75397424a46ceb0ee57a6b3163c1b19bdd77ff687a38b77cd105bc5e3a5de60f1dc6a051f25258053ae42f85fb3e579d02107c288e5d2e8e6d6422400

Download Submit
memory/1940-140-0x0000000000000000-mapping.dmp

Download
memory/3540-145-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-151-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-125-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-127-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-128-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-129-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-131-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-132-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-134-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-135-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-136-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-137-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-138-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-123-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-141-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-142-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-144-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-115-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-147-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-149-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-150-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-124-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-155-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-156-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-157-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-163-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-164-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-165-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-166-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-167-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-168-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-169-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-173-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-175-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-179-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-178-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-122-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-121-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-120-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-119-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-117-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download
memory/3540-116-0x00007FFDCBFD0000-0x00007FFDCC03B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing