hxxp://falconer-marine[.]com/zh/web_manage/include/shipmod/savelanguage/index[.]php?fresh=1cyqrmep0563w&notice=fish&possible=yellow

General

Target

http://falconer-marine.com/zh/web_manage/include/shipmod/savelanguage/index.php?fresh=1cyqrmep0563w&notice=fish&possible=yellow
Sample

211022-smw9pabgf2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A8C1EBC-35B7-11EC-B8A2-42858A040E5E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a020980b96c7d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341707493"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb000000000200000000001066000000010000200000000d460eeb33bd3f75a217a0b7ed9b8c111c99cb39c56a46595a167178009c36c7000000000e8000000002000020000000daa38712c7130335d931ce341f9fb8f9aae736e36eb9b30143fe2f903c2817b12000000006adb3a541463d422376de23570a940ef0fa971f5f6d19383442ed28e7c74cee400000008b4081ad5d85ad14bfbe17fda2d43a57a9076df980b770b022831a3f9bc0d01a1c25ed6ce495f83ce7a8f0f6ec6e284a16fe823368b0cdc8d95e34bcbeb5354c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341756079"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341724088"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3488 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3488 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3488 iexplore.exe
3488 iexplore.exe
1136 IEXPLORE.EXE
1136 IEXPLORE.EXE
1136 IEXPLORE.EXE
1136 IEXPLORE.EXE

pid	process
3488	iexplore.exe

pid	process
3488	iexplore.exe

pid	process
3488	iexplore.exe
3488	iexplore.exe
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3488 wrote to memory of 1136	3488	iexplore.exe	IEXPLORE.EXE
PID 3488 wrote to memory of 1136	3488	iexplore.exe	IEXPLORE.EXE
PID 3488 wrote to memory of 1136	3488	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://falconer-marine.com/zh/web_manage/include/shipmod/savelanguage/index.php?fresh=1cyqrmep0563w&notice=fish&possible=yellow
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3488 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KV0SWY1Z.cookie
MD5
edcd3ecd512c80d2a8db766c56bbccb3

SHA1
36a588d1d7bed20f8e139b56a23a98766c36e30f

SHA256
b8f57fc29e1331402d850b56ef8a33df7b39a38a5687cfdc98f36cfd59fc96cd

SHA512
37ecc0b3b13d7a5e6a6ab258565c21666f75095d9037631c4873f5ecad8fbf3bcd0c2ca56cfa02eb4c41612b62ffbbdaeea9fcc293b5fa35a316ec6064c124da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P2R7WPW8.cookie
MD5
01eb2877582824a0d8c499c31e91dc45

SHA1
7e39c39b35f4f1be99e31c9c090de0d4fe25e37d

SHA256
0619c122a83dfd6867421d6ba161146246c39441ff63acc7c9b7f4be74c66e7d

SHA512
c105f94986925e2d6f78f1677104462ab58cd149604ce21140ea881b4c92113fada07909d5e4b20a0e4bbe2fbba2df2cdf744279bec6577e192602db04bbb32a

Download Submit
memory/1136-142-0x0000000000000000-mapping.dmp

Download
memory/3488-144-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-124-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-123-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-147-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-125-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-126-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-127-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-129-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-130-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-131-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-133-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-134-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-135-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-137-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-138-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-149-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-140-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-121-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-143-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-117-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-119-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-122-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-139-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-151-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-152-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-153-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-157-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-158-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-159-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-165-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-166-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-167-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-168-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-169-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-170-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-171-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-175-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-176-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-179-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-180-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-181-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-146-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download
memory/3488-118-0x00007FFE734B0000-0x00007FFE7351B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing