6d4ee1d401a2289b5bbb769d09100cd99231817b175b4a9bfeba233989d668a7

General

Target

centre-inffo_Doc#92543.htm
Size

421KB
MD5

d142022d40a23a709134db3612d76a8c
SHA1

b349854744c71606384e3f7ef10c2752a1357697
SHA256

6d4ee1d401a2289b5bbb769d09100cd99231817b175b4a9bfeba233989d668a7
SHA512

420afe03e257da714cdf1f582cf723dfacca60242f6374ca4b0d58c665f84272fb4e032e83bd4818cbf8e73e29f827931e844e503571edda2e0d5477f79ea473

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000ccf7db8e771e4eff42b51739308ab9b1c755494c07159f154963e03daa00a116000000000e8000000002000020000000f19025cc633b95c92e591901060078964dd72a5507d810765d363a426a8abffc20000000db8b658a7a0a51d1e02b9b352aaa750feb1421347a8a3c4dea8140acdfb13a45400000001623defdff5ca401a5e25414fa43bd5b04f42fc2a9ea8a5d65e00f2b84b66e88001f2908af47353ed67928f2bf52d462efb2dae5590d037b4d8bda44da6194c7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a79d7726c9d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341928035"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341896044"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000007aa86ae033b9b57db17a11a8d93fb5a46db181fbe3039503ba591421c278af42000000000e8000000002000020000000c52e915c9dcc6ef0b12a62fb400748b110c4972236801fa81b6c586b1b50d25b20000000b72ba67ba5bf663af84dee595dcfbb64e83c24352227b061e4e7638b5b64cb7140000000db50920d560d15fef3a71b9aaec73cbeda96a5fe9955675968e07396f1170341f2c8b5c6626c35927066394fec2371285e57b4151f239710cc90c8d3bb23a029	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48212C54-37C4-11EC-AF2E-DAC1D1864B58} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50f9ca7726c9d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341879450"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3744 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3744 iexplore.exe
3744 iexplore.exe
1028 IEXPLORE.EXE
1028 IEXPLORE.EXE

pid	process
3744	iexplore.exe

pid	process
3744	iexplore.exe
3744	iexplore.exe
1028	IEXPLORE.EXE
1028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3744 wrote to memory of 1028	3744	iexplore.exe	IEXPLORE.EXE
PID 3744 wrote to memory of 1028	3744	iexplore.exe	IEXPLORE.EXE
PID 3744 wrote to memory of 1028	3744	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\centre-inffo_Doc#92543.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\43RKSDHR.cookie
MD5
1ddccc12662d0929dce70f2a12af82fb

SHA1
58e17244de543f7c79ed5c4fc2de2c4e602bbb4a

SHA256
356842fd5994d1d8c9eee821831c97fb4f8018ed16a98e2d01163cc106f73bea

SHA512
7bb0824b6fdd728c9d582f0bd2713b672db1f51acc5838b6fb8b168dfd5a1887c2e9777c9d40f8cd2b4c5600231d662489ca16bbab436a116033212f5db26dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DGY1LAMU.cookie
MD5
a3993b6920f59315b9ce43778ce06503

SHA1
3b47264adb0c29b34d317587cae034a7d8e1f04f

SHA256
acfbc00ea7e7327d55a0035a66aa45adfaa7b00c26c7b8116501cff69463dfd8

SHA512
c7db25f689dc054781f80242961801112b871b1d6c8e657fcd8ea6e5adc9760d7e8e9a7fc4e133e8d5170f584b349b10e1a6e000def2d23565e77d085a07bba1

Download Submit
memory/1028-141-0x0000000000000000-mapping.dmp

Download
memory/3744-143-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-127-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-121-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-145-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-123-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-148-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-125-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-146-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-128-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-129-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-131-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-132-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-134-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-135-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-136-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-137-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-138-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-140-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-119-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-115-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-122-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-120-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-124-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-150-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-151-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-152-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-156-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-157-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-158-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-164-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-165-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-166-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-167-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-168-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-169-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-173-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-178-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-179-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-175-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-117-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download
memory/3744-116-0x00007FF956700000-0x00007FF95676B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing