hxxps://inbox[.]read2me[.]repl[.]co/vi-8pt-0dr-9abu-8phman-w8met-9a-8p-0dm

General

Target

https://inbox.read2me.repl.co/vi-8pt-0dr-9abu-8phman-w8met-9a-8p-0dm
Sample

211025-nv6qwaghhl

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b006b9a795c9d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000faea060f06d097cc219892ac1af0b086face8f063e2982342dac48ee6e7dffec000000000e8000000002000020000000d624667b8111aa3d07a8eb303fbe810417e2ff364a5504cd2b55f98aaf259ad220000000da57088c6e223bd8ba02bd9bf7334834d83b5659f5302ac17b77ebdb2cbd4b3b40000000e6411846fc362a9bcda8e9ee3a68729f8964f700953f6b4dbbae14d8928dc3f4c74b907825801d5dee9ef882978a93fd04996a9499c97005d02a31a97bbc6a3a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60896E1A-37E4-11EC-AF2E-6A11DFB39146} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09ecfc495c9d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000a81eb125e98751fdc2923c6347b62be77e9150f4a40b9e10ee0852e0d0adeed3000000000e800000000200002000000039c1a60b08a886ab4d1ef250d8f17076a575f5d55e6486532ba17b7056f63a16c0000000240b22d369735f36cac457a537560056c040fa3fc0a4af2e88cec6dd32a1bbf0f3a04d7953785d9a1402f45bcccb6f403eeef6e6b7f0ae62b5a56afbd88b63602e11819f9f37ca7ad7f752056f2ad5787a926cc696907fc08cc81971dc24ac93cd7dcd6a90f25599823aa736c33285518a62ca2c14a73e130f5d5be2614957c679bef0ef382d2073789e031002f4b51f30af75c68573fc926b5880bbf567be3af9a83f85cc90f436b16ee5c8ef007b9befce777781103eace60a63cf74d1a6aa4000000012281937da5bb82b0fe30c2ad66ddc31c9a55e3fea5b470c272d053256da45de2571311712db121ab1eaf4b351f9615e274f00d515daaa8b6ffbfbf0a9680758	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000006a6268801878b17326cac37b29fe1841db5816f8e26d18993af86e2208d8b5fd000000000e8000000002000020000000908dd24b5ed65a17e460af55fc46a65fab87f1a8110fa7cbf5e1317037ff1d33200000005cd4b8524bdba4ee4591e480505e646689988dd9f215bdada26a18b6383dff1f40000000829579597935dcea92776a61d44877e314f5c97522734d70f699c428a468ee7a083dc56eadf380bd6595d4bcd00f0ba1174ec4831fccd275f6ea83b17a435732	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341927233"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341975819"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341943827"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3712 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3712 iexplore.exe
3712 iexplore.exe
920 IEXPLORE.EXE
920 IEXPLORE.EXE
920 IEXPLORE.EXE
920 IEXPLORE.EXE
920 IEXPLORE.EXE
920 IEXPLORE.EXE

pid	process
3712	iexplore.exe

pid	process
3712	iexplore.exe
3712	iexplore.exe
920	IEXPLORE.EXE
920	IEXPLORE.EXE
920	IEXPLORE.EXE
920	IEXPLORE.EXE
920	IEXPLORE.EXE
920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3712 wrote to memory of 920	3712	iexplore.exe	IEXPLORE.EXE
PID 3712 wrote to memory of 920	3712	iexplore.exe	IEXPLORE.EXE
PID 3712 wrote to memory of 920	3712	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://inbox.read2me.repl.co/vi-8pt-0dr-9abu-8phman-w8met-9a-8p-0dm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
b9db26f59f20c6f2de18f281c72b0be8

SHA1
d3b1e3736293bded5169bf42e3954a8c5eaeabb3

SHA256
2c4aaaf6fa47850216764e544aaa045c84ac036fb24af5a5cf3d6c8d52024631

SHA512
0bc4295b3168a7f4a39d49c84410a5c762b1b4f2634096e835dab161273d5f3699f8483ed3ae7038032e1bc273898f294ddd3233d1ee4ab3ef6be40d63af24f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
dd805174b8c130e5764ab5b639fec73f

SHA1
7ae59ee3b498149a6c30fcc72351acb32d0ebad8

SHA256
aade66e468127083084c9fb32bc41e57c89ffc77fc5362180d538d6881f597af

SHA512
6d99eb67184a8468df6e4ebcb98fc48ab0eefd98da9dc0957d69c9ce68be06fd88aac84137a51384816d967ca4a68b9c4d21835f62ae7c06629adb5259bc9832

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
MD5
26abb15434e1afdbe71fe674f4b1a075

SHA1
71240f6015425f28a0c697c90fa51dd6ffbbcd2b

SHA256
029f038e4ed9b7ccc5a5ec10897d0c01de710579269f4241d91655ba6b9c887c

SHA512
b1089d618cb67469d6e5790fbc254ba1c0afa5ca43456fd38803e2ead1bb954b6f05893a2cc7ba2370ef9c5073ef162aef52d2a75178485971a6eb853231d935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
MD5
a34386029d710da6b81840c33996d4aa

SHA1
04039151f38d50058382eee14f86da351af28917

SHA256
5961f9718b45b0f5f270b8da03ac83c6194b109bfe267952999318d5a11d4e7b

SHA512
5752e468c03a84829d7bb760c3df350aa12ffe414f5ca2f5a222ab1e2f71e709f8e9338969060a47441b65b55424da649e811197a85d49f7936b6fc706d54c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\33TKQF0T.cookie
MD5
3078876bf2e73157036188a5aaa3b2bb

SHA1
5a3f48bc77a7032ea0998120009eadd385608d00

SHA256
7f96fbf8fa213861c29f140920efcd9e73524d9d273ca9370716ba26c2ff7b85

SHA512
af49d6a53abc7d99d338ffbe5e782a1ccbc7df9d8adfecc767f04a8636d3d3f09c343da776e2439c40ae4c96b95f060291dc21347a17f979aa8368adb9e11101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IMC2HG31.cookie
MD5
75303993d3324533fab143a46092a658

SHA1
4ebd52db2d86b338918f65cd4f716cded76cf69a

SHA256
1875ad27bf99d505539f0e5068ccb43b08aa59847b22e665ecd2715e008b2752

SHA512
a6a40ea463d62aefef1bafbfc1cb2510dad66c0bd5d688598ed6f8b16c111b4af1ca05f295bfafb7827a6b1266df90ebb77e8c85d199908c2f05a188d314c0b2

Download Submit
memory/920-140-0x0000000000000000-mapping.dmp

Download
memory/3712-138-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-145-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-120-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-121-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-122-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-123-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-124-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-125-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-127-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-128-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-129-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-131-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-133-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-135-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-134-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-136-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-137-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-117-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-141-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-142-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-144-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-119-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-147-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-149-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-150-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-151-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-155-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-156-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-157-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-163-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-164-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-165-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-166-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-167-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-168-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-169-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-170-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-116-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-115-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-174-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-175-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-178-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download
memory/3712-179-0x00007FFD543A0000-0x00007FFD5440B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing