hxxps://leverifyquest[.]com/wp-includes/js/tinymce/wp/szltiqxhp1vvb30z4gbduzh8ro[.]php?0=dHJpYWxpbmZvLm1pc0BiYXllci5jb20=&[.]verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_

General

Target

https://leverifyquest.com/wp-includes/js/tinymce/wp/szltiqxhp1vvb30z4gbduzh8ro.php?0=dHJpYWxpbmZvLm1pc0BiYXllci5jb20=&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_
Sample

211025-q18hrsgca5

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0fd0f740ac9d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39F934F5-37F5-11EC-AF2E-722E034E2031} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341884010"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000089356b82a5e35db5c9098a50ead4fa7aa4bb0e9bfd1f477e31978ebc053165cf000000000e8000000002000020000000acf03a9d0e50e3193c8c3213bc498b300ea399aa1f263109127657cf3b63338d20000000c06d984712d7ac54b3c0f8c7bc7e8ef640b71e2e161de5f36412fe37b183305f400000005f8ec0de069e2d0e197ac7f8f481fb7714b2f4e6990f7cbfcf869506caae8343248ac30297d73f109f024fa7c0c1f9b7f95161dea22c609b85c58abc6a8101c2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f1dd730ac9d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341916002"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000051909eb0a1fea4142425d9e724ac125823cb406cf9adef36115790674f36f5e3000000000e800000000200002000000027bbdadcfcc4fea7b84c9f67b540d5f821e6820d32e4f0f2b207bdd8c268919b20000000ea2fc4b08cf35aee4e4ffe7ca6dea126cac8d99a98fc91afe055c6943f47ed35400000007d131eadb8b3beb0f6742e51a3c3ec3edb68155092b1cadd23510eca3ec58fd121219628139ec7170ca5748ef04094911ca8cbb206e2184841cfe3b4026f2120	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341867416"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3308 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3308 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3308 iexplore.exe
3308 iexplore.exe
1260 IEXPLORE.EXE
1260 IEXPLORE.EXE
1260 IEXPLORE.EXE
1260 IEXPLORE.EXE

pid	process
3308	iexplore.exe

pid	process
3308	iexplore.exe

pid	process
3308	iexplore.exe
3308	iexplore.exe
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3308 wrote to memory of 1260	3308	iexplore.exe	IEXPLORE.EXE
PID 3308 wrote to memory of 1260	3308	iexplore.exe	IEXPLORE.EXE
PID 3308 wrote to memory of 1260	3308	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://leverifyquest.com/wp-includes/js/tinymce/wp/szltiqxhp1vvb30z4gbduzh8ro.php?0=dHJpYWxpbmZvLm1pc0BiYXllci5jb20=&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3308

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3308 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IS65U7YQ.cookie
MD5
68dbfbb0db990221c2edca5ae503406f

SHA1
f6da2a9e8a4a93f6ab11d6ea3493327c58d285af

SHA256
f34f0a2c37ac11b9c9684c3306409c39a5cce2e5f2013738e6205e7a7580a10f

SHA512
338d34817443b8e077c1c22ad003938cf8446c36643937e4e0f3755e08aac1cadb5edc9b0b93c29712a3250af28a008f21915e7a59ce51b6f2980066ee0454b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\STNW3SMV.cookie
MD5
c282e83aac39e08f19e905c33015ea94

SHA1
68ab98538f5fa6a54d401579839b595e5f4142e9

SHA256
93dd6b8a0c6021aaefa75cbebf42294e443db512a91461e87158808c83f85d82

SHA512
d31c8f10a6c46e46f7a03b0175665ea4aaa579d3997582ad8cf4baf1bdbc06d0b0b65de2448631402efaf19bb0342c5184dafc6a8f59457ad84e828fecd30a7b

Download Submit
memory/1260-140-0x0000000000000000-mapping.dmp

Download
memory/3308-142-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-127-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-147-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-122-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-124-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-123-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-125-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-145-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-128-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-129-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-131-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-133-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-144-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-135-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-137-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-136-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-138-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-119-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-141-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-115-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-134-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-120-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-121-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-149-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-150-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-151-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-155-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-156-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-157-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-163-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-164-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-165-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-166-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-167-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-168-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-169-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-173-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-175-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-179-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-178-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-117-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download
memory/3308-116-0x00007FFCE66B0000-0x00007FFCE671B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing