hxxps://secureemail[.]umm[.]edu/b/b[.]e?r=aleat%40evolenthealth[.]com&n=Fc%2FQIc6vrsS%2Bf%2F4cZYUDEA%3D%3D

General

Target

https://secureemail.umm.edu/b/b.e?r=aleat%40evolenthealth.com&n=Fc%2FQIc6vrsS%2Bf%2F4cZYUDEA%3D%3D
Sample

211025-wjtk6shdbn

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c02755e2c9c9d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000001f34205eb422522ee52be2a89dc108beb9d3e0c9ef2299521dd025596058e77c000000000e80000000020000200000006e1f5bc2cb8705df167fb93d5d43a01813a36676985336f31b4be4be25742f412000000078440b24a53925abbb0cf30c2a4f5612c712d61ab4dadf431be0d7e3eb87b4f540000000c9b53a1e2d65f1cec828bb23ba82c47cf8373d1059501a507f135c88b56589d0f7ec04d6bf7d82e2b02758f2684276c58de038f1311b1c60dcacbde2106ab114	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341966230"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000418257ec1459989fe2bfd53a24d440a50fcfe55952448b841171cb7c8e84ed24000000000e8000000002000020000000c7c43e5c6dc56408a3190f0a48a3bfa1729f806ebeb3a0fadd3843b021c3b4bc2000000024605685f7cec497390db3d1441a306988b766135a3b8dd16783fb8942773fe640000000ee1c1a32242ce1529ced7d19a2d59bfc3d13a99a608c8018fff8381a873a6460c0b77649444b3ddd425e5e7ea4731bf034c2a8b3a365d32fccce8bce542b7203	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341998221"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341949635"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{89399DD5-3818-11EC-AF2E-C21CE4F78BE2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d771e2c9c9d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4092 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4092 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4092 iexplore.exe
4092 iexplore.exe
1180 IEXPLORE.EXE
1180 IEXPLORE.EXE
1180 IEXPLORE.EXE
1180 IEXPLORE.EXE

pid	process
4092	iexplore.exe

pid	process
4092	iexplore.exe

pid	process
4092	iexplore.exe
4092	iexplore.exe
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4092 wrote to memory of 1180	4092	iexplore.exe	IEXPLORE.EXE
PID 4092 wrote to memory of 1180	4092	iexplore.exe	IEXPLORE.EXE
PID 4092 wrote to memory of 1180	4092	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://secureemail.umm.edu/b/b.e?r=aleat%40evolenthealth.com&n=Fc%2FQIc6vrsS%2Bf%2F4cZYUDEA%3D%3D
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5054D3D7526395AFD1BB54714B2BD386_4143E5AE9BB82AEC3127C79FFCD73452
MD5
c0dce03a93a8b2b40d6708010e08a837

SHA1
a3a83f407db72c39f48c684065fc19689a6d1cfb

SHA256
29d54b5b13e684e87e9e110dcd31e9b8b543d3b6ae4e80fb273cb5f0f2c15c8b

SHA512
2f51ad68ea4119714f2b0bb7f8da032a99dc78ce6937667c88f01b4e89c7cda0bc24178b348cca87f8eab70a7825cb9b22bdb75f3770f0ee28c53a5493bb5ca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_36F39750452E59840DABDBAB8F8B2E8F
MD5
e870a007bc7d455f3741b840f99aef26

SHA1
acb2d0e2dc3098e646487fb92d4c3d3c01686e6f

SHA256
f2bbcdf223297dfe556169fd186f452f2686c9a067c6f58c53e445e833951f7a

SHA512
4fce9dd153b0860ed0ecc05c8aa007ec1353f85cbd101be65c7baecc55d63b83c01fa9a99c82246e2e4765c9653d0df55920845db8d17d84f1aa565e58bfaaf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9A2923BC865F3B679E3C71FB2AB7C8F_7DC37CFD3C23CAEEED5F14A81380DC43
MD5
f288bca0d59f88b3537c33313d7bb200

SHA1
8fc71dcb61f2a3ecb13feae91549d06112f8c7a4

SHA256
3b2714ecdc00cc5ced9f2469bd8b7b3d9de56fbadd9e79febccd7fb85029f0e6

SHA512
49756ef7067d113aa911535d51eaf02e6e127e01b7df382680516cdac43871a1dde68dd25d8baba9a0809d010ed3c48074f2ad315b5989033042066e44527319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5054D3D7526395AFD1BB54714B2BD386_4143E5AE9BB82AEC3127C79FFCD73452
MD5
ee5a44135c8f4f510fc4af8efa5a0434

SHA1
f795e67777b6d25f69f1e161d8dcfb92a1a35b0c

SHA256
f03c8ae0514d5a7480430c2c20a6a238ff47e53880c2634d5e6cf22b7f956c1f

SHA512
d1763c39d2158dbcd2d05b12b4fb34243a1898bad3b60a9b493064847d829fdf66705d6fa4d2fc63b114ba12061680954268db17bc7f9229dbfcc0889e8dfe45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_36F39750452E59840DABDBAB8F8B2E8F
MD5
08880bc3310cb18c2c4754f7cf84cb65

SHA1
2c3b4bb28e441321f74ab8b6177362c02a92cf86

SHA256
141fd409f69083420cd5d67cd1f0c11abb07e413d55d5c4919d322683f8d55d2

SHA512
c84ede380a22b8d95898680c23a813e784e1ed1a3dfbbed47715fe832701c773b7818c866b5c3cc62a3908f553bbe707a5d7e6ef76c732037cf0e7b3e6388356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A9A2923BC865F3B679E3C71FB2AB7C8F_7DC37CFD3C23CAEEED5F14A81380DC43
MD5
54290da400bee902bd2b360a2c4d9f4d

SHA1
079e1e9dd57f20220ce5684f3687ccddc6a33469

SHA256
746a92d44af23617673db203818054140ab4c55cadfa450dc803570784fe1ebd

SHA512
18d5211069be2fd1fd9f5e3e9783c6b3ee5d510b8494be7f4b5815bea8a3e06c9ba12b8980e49c8aa3bcb22c8f8054ef7dd61b0cdb2572fd2f8ba48d5db4b280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\I3M9NTZF.cookie
MD5
11fabe6877fd8abe79dcd4cb3c22c0ef

SHA1
2bed45ee0b7bdeb2892cfd727f76f1170dd4b362

SHA256
83bb189fd783512470959f24c6c4f404045063d64284200fc65a35fa84d422e2

SHA512
931a2b8964dcef721372d7156a1965745a11c2ab5933900aae2afb82c7a9b0d5b3b063d4a59aafa00131f32c8f130bfcaf9f7951c15b0acf3495f9393a58c75a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\K1FG5LAD.cookie
MD5
eb8740de789f7c9bf66f09584d6839cf

SHA1
5af406825735db979b99b208df49e2c15d78aed3

SHA256
7787fb6063b3c5dc3e19e3f5c4b731bf12aa8157ebbcd878b54de3c1398f5a10

SHA512
6a9dcd622cd8236c425b5d6d7ff0a0e6b9c7cf783be022c4903f45615b9a9e50c8f88b569578c1cba16068dc7475cc1514a4a720d744ef6bd06c6d6bbec4f4fe

Download Submit
memory/1180-140-0x0000000000000000-mapping.dmp

Download
memory/4092-138-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-149-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-122-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-123-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-124-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-125-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-127-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-128-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-129-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-131-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-132-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-134-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-135-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-136-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-137-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-120-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-141-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-142-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-144-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-145-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-147-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-121-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-150-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-151-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-155-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-156-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-157-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-163-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-164-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-165-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-166-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-167-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-168-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-119-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-117-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-169-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-173-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-175-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-178-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-179-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-116-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/4092-115-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing