6453a5f675718863156581fc9c5f5b6997d8e0d114b10933ad37418b5202e15a

General

Target

message.html
Size

1.9MB
MD5

552d5294c7294e6efcddb6ac0e1b0fcc
SHA1

4c96ee5664839273dc7120fff06ed255ad097299
SHA256

6453a5f675718863156581fc9c5f5b6997d8e0d114b10933ad37418b5202e15a
SHA512

17be1ffbc2dc3ca6d0021224ee4c677725b50c8144542cfc1dc2efcf0cbe4504b102a39419c353b640a8a5fccef5c3e4c290fcda6ee3e2a4c6da8a36e1eb3f4a

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "342217576"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000c9ccab211e0100b9840408571c50abf8f33f13679f85e508135dd905a3ca9c5b000000000e8000000002000020000000ac675e8663cf6ef37a20b6db718031a0ef0298aa1fc50e0064cc496d1d0f07ca200000002dd64ff845bf82234b9fa114f854d6b6766ad63574bdfa5ae9353f9edfaf5ef440000000d6ba39d51131982823d43a36ae9ec98205fb3bfe48734a5fb8ab6e42bf37f1b8dfc7d45647c89b1e7d643e74af6b0f422ea5a7308a6496e326a0b80546f96ece	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904f9a1813ccd701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60F412BE-3A64-11EC-B8A2-EAD496D17CC8} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb0000000002000000000010660000000100002000000048c1997dfb15c97c1bfc7112a50accb8e444951832faf3e93ec290add06043d0000000000e8000000002000020000000420d33d6a7c0818c5bfa195bdfbbfc628f2684364759eacabd4a096ad806573e2000000039c9703e781cf82fae4eaa34e0c5f6a7c1a77d158e8600ee25db1034a4e2aa8d4000000012cd956f3c8ffe8352a9d3a2ce8b380afbceecb8256d56e60e23751af0f3e40a60b65a1bdb3ed1fd8378792023bfa4d83087d94c7c73098757c3636be292d40f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "342200982"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4049b91813ccd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "342249568"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2648 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2648 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2648 iexplore.exe
2648 iexplore.exe
2312 IEXPLORE.EXE
2312 IEXPLORE.EXE
2312 IEXPLORE.EXE
2312 IEXPLORE.EXE

pid	process
2648	iexplore.exe

pid	process
2648	iexplore.exe

pid	process
2648	iexplore.exe
2648	iexplore.exe
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2648 wrote to memory of 2312	2648	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 2312	2648	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 2312	2648	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\message.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1BBR8OZA.cookie
MD5
6f6cd57a60e21ac5a6bbd31526b1139c

SHA1
5cb327903a32365925b27db9567f5b01964f5d6a

SHA256
9234eb2cccc53607fbaf9d12fd945b94e9114bd0774be4f0e7d4693889bba93f

SHA512
40663ac81a7c84f51537493c3e72952e207944ba938a0720a912fbe4f464a1a681bd3fdf11fa275072b21b4cbe7b20a52dcae4cdd6c04f23a5d1d5ddcbc9c0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O8UN1C50.cookie
MD5
83e190cdaa7f7226495aee13f4b7a26b

SHA1
fc6831284e4abdbee4a1da95215d1b6449d7ba86

SHA256
7b541780267a755f7be59066ae59fa6c0d09f96f14550085bf3b10787a386561

SHA512
9546c2a4962981006edb47fcf77554e5ff9e40a014c06cc8a7f05595b208f1dbdfef14ec8486e516c5fe52c12986d226d078c7cc1478ab1d2ca35e253d237c8d

Download Submit
memory/2312-141-0x0000000000000000-mapping.dmp

Download
memory/2648-143-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-127-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-121-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-145-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-123-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-148-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-125-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-146-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-128-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-129-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-131-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-132-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-133-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-135-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-136-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-137-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-138-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-140-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-119-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-115-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-122-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-120-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-124-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-151-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-150-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-152-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-156-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-157-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-158-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-164-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-165-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-166-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-167-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-168-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-169-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-173-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-175-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-178-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-179-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-117-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download
memory/2648-116-0x00007FFB41010000-0x00007FFB4107B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing