hxxps://lespoppys[.]fr/wp-includes/sodium_compat/namespaced/Core/Poly1305/state/web/

General

Target

https://lespoppys.fr/wp-includes/sodium_compat/namespaced/Core/Poly1305/state/web/

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000885fee618cfd181e90ad92d2ead7167a8da459a76b54710b84a84d72c85e4e17000000000e8000000002000020000000611f429bb7cc42ffe63bae51385f84bb75694bda864acfa585fd84ac993b54362000000058257116477d0c586b56f6af4819e6261126eaeb928191dd5d072bbe38169404400000000030d88bf6ca344d3bae3f7e962e071fb254769f6114a484c8d1325a3582e8018a0a4c904ec38e20d752d783b7dafa68a7c9370bc8e5364b4c338a5bb6526d0d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "342805199"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c08131446bd1d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "342788604"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49B4D37B-3FC2-11EC-B8A2-52291B2CF617} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000a27307c701ea306c4418d3a687709eb0d33ab7ecb5251b4cf332107e56ca86e8000000000e80000000020000200000002c69b3d54f4f5e07d42cdb3f6c100ddee70c0da1693f71587062795f3ffff64c20000000666a55b66f5b13074b8f02028e414929242180dc7a4d21d00f5e7acf1fb4448940000000b170c09ce569ca62ac4d80a6c29fe6999a633b4325123319968337d1615318e993b532abf1e56ef9445e0375edbe9cc97e64ff3e6be658f90d47d1a940d5db45	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5049f8436bd1d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "342837190"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4384 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4384 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4384 iexplore.exe
4384 iexplore.exe
3464 IEXPLORE.EXE
3464 IEXPLORE.EXE
3464 IEXPLORE.EXE
3464 IEXPLORE.EXE

pid	process
4384	iexplore.exe

pid	process
4384	iexplore.exe

pid	process
4384	iexplore.exe
4384	iexplore.exe
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE
3464	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4384 wrote to memory of 3464	4384	iexplore.exe	IEXPLORE.EXE
PID 4384 wrote to memory of 3464	4384	iexplore.exe	IEXPLORE.EXE
PID 4384 wrote to memory of 3464	4384	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://lespoppys.fr/wp-includes/sodium_compat/namespaced/Core/Poly1305/state/web/
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4384

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4384 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C60487A1F3FE0F48C5E6AB4B2E94B7D5
MD5
a22aefe37280203e9e0c186d6e7b4556

SHA1
67977e3c8313cc3dafedc496330b143a62b81831

SHA256
d2cf2ddeec948885910d6f09a1a9624158b1c0c7f923d5489bf299faee7ca6e0

SHA512
f24fe889a9909c4b46754d8c1450ccc3a71447bad4c0e439dce2aa02d06a1386ede9ffc6ba8ad9f8b5566a79f9835df8ed2ffe54b6f69bf743ce90aa6a8a8f7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
78fb7008e0a15fab41cb8ec9ce11e957

SHA1
d5f786134052466fb76be11a91ff1da69b756a30

SHA256
7d3fbf3ed4b21f0da6e2cfb1d7466283e5ccd29ef3b042c702a51127367c17e0

SHA512
49a6915e1b93fd49869029a44531fa68a8b5e4757ac3ea47601889967a89c4402ccf6bf62520821e33913ae25b3818dc4b149e508e0397edd2d38b9f8eccbc8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C60487A1F3FE0F48C5E6AB4B2E94B7D5
MD5
726cc3f99e6727d1ee2f348f461c4e53

SHA1
6ed720a39cd3e139f2b19730774e3bb98e1875c3

SHA256
2f1ca222021b1a782af0b82d8825759d2433fc153ce2cfccf225a34d1ff2a706

SHA512
4284af9854a8fa153f235b87cd909b19ce3922bde60c0392e70ab54a4f07652abd55d05381a85e6b92b18160f9b477abdb517d14ffe57dbb59215ef1db5abfec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\T0FQDXXJ.cookie
MD5
39452f488cdef81618ceb1bc3588ee70

SHA1
bfa3833f24df065fa5aa70c00f4bc5e6a2d398dc

SHA256
421e7653f8d114b6ad4c33e72e3f900af866ba09964e1d2c80fd192a6bf598dc

SHA512
375c6d9b2fc11996ba168d58e636cf414f7751aedd7bcd2f546a388c8e45c2e837bd3f0eea07dbd868d489a663b17253dee742314274711ca92a44438e532e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XXCX9ENF.cookie
MD5
d667b810301890f719c72ee0b47d3562

SHA1
7a080de745e735902021db7c2cbc5982e8d9a845

SHA256
b169781a290667cf27e352e560d3dc2f5261c9f996dc3fed193f6e2db995b059

SHA512
a5b06647ad9d0db777ac073f237538eb2a5209f444fd4aa787824da7c891044809480f274c59a967c28ba16eebb05311b19a20a29d943e3321922f67d02d732c

Download Submit
memory/3464-140-0x0000000000000000-mapping.dmp

Download
memory/4384-138-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-145-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-120-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-121-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-122-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-123-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-124-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-125-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-127-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-128-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-129-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-131-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-132-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-133-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-135-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-136-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-137-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-117-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-141-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-142-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-144-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-119-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-147-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-149-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-150-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-151-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-155-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-156-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-157-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-163-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-164-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-165-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-166-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-167-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-168-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-169-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-171-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-116-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-115-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-170-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-174-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-175-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download
memory/4384-177-0x00007FFB1A140000-0x00007FFB1A1AB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing