hxxps://espace-edpcliene[.]ddns[.]net[:]443/saud97265288/

General

Target

https://espace-edpcliene.ddns.net:443/saud97265288/

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000d3156fd0a58165896869fbc13af01b40bd2500ebfb9089c58cdba1e0563ad52f000000000e8000000002000020000000ae6576cf4f660299e7df4a327c2248457a4b9e5b72f430f8a2baa37b7df6967b200000007e10ae5fe646c58edd1339864291e37b31bbdfa5511b9951b465a7144fdd177b400000009ca730b8df87c2245d4af3a8c7154e428d4ddffe64bcc3a5cafdefb1dd42dcd453e483e6c503c74f1b5a7910d5e1f0c44cc915bb4d60d38b8f4bb593e5bf3345	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "342850934"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "342867529"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000034f12aa01a74377217de2c7e1b6245773945e3e7bc8d354ee9c3dbf0b66afea7000000000e800000000200002000000095418974647b11eb2149eddcc3e10b07d14f5442d239e37fcaafb53d721d420120000000dbb11c8646b581e608f3b9f5cab7176b4917df2c3b2bbe487beb393c8c51038c4000000068e66a135af30775b6e735d125aa4d56639c47927887d4c5c287f8aecba078021226b7bf8dcb0495eca2ed9f6b8910285fc87285e0b6017420d2b4ee8cf7f2de	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60848642-3FE1-11EC-AF2E-4AC12AF62747} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 803cbf63fcd1d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506dcd63fcd1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "342899520"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3604 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3604 iexplore.exe
3604 iexplore.exe
4008 IEXPLORE.EXE
4008 IEXPLORE.EXE
4008 IEXPLORE.EXE
4008 IEXPLORE.EXE

pid	process
3604	iexplore.exe

pid	process
3604	iexplore.exe
3604	iexplore.exe
4008	IEXPLORE.EXE
4008	IEXPLORE.EXE
4008	IEXPLORE.EXE
4008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3604 wrote to memory of 4008	3604	iexplore.exe	IEXPLORE.EXE
PID 3604 wrote to memory of 4008	3604	iexplore.exe	IEXPLORE.EXE
PID 3604 wrote to memory of 4008	3604	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://espace-edpcliene.ddns.net:443/saud97265288/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3604 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
ad6398133f5f0f28ea00e5ca9ca68514

SHA1
9a710b52f651875fb13e9a3186cb74a4a09118c2

SHA256
c55a5c3119dc2a5795afdc0c687758b1da279de340923bf5e9daffcf6ef4f715

SHA512
6fb08c26cef8bb94d974317bd48b7e9545c91247c8a439ac796fda588b6b3676e37a7680e83dc64b059dadda0dda9c052dd7194e013d97e7e338965d7daa8653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\D967BA9U.cookie
MD5
c7254305685ce393b9e6568b3482d3d2

SHA1
fab6b0a81952046510b7746c343f480f70e31739

SHA256
eb97e73e5c2b6aad883fc527985cf0b7726f9be36486c5cb6559ca2b206ae010

SHA512
70e06ae7dc8a3d7e7bb75564c8defcabdf62d7805b25c3c9048113b331179961d0b755b8f26b6de1a7861a99ad89eec3a111e988f32820e612d6fe0585745feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G297GVHN.cookie
MD5
8ef0754969cffe2affdda49ecd284f15

SHA1
dd783f26b17bf742248f976a1c9421896b94ba10

SHA256
9fa6f8c1792cbc4a1ffcfaa1e885e59d22f6acb804b41d76e3cd26ef4d4f8fb7

SHA512
5f5e2f7fda46a59530bf6df7e550ae6725fb95c648623e89469c59a8408cdc0d473d27d7224c74b216fb780a40684b4ffc5a068f95b03497f468b19e04df0805

Download Submit
memory/3604-142-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-123-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-122-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-147-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-124-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-125-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-127-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-128-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-129-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-131-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-132-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-134-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-135-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-136-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-137-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-149-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-116-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-141-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-115-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-144-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-117-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-121-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-138-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-150-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-151-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-155-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-156-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-157-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-163-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-164-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-165-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-167-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-166-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-168-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-169-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-173-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-175-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-179-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-178-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-120-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-119-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/3604-145-0x00007FFB85220000-0x00007FFB8528B000-memory.dmp

Filesize
428KB

Download
memory/4008-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing