d3844832d8214cef2c64d8bbb4116ae16fd17dc7ba74be95b4dc386f3f3de10c

General

Target

INV-37153-DUE.html
Size

1.2MB
MD5

512fb8f68762a521eaf27b7238f94139
SHA1

65ebecb99fbbedb08dcc5ad68f1c864fe424e35c
SHA256

d3844832d8214cef2c64d8bbb4116ae16fd17dc7ba74be95b4dc386f3f3de10c
SHA512

f7c1123a0882abce954c195a0f3b07f0dde823be011f2b8a3d96c7924fe909c5728697e5f29fb29cc00ea890fe46264ea70befabee65bbda90642801afa7f6c8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8A84DFB1-414B-11EC-BA36-E6E03A731FA8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb19360000000002000000000010660000000100002000000084045f84778feef883b82c2fd44238823dd2c1e3fc11e89e03153bc2d885857b000000000e80000000020000200000000a7cf584a17cccc792461edaa4aa0fa40bf607e996970b14f77755ae79d6f8da20000000485853bab26639a4861f76181bbf56b558515b796adbf07adf50806200d0792540000000ffedad4e4f79ffac9fd88ddad2bddec29cf27f1c6b6e5124e9b0d597f0de182f765640ba2c316ee60d4d0ad105e28a7b37d2af854307efebaab9cddf8de39696	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343220306"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d043b36358d5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000af29a158f407e1e3adde59f667227ca0ae456dce5257bc15693ffcc005f359ad000000000e80000000020000200000009841cc76c0215b5c13e21cab61f688f2e16c5ce7a867e994184193561d9a1b39900000007339121386c830895fb2470453068b89cf7930845325af97802647cae43cbcc1d51dd3a87bb6931936857a863c12e6b4be9cabc867714d34be5f3870dc78c62e43c7ae3e7f170b4ec71e10da9ec68c1ca2094ae312100be80903eb8e75ee9fd0bd810b411e99f49c425ea174f711775b8ae382a0f397d2ae00bbafe2686307fa61bcdeca30b7edbffbfeb4b2231e0b1e400000002a5c8b70a20b8e84ec25c7e9931524ab1a17a0255d9a8fc87800d2f4247d7fdd2f77198e67d130409ed7433128c3a425dacef6fb363f3d81142d9b6b022942e9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\904C55FC7DDD2C5CDCD6F8B44AC2E473C964225271 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000e5e98da719c07fe2e97d374daa84f6513077d412d543a1378f8510bb9a49fe97000000000e8000000002000020000000b87cb0860fc8b2658a5c0670b924f7f5443e0ef18a255055e1b0a8509717222e80000000884540bb8d10b934a62e4beb4ca6a90ab7d407037d9fce67983a14987fa9366679989bdd9f3fb551f08dc7897e8366973d55de2279e07ffb73cedea89f54304eb2bc9fbe87ebf3cee73b223b9a4fa69410fae8e962254bf47cc4ed4c3ff2985bac41718d412b311e6e528ffaf2f8346b4da302553b83448e77d1209185a8dc694000000055b2455e84eef5c40d71bc9176c0f9eb1840c5c4c75ece546f05e2c3905c51b09c465c17f39fb6c5f77a9713f3be6ed93b2fd8ae605211bfb015c89dce962cbd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

652 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

652 iexplore.exe
652 iexplore.exe
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE

pid	process
652	iexplore.exe

pid	process
652	iexplore.exe
652	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 652 wrote to memory of 1608	652	iexplore.exe	IEXPLORE.EXE
PID 652 wrote to memory of 1608	652	iexplore.exe	IEXPLORE.EXE
PID 652 wrote to memory of 1608	652	iexplore.exe	IEXPLORE.EXE
PID 652 wrote to memory of 1608	652	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\INV-37153-DUE.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:652 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T5L3K1H2.txt
MD5
c8ccaff6365c985cef804497a1288732

SHA1
d62802496a6c1682662dcc036346f962639ca1a5

SHA256
5d839e19bc3f8fef34e34c5470f910a39e1f51700b9b5b3a3ff08e915bc6482f

SHA512
e5330c8e1d4760fa9b4b7193f853121cd109d83f89831f63b11bafa37704e27ce54ff46babac070451fa346cdbf298204428927ef599a14d68bbc2ad1e901aa5

Download Submit
memory/652-55-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/652-56-0x0000000002160000-0x0000000002170000-memory.dmp

Filesize
64KB

Download
memory/652-58-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1608-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing