hxxps://onedrive[.]live[.]com/download?cid=540EC15E17DE966E&resid=540EC15E17DE966E%21107&authkey=AJ34FnCVandAjGQ&em=2

General

Target

https://onedrive.live.com/download?cid=540EC15E17DE966E&resid=540EC15E17DE966E%21107&authkey=AJ34FnCVandAjGQ&em=2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30917352"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb000000000200000000001066000000010000200000004d94822479d1150c2264536e5a5c4bc0fd412b31f55389e873a6d6175e5c5f91000000000e8000000002000020000000bed9bb2d23cb3783132e344637cd33e5c0c36bbc40a6b8af7cd7b89008b409432000000054845eb9f0adcf56c43d102489e1e013fdca77fd3ca258d6842d90b7f8b468714000000031fd00038f4fa850b30a692d94c16a4486b93a95f2fb8745a35ad5dc1d67196a181a61013743a7cf46f7a77c1f7cac0fb275f56cc3804e3f89d8c9dbd2f4c738	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 706f1cf2e8c2d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341193310"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30917352"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0baf8f1e8c2d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3902162932"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3902162932"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1349B6A2-2EDC-11EC-B8A2-F66DEDE8C9CE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000c256d2f27b674dcfcab4f121b9c3a2f220e4271d63634d736a7b464287c8dbbf000000000e8000000002000020000000ffd144ca32f9f20b13e1461006ea56c11c68ffe78e1e64fe14381e2affad1012200000006ca81a6896014bb56b66ed9bd10db04cd8bd66cf79873fc8a5018c037917db02400000005c21fb65bea7a43e21b08d66574f65920519c44560cd2e90a2a5c2667daf68a94b298b30e2eee2889420a604167ca8897dc57c5fb9525a3bb819a7a945973368	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341209906"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341241897"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30917352"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3956850378"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3876 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3876 iexplore.exe
3876 iexplore.exe
1796 IEXPLORE.EXE
1796 IEXPLORE.EXE
1796 IEXPLORE.EXE
1796 IEXPLORE.EXE

pid	process
3876	iexplore.exe

pid	process
3876	iexplore.exe
3876	iexplore.exe
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3876 wrote to memory of 1796	3876	iexplore.exe	IEXPLORE.EXE
PID 3876 wrote to memory of 1796	3876	iexplore.exe	IEXPLORE.EXE
PID 3876 wrote to memory of 1796	3876	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://onedrive.live.com/download?cid=540EC15E17DE966E&resid=540EC15E17DE966E%21107&authkey=AJ34FnCVandAjGQ&em=2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3876 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1c3ed22c003b0e1724a802f750244f60

SHA1
c83f95230ea4d3ac58c4f5d5a7504b0f5eedf0ad

SHA256
f24de6edda835df45daadcce85ecfeaa1f5a363a16faeff1c16ae55ec57dcb6b

SHA512
7f9f0395307b63d4bda636b132533f5e62b36bfa78ff0850c5ba0a2ebe3f426b0a18232993a35bfe9166d9f86d2dfe2ad6429fc864265a0bdf6d4f1f25d26297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
7e6d8b454eaeea3e1867194c722da055

SHA1
28947bd2395552e1f6019267bf2505345b51c556

SHA256
1613e81c490b43786af044b72aa8edc3fdf89b7c3a830b95bd61ba355c26138f

SHA512
953c7ec0f98e5ba3ef59f90575ee94f8e7145bd0912a88388b2699ee699803ca3bc1c711f6301d1617c02b70afdcaf4edf37ebce6df9f3a6f79d6587255ddc82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1OJA5EIF.cookie
MD5
110219767f4be86822b09a16b400f53a

SHA1
ed1e6390ec27d35526967ce6871f97538cc687f5

SHA256
4ee5f71752b5dc6524ffa339850dc9c8a69cc1d998c590150dbb1096831aca34

SHA512
603d12e3db084d4482b038e3468ced8e314af140c5c744a11a510c8be3cf950cf6a1217e5ed354f477f7972b2cb9c05549c1b78f4c6ab4494278c0956adce9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\L6V2KVI6.cookie
MD5
bc0b9cbf72620349b5403155daeee5ca

SHA1
37549de9116367885e1ad02cf7b4dc99d9da3ac2

SHA256
9ffc2ede361c02453a4ae4ab51f29a78cd45f175fece1c7976ca0d5a0c5b7cfa

SHA512
eb58a55285f3600cfffd2b7b275fe572b406bd3c631e6c5f2f9bbebb12a1a95f66eed50f0a23e4097a14b13aada3d2e8be6d49b34c502c27f439f6658b72387c

Download Submit
memory/1796-143-0x0000000000000000-mapping.dmp

Download
memory/3876-148-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-127-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-126-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-153-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-128-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-130-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-131-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-132-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-134-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-136-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-137-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-138-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-139-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-140-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-141-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-152-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-144-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-145-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-147-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-118-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-120-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-125-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-124-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-154-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-158-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-159-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-160-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-166-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-167-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-168-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-169-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-170-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-171-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-172-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-173-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-176-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-177-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-123-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-122-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-180-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-181-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-150-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download
memory/3876-119-0x00007FFED6840000-0x00007FFED68AB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing