hxxp://www[.]met[.]com/ana[.]nge@met[.]com/check-activity/

General

Target

http://www.met.com/[email protected]/check-activity/

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = afcecd562cd4d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30921772"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30921772"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1469609381"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{826D650E-401F-11EC-B34F-5A319FACDCE4} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c300000000020000000000106600000001000020000000e178536732f7fcb771db32daf07f395e92b34b872125bc96ec84209570bdc4a8000000000e80000000020000200000006190291157f1bed95a8663907f308781e663566a24daabaa680e0a443953e147200000004224b12bb1e7d4267eaebdb0009712e2b6fc2fc9eafe8e63a53cac5c5b53704540000000543f5bd9fde56f878162228646ce83059c748bc5e921fc8a59b9414208a560d0ea38e6da87e728bbaee0fbe0c4752cbcf34fbc276f0d6f86dbc692bd0faef1f6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1481242013"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c0ff562cd4d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1469609381"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://www.met.com/[email protected]/check-activity/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30921772"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3576 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3576 iexplore.exe
3576 iexplore.exe
4180 IEXPLORE.EXE
4180 IEXPLORE.EXE
4180 IEXPLORE.EXE
4180 IEXPLORE.EXE
3576 iexplore.exe

pid	process
3576	iexplore.exe

pid	process
3576	iexplore.exe
3576	iexplore.exe
4180	IEXPLORE.EXE
4180	IEXPLORE.EXE
4180	IEXPLORE.EXE
4180	IEXPLORE.EXE
3576	iexplore.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3576 wrote to memory of 4180	3576	iexplore.exe	IEXPLORE.EXE
PID 3576 wrote to memory of 4180	3576	iexplore.exe	IEXPLORE.EXE
PID 3576 wrote to memory of 4180	3576	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.met.com/[email protected]/check-activity/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3576 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
189cf116bf3713a9e49bf51bc7bfc49a

SHA1
3ab63a8339c980b837751c853e59c6ec3217c562

SHA256
f6bf6c9521ecd07410816f060578a5c8b60500821a95b728ba72de438ebf121f

SHA512
24334290b79fba800b6f87c595839f07144f5f05ef1023214070155ffd78f01aeb794842dd7764b35b7528203fb9618edb7ad0903808bd721e864caea2f29363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
0c5eaee180014b0b3edab7db67e26752

SHA1
cebbd8ff0036433492182dc172d7ba3217c1b805

SHA256
a2d6bc184a69b9d15f4337524970c2ccacd5b7319be964dbe464ba88d2bf5fbb

SHA512
cfff157afd96dc78bf38fe1383f851d3dae2e16a789283ab41e45a373b1d6c63c8addc2d8c7a9eb51cb3f2d7afa56429da1443e3df8c0a7a5bf5d430bec4cfa9

Download Submit
memory/3576-144-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-128-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-148-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-125-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-124-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-126-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-127-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-147-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-130-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-131-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-132-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-134-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-118-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-136-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-138-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-139-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-140-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-141-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-119-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-145-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-135-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-122-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-123-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-150-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-152-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-153-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-154-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-158-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-159-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-160-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-166-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-167-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-168-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-169-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-170-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-171-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-172-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-176-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-177-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-181-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/3576-120-0x00007FFB358A0000-0x00007FFB3590B000-memory.dmp

Filesize
428KB

Download
memory/4180-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing