hxxp://wp-in/9pKMCJ/YWdvc2FyQGV2b2xlbnRoZWFsdGguY29t

General

Target

http://wp-in/9pKMCJ/YWdvc2FyQGV2b2xlbnRoZWFsdGguY29t

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c3000000000200000000001066000000010000200000009470bf2f5905ba64fda51ef61fc13ba9f5c5a3fa747720b6f08072f31bcced0b000000000e80000000020000200000004d0bd24bbc26aa19cfb4e0eae74e749c44b567a0400ff2d9e2de8f7e176955cd2000000022a3969fc0f275462ecc8e9f837d8f49462c7a9b882e5da8dc92413134d7ed1640000000a3fcf22322a57b1f1e13b334c3a2668b47f585425c3c102c6d261205f7abbb22a8520ce3eff825a8f671a8cf4550d53c0195692820ae7c714c2531eb71f8de86	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7047122b1cd4d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "671994997"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "343101079"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "646994888"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "646994888"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30921756"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30921756"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e9922b1cd4d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30921756"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343084485"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "343133070"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{510C25D9-400F-11EC-B34F-FEE0DE99BB17} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c3000000000200000000001066000000010000200000008eb7346fb302e63e57c08c74135fa1c4275aad127bf5c5a1074be8cfca12aac9000000000e80000000020000200000006b5cba74bc8a7e51a334511d889b94bd3447700e72f18dfde6f939a68d0912d820000000fc5c1808b78268faff0dc66b0ca93d1d54200467ad127a79364e01c9c4cbe77f4000000086cd29d147fe99d5d3237f309eab5c8184518f082ad6bc48052d71d9f09a0c9a31470f2931efced0f3bd57063f9abdbef6f6d514e9cf60517d334a7f26dd1698	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4208 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4208 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4208 iexplore.exe
4208 iexplore.exe
1776 IEXPLORE.EXE
1776 IEXPLORE.EXE
1776 IEXPLORE.EXE
1776 IEXPLORE.EXE

pid	process
4208	iexplore.exe

pid	process
4208	iexplore.exe

pid	process
4208	iexplore.exe
4208	iexplore.exe
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4208 wrote to memory of 1776	4208	iexplore.exe	IEXPLORE.EXE
PID 4208 wrote to memory of 1776	4208	iexplore.exe	IEXPLORE.EXE
PID 4208 wrote to memory of 1776	4208	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://wp-in/9pKMCJ/YWdvc2FyQGV2b2xlbnRoZWFsdGguY29t
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4208

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4208 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
0c178f4ac7b27d09df44e10c8952ac40

SHA1
f292e467a33e508d823645ebb87dd0fbd23cbd90

SHA256
bd748559b92d6dc02bdcd136848bf8ff059b248ed37a39c7f108a505746c584f

SHA512
862343d106cca95afb753894494f6045ca552991fc844c561e0f9c9517811450cfeeb0ad35ecfd9a8f51f348a4db533281a39c83f57dea4249f56efe848fe641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
7c62d4cf8c386ecf4fd866f37301e481

SHA1
1a76de37e075eec8e7de75ac50f87d784db45b65

SHA256
6a01245207dcfb85de71466034ca9bbc4c46b96a7bba7f6a0d0ec37458a1d18a

SHA512
43f89d99181c5109fb71af13a7da86e951cd2fe27142645d6beac601864be3afa875d44191a590e57a97a3f4a9a33247caabfc247be368237c615e1c70856ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QMP3O8HF.cookie
MD5
81bf9ddeaddbed76827067b6bf4b90bc

SHA1
1d1763a279f933d9fe4a2b94760b33f43f266943

SHA256
4fc134d6e88a42881c8ce88f59fda49b02c743e478578faa3e3759ef73294868

SHA512
670a8c846160b9961c10d19241c4a13dd9abec954aaeac87b29aebb2c737451bbf986c0dc47f55ee1d9ef383504c9d3a48376889a4257b77678916485b3bd143

Download Submit
memory/1776-143-0x0000000000000000-mapping.dmp

Download
memory/4208-145-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-126-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-125-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-150-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-127-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-128-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-130-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-132-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-131-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-134-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-135-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-137-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-138-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-139-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-140-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-152-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-123-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-144-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-118-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-147-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-120-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-124-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-141-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-153-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-154-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-158-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-159-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-160-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-166-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-167-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-168-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-169-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-170-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-171-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-172-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-176-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-177-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-180-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-181-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-182-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-122-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-148-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download
memory/4208-119-0x00007FF9FE750000-0x00007FF9FE7BB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing