hxxps://nawa-store[.]com/shopinside

General

Target

https://nawa-store.com/shopinside

Score

6^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1704 1668 WerFault.exe IEXPLORE.EXE

pid	pid_target	process	target process
1704	1668	WerFault.exe	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73BE7CF1-523A-11EC-9A11-6210CE53DEC8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab00000000020000000000106600000001000020000000a5bedd277ef2b5f40df7d7eba954ac42109ee70d9e07e2a57cad91a1774e619a000000000e80000000020000200000001d585e8ad4876e120e152c5000f8bbb111b08072fa6e8ae79f1f7d0365887ad32000000063f598ce3797242ac038421250c15f1b4953ad35d5a3269aa8f2a1cc41c56a1c40000000a622b35c1548815e146cb73b8e8e9c5f80fb92eacb83820ac6f6cbd58e87164cf720bfe05b1e1f88a6d4b4035552888563e1c79384fc504d8b69ace82667a6d9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "345082133"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab00000000020000000000106600000001000020000000fe1eda6899a5e3872956ed56aae4e50e398942eaa7240575e9b07c97f4383bb6000000000e800000000200002000000039cb3449cc0325bf93cc98f7f221d353712e94e85d2099583ef14af5f201ef6d900000004938b0a2be56711fc4a05f758b1998af8f1d12bda4655641f727dbe1b549d6db227d8628f2384ade73baf1cd462dbb4d4ae341ab744ea4bf2a182acf8d62bf345a8afcf631f69d45817d518cb068837b70e312d5bf45141b1c58fb69c955954fc5453a72a2f5ade4c007c02b61e46e8b08da9b469074e6946c6d19e841d56a16a70876c81d023f7858300692bfb6fd864000000006add6a1e21240199a58d89664cc00c83579bac413d4168f81248a243149fc5d41c67114513168a05b48cf495e93916501744bedc0012dd2f6545fb72c5df4e3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ja-JP = "ja-JP.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1024f74547e6d701	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1704 WerFault.exe
1704 WerFault.exe
1704 WerFault.exe
1704 WerFault.exe
1704 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1704 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

984 iexplore.exe

pid	process
1704	WerFault.exe
1704	WerFault.exe
1704	WerFault.exe
1704	WerFault.exe
1704	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1704	WerFault.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
984	iexplore.exe
984	iexplore.exe
636	IEXPLORE.EXE
636	IEXPLORE.EXE
636	IEXPLORE.EXE
636	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 984 wrote to memory of 636	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 636	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 636	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 636	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1668	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1668	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1668	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1668	984	iexplore.exe	IEXPLORE.EXE
PID 1668 wrote to memory of 1704	1668	IEXPLORE.EXE	WerFault.exe
PID 1668 wrote to memory of 1704	1668	IEXPLORE.EXE	WerFault.exe
PID 1668 wrote to memory of 1704	1668	IEXPLORE.EXE	WerFault.exe
PID 1668 wrote to memory of 1704	1668	IEXPLORE.EXE	WerFault.exe
PID 984 wrote to memory of 1444	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1444	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1444	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1444	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1760	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1760	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1760	984	iexplore.exe	IEXPLORE.EXE
PID 984 wrote to memory of 1760	984	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://nawa-store.com/shopinside
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:340994 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1600
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:668685 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:472095 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c9f0dbb882e2324c1269aaf86759e8e3

SHA1
bd2ac197e712f0c882d3dd3c5d9a1d32b8802534

SHA256
09d22633bcb8939583ff975e3c6d0cc7781b4f5cbd5dfd6ff7de0dd945c458e3

SHA512
daab7f4115a2c929c534e70f7702595406c9d6a62317fe8310922173e662e501d56446d3121f1715b0810f8985e97665051c09a995280eceff444a71154f5a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EU9ERU9I\SSZCB9EY.htm
MD5
060af161d77526eedee89a5bc5931b45

SHA1
e3ea8ce6a1ccc6f290336fa05ff34426ad0a3675

SHA256
71cf2a28cf74812a0b34542816a164aa4d9e8e1476303703ab2abd5a428b172f

SHA512
4ad935498dddcc6212db7bc9d48dae70f1bcda8e2ce8db69fd3c7849551839f35a76f45eb40f15086097976efa7c666f0d519b8633a6d6e618e3706fbb459a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H29VF4Q1\RDDGZMTC.htm
MD5
946f056ccc076510b6ba51ad5b6b7d7a

SHA1
2137e480d6f34d77e9e1d18647814f31c87fa6ce

SHA256
4beec60beed02eb24372d3b65d33c16c9427b22e0d89a5d782065f96da849eac

SHA512
47a219ecc263a1854dc40f2ec4c6561787e2578a5efdad31be3a0ad76a316ffc94b9d402ecf3c45ab9a0760cb4afc543eb1e653f73352295d06ad1ad5f7579bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G47I9EZK.txt
MD5
f5cacbb23a4d7b7af39c9b5fada57ced

SHA1
de2c09094fe10d1cca14ec036a0702eb80bb4699

SHA256
2b9561491d5beb4cc7b754c7148ad460e874855ed7524ba20d051d2800f3cc4b

SHA512
1ae6c277963d28f1d99eff0503db5a0550ac06982bf6d9bc8ebc545b1aaa0ff8b519ab7efd164fc9f3a29b54ccf6aef9690803afd0966a49586a802a316ccd4f

Download Submit
memory/636-55-0x0000000000000000-mapping.dmp

Download
memory/1444-61-0x0000000000000000-mapping.dmp

Download
memory/1668-56-0x0000000000000000-mapping.dmp

Download
memory/1704-58-0x0000000000000000-mapping.dmp

Download
memory/1704-59-0x0000000002090000-0x0000000002154000-memory.dmp

Filesize
784KB

Download
memory/1760-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads