hxxp://636509[.]selcdn[.]ru/tmp/offgen1[.]html#m[.]depree@damennaval[.]com

General

Target

http://636509.selcdn.ru/tmp/offgen1.html#m.depree@damennaval.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d700000000020000000000106600000001000020000000b8301537b0c7174f355bdca5305bece9e56a2d5adc6c748031b463fd4e09c92a000000000e80000000020000200000007a3f5f5467103740acc7ccea5cb51a50c69b04625a6301c83f0cb65f74070cce200000004c485b61bd61704ded05d7f64bea557aaad030512da1db8aec7116b1db998699400000002b324a7f39e88034992f10089cf4a47094ed1c9c1693cd4fc01b55dfa04d580a5fc023296585b4052cd880cc8ff5c4c66bbdb9d910eb6ad6030a49f7815ae2df	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "346967636"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA9E25ED-65BB-11EC-9231-EAE77BAD686B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d70000000002000000000010660000000100002000000028ed28b84ac71622ef4ddfcfa39c4a09adad5c78555d570e696ce6ef02514bda000000000e80000000020000200000007a9171b8ce0e61d70487b1300cb5017bc60ad15ce40e0e03359d53435ef0b7d820000000c0f3d8f7a54585eacff4cb8681457759b8222b932eaadbb6e96aaa6a9bec13a040000000dabac93534d39fcf3b9633edcbe18a2000d914924cd96c37cdcc6463b53eab5e7e58ec372a1a41aea9b531c418313c388e2440563eb175199f8e21d27936daba	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c895536df7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "347016222"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02c66536df7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "346984230"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2224 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2224 iexplore.exe
2224 iexplore.exe
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE

pid	process
2224	iexplore.exe

pid	process
2224	iexplore.exe
2224	iexplore.exe
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2224 wrote to memory of 1208	2224	iexplore.exe	IEXPLORE.EXE
PID 2224 wrote to memory of 1208	2224	iexplore.exe	IEXPLORE.EXE
PID 2224 wrote to memory of 1208	2224	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://636509.selcdn.ru/tmp/offgen1.html#m.depree@damennaval.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CS952YS5.cookie
MD5
19a6b5c41c770ac733d59e3ff3ee0973

SHA1
28a5ad0299560d58721604831a4b26d4c7f8d8b3

SHA256
a7ecf0ac4c7187a198621ca219e034eefee9f66ed590b43aa3ec86e78c47635c

SHA512
89802224140368d5295330ec50551971648030d8588051e477d4c66627a45142e5282dc6570bc0b88fc0a15f3da6a9554bd53ea5d81a614155c7aecf94ecd9f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KFT4QMGW.cookie
MD5
22686574f0f7d7443dbb2d88791100ee

SHA1
c9a0966b98c100bfd8dd197142f8dff701d62a4e

SHA256
115e471449ba2d1969008ff5ec9adb41d4e66fddcf716dd43b7d7b733540d273

SHA512
ad5c4ab19eb919e5e20d72cf438d08c8711f7329698905c437d28bdb63836da989c4bcd9adabfe220700f2ae4785ba704946769563e4857d7c1f33b686ccaa88

Download Submit
memory/1208-140-0x0000000000000000-mapping.dmp

Download
memory/2224-142-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-127-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-147-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-122-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-123-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-124-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-125-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-145-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-128-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-129-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-131-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-132-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-144-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-135-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-136-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-137-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-138-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-119-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-141-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-115-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-134-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-120-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-121-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-149-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-150-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-151-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-155-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-156-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-157-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-163-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-164-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-165-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-166-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-167-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-168-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-169-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-117-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-174-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-179-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-176-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-180-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download
memory/2224-116-0x00007FF9BE6E0000-0x00007FF9BE74B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing