hxxps://youtube[.]com

General

Target

https://youtube.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4002932d4e11d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEB6AB95-7F9C-11EC-9231-6624BAB1FE83} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50478e2d4e11d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d700000000020000000000106600000001000020000000394700f639eba378b331461d8f9ac57d7a8b12bb3e2998eed8a96d28675e813f000000000e80000000020000200000006dbc3475127d225a946dd0807a64b3eb8ada5bedb37d461e9e009707b62ff0cb200000000c58be5477fa4651676a4659437b55bd30834d9a3c1fee0ca4f4972ce23f90c140000000a986223710f3e80dcdd3ae78f7948ecff1fb70169e0e85ee3b4243d7ec2ed90a05651c8991a26394eafef2b5b8228d9c9a3a371b7bbc2cb7a22db5b43460e407	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8db62ff13956941acf514a4778508d700000000020000000000106600000001000020000000c772863a2e6df2c59ab06047fd201e1a24e6dc42fcd7f3da28f14e0c8dcc6376000000000e800000000200002000000072042cf88ef017e53002e93add299523efa87cf27c96d37170e4de9dc18f3a8520000000600f99c424d7c8ea57832d62ec7633a4ec9c605c4665a7e307f46c763bc28b4240000000110b5683eab529d2f47c1657d282c80be423273e74106f170be095dec2df5a3b27f1ae05300fe3fae4701c95a4591f6087245a8c6351732897794691be2f553b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2772 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2772 iexplore.exe
2772 iexplore.exe
3728 IEXPLORE.EXE
3728 IEXPLORE.EXE
3728 IEXPLORE.EXE
3728 IEXPLORE.EXE

pid	process
2772	iexplore.exe

pid	process
2772	iexplore.exe
2772	iexplore.exe
3728	IEXPLORE.EXE
3728	IEXPLORE.EXE
3728	IEXPLORE.EXE
3728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2772 wrote to memory of 3728	2772	iexplore.exe	IEXPLORE.EXE
PID 2772 wrote to memory of 3728	2772	iexplore.exe	IEXPLORE.EXE
PID 2772 wrote to memory of 3728	2772	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
0213524244eaf6a7e638bb1910432065

SHA1
6d854ce619828c2f1bfc4e93d2ee15d5970d6811

SHA256
2ccb09ae116851a6dff4849062a18092d522a05897cecb74dfca383aa2dea296

SHA512
010658183423cfc1f46a492e8b164499ea68cefea28901bf190ec231da967185842cf2d94fc5fff9fcf0362ad3f3ef2884d699ad49acd2d08bbcf506cfcc4ee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
64e9b8bb98e2303717538ce259bec57d

SHA1
2b07bf8e0d831da42760c54feff484635009c172

SHA256
76bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331

SHA512
8980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C15B120C7F4EE6F1182923868E66174B
MD5
f866ff7d1a533d7938a36c851589902c

SHA1
d060e80dfb63b0d29fa36803858f0fac88f69055

SHA256
7302b62fc43148a3bc5c6923280c81da999442e1c353078d327d4f9c5cce2ac4

SHA512
c6c8cb61e3c3c7fed7f57932fecc7576df90ba8123b61c18452df0ad11bc774c5917f894baa752e9f8d701580d2917a15f1d6eb69ef1901b3d3eb6f27fa8de88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
290ae004854b9db95a0538e9057b65da

SHA1
b0e99e5e7dcc8c127ee17cf4a7d7a96c0eb578e6

SHA256
8151493f03697582688dd8a7ed226ddd261bffff2de726727d430d0092fd9818

SHA512
c69a72b0f7eaf1cbbf33d3e7ac4e0ca7031785ddbdbddf4528859bab9c4128cbfa0d066f937700841b6112c64b845d68bbdecb03cecd640ef471776001078bbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
63a3ea334a3ed4c6832c09ce3836992e

SHA1
83cca912508d16bf3c4e4fc5c03096e11d4963b3

SHA256
3eae2c2022dbf4f0481dd20015a8ebe84228bf32246ac073418b5537be4670b3

SHA512
af5c568c03b785560a15b46c41058bcfce92ee2eb303746ceb7825fc3b380055fc3b86e501ac660a247240f8e34a282eb7e8ef6ffc25266a13f3fe83a7e36bce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C15B120C7F4EE6F1182923868E66174B
MD5
718ae54c1f543ecb0d6a6cf09ed4cbfd

SHA1
a34a1e7266bdc601e58d3e705ea71f8d73fd1117

SHA256
c6448fc53c80fbda0ecf1401b0776f23e3cf7a4d7f5b1b66e94567d04d1ec65d

SHA512
3e93b9427055b3fa7969332045b33bf987c66f3c311dcf9a4bae9e3182d6701479f36f0c8e5b300f225948238b348dae7c957cd816942ec28bd96a0ba7e2dfdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\BHQL307W.cookie
MD5
dcc3000fe2139625f1df27c7359fb84b

SHA1
a042657170298446bab8c6ec0734c17c4aa921bc

SHA256
8d35e6c749935b6fd60ab30844bff22e1e1984811a91a2032704935f35a0a2e3

SHA512
03c638a9e2cad68b5a634184901df155dcff2ee6947411cf9c3806da1a2f872e377bd36396308b3fec0e70a49918f9e998ba2f3698969bff6cd818c81a531be2

Download Submit

Resubmissions

Analysis

Sharing