hxxps://drive[.]google[.]com/uc?export=microsoftonedrive=d&id=1wBI_XOY3mYs9X0xbUYpjue12ANnlZWV4

General

Target

https://drive.google.com/uc?export=microsoftonedrive=d&id=1wBI_XOY3mYs9X0xbUYpjue12ANnlZWV4

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2992D661-B6A9-11EC-B58E-DAD612EB2542} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c00000000020000000000106600000001000020000000bac20d12e70077202169167e59ba7943546536af4272321c41e966758d747176000000000e8000000002000020000000e789e2e0a6ad9ef77d41ff5ae3e09f357f89bf83584ac43ec809d8862773a3a120000000eaab97280bc0bc684bb29abab66b673acdb0eebf88ce6e4760badb63ad2664bc40000000568dad552e501232cde03904a870e4a41eb546c6f148201c2ce3bf6eca25748a829450122d342c191d32fdc5c60488f64dfa6c0952c953bf0f5211368b217714	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c000000000200000000001066000000010000200000003b544cff72c7a7f897911e6ac5338aeab4454ba75bc8b51731630c11c5a0ef51000000000e80000000020000200000009e5dffb14b16f18f9da9fa6deaa550175e3397b935d87d32d666c3862edaccb1900000008fc67745cbea101c750a3e296687da38b6bc7877bf6b550fa788fba7f803f9f668721bc1dc45419af0cb480aa3fd6086c26adc58c8bb616454433d280cda55bb2b38bc2effcbc4ec8f0f736cc63e52cf32075ef02e7fdd6c6d0e5707a8b82f885227145b6d13d39c169fff4b2cc9e191d33467f59106b2e2538dcde6f694ae0793262d486f8966b360cda56760fff28b40000000c809936359d2684e2cbb451945888f30fb1b575f343f2ee201c34be7f13b9196970f6eab78dfdd9c885f30740edf51fd2b62a0e21b743d66c25817330dd92f31	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c00000000020000000000106600000001000020000000192ea2676c908e92d63b2ce60a0eccdcc987fb566b458403048cc2c9f2e60f0d000000000e80000000020000200000003f2c3585cd7a957c754d2b2f93eaadc0aece1f56e39132d7dc169d4df7ac6461800100003c262f5d743d4e80b8d926526d2b34f632e135aa1b9c825e83b7e40ca4843e6b2352d23d53373d96d180cbd325e8f1609b64958da888839ca37272cf30573bb9c8467fedbb884f351a30bef1c573b02dcd893c431d5c5298f36261a8bc7533ddedc1ee7103f1e1314acedeff52009ab1eebd8f0d6f60fc4bdf9cdd50d4c1617c96c7b04632d92e5c7eb394866162098829f9aadf5be6aa631ab65dff00e2b94066c466357917775ab41d45c3618e100cda62925756355ebd49a0a35063974e56811b7b21c1ae8397bbd07b6846615e26deb926d3b651e8509b567e3a19277239869b752dc117b7fe47cac7b17fa462c7c9804338c0d8b0786b74670f8269c3b784423d687d3b220184cf8a509f9764c03617138c365e8b3c3f0e74d196b1add554a79ddadc77fac690ecd864be50f19c6db145904984b60adbaa7939301513827b78d83cfd84c3d57a896219cfcd1b6ecf5fae595e9dd29d362b77c31d44b3f8aeb6a880056d8fc52295c193ba2fa4ba1608c3fa8ff3f73f84fa1c6964d101da400000000f41afb950cec55fceb2f9339b4a9580786c9a5d2cc18975f9eeef68f9a173cb6fa795323b42eef6f20c753244e09d5995e994cb793039d127f195191b19aa99	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356124799"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f4a904b64ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1768 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1076 iexplore.exe

pid	process
1768	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
1076	iexplore.exe
1076	iexplore.exe
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1076 wrote to memory of 1768	1076	iexplore.exe	IEXPLORE.EXE
PID 1076 wrote to memory of 1768	1076	iexplore.exe	IEXPLORE.EXE
PID 1076 wrote to memory of 1768	1076	iexplore.exe	IEXPLORE.EXE
PID 1076 wrote to memory of 1768	1076	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/uc?export=microsoftonedrive=d&id=1wBI_XOY3mYs9X0xbUYpjue12ANnlZWV4
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b07136aa3240fbccaec1ba1ce4d4aba0

SHA1
1701c86c9b672f5a9bfb4c0e75e166d449cd05dd

SHA256
fec9d30036bbfacddb05f82f4b8971aeb744ab35a343e8be438c04e16aa8ab66

SHA512
059d657777bab9fd151ad3ab39c5f12a328914fccb27302d4743beff19db224e2ab691c953344b033edc56aa59153d8c16b6bd9876e3e354bd9436c569bb2692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\b1rou5u\imagestore.dat
Filesize
5KB

MD5
b22f3d277afba69d356b1218dfb27055

SHA1
69eb9d0afde1bb2b11aff4bb9376bbf4869db7e1

SHA256
dfa1e3bd538b3aa5e94ed0192dbef6fb001677aa90e64c53d4404ed4e18407a6

SHA512
26b9e83367d4e0db6ad605a1e9a7848f53571508803ba3fe49a20217d394c8f7a5cd1fb9ef59bacae5c33d400721769289aea29d4c75cf4a5c2e8101ed583fab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RN33WQKB.txt
Filesize
603B

MD5
b89de34ef48aa21caf71c0b7fc65de8c

SHA1
235071d050e7a1db62d6ea2658ef8c00ec070387

SHA256
d032d63ead0413ffd795b1deee3637617685ff083448f13236018f582b091d26

SHA512
7adc963e6abf3ddbd277b0bddd49c488712567609993c413139e81ce90bd0cf22e7673a9e4fa47602cb385ef2e32ceec355ce277d6c881987dd92c880c0abe63

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads