hxxps://serivce-trackinguspssinfo[.]site44[.]com/

General

Target

https://serivce-trackinguspssinfo.site44.com/

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec0000000000200000000001066000000010000200000005ff545995919e1122c7a3c4f710c989b63aa869ad618c7432a354bd6d41e8f57000000000e8000000002000020000000a7eb30626bf8f28401df282e9267cd91db8ce9f9c4ee16e8bd6f0d25daca69db20000000c63eb91cce950cd2c9e899a2b9f2a6d8a12cae8b5e9a4df0d068fc8a644695e5400000001448605293d186820f91e7b0761a319516d3def38f23c188324037c1d6eeebddb6d402111c92c49aa67b5d254ad2fef43456f82123aec891ec1e906088d037f3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec00000000002000000000010660000000100002000000071bf822b242d743f8dbf21a33278ab539dc2eeabdfaff1b7873a7e50a3b64203000000000e80000000020000200000006ae5186848a316b30553482421c506da57ca58ee14887015dad1df6130a3377c9000000029204551555b9f87cfd202962e794a8e9d740f5562736a00a61c631dcf29acc40d05b7b201d87270e4a5fb592d3cfdf35d4a7588663219789935bfdaf1465c86e20406142598cfa029ffc424426fae127096d4f0830696d082319e96cfb44822a64cb1a39935aeac8e4001847d314d81288b3224bbb2b9d9a830a9527c68847b0b1ab37f828c5c241a133a885e8ff2b64000000062dea8cf428ad2a71225b98e3cdbf92392cba8427c8eec18998d7ead302275a72b6b4f89d2053b4c0158768931476a43dc65e6ff14058736804608ed19167d85	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901b9ff70c54d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E839481-C000-11EC-95E2-F2A7A8855ABA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "357151679"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1232 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1232 iexplore.exe
1232 iexplore.exe
964 IEXPLORE.EXE
964 IEXPLORE.EXE
964 IEXPLORE.EXE
964 IEXPLORE.EXE

pid	process
1232	iexplore.exe

pid	process
1232	iexplore.exe
1232	iexplore.exe
964	IEXPLORE.EXE
964	IEXPLORE.EXE
964	IEXPLORE.EXE
964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1232 wrote to memory of 964	1232	iexplore.exe	IEXPLORE.EXE
PID 1232 wrote to memory of 964	1232	iexplore.exe	IEXPLORE.EXE
PID 1232 wrote to memory of 964	1232	iexplore.exe	IEXPLORE.EXE
PID 1232 wrote to memory of 964	1232	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://serivce-trackinguspssinfo.site44.com/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8cabda8ff5543da5e05b44a7e69aa2d0

SHA1
83633140e42f19fce9b5fa901c247b4e80f508b2

SHA256
49417e2ffd2a02e160c831cfdb634c64eda76b08f8ad2069e5bb68bd795d6002

SHA512
56e77b8156ef98ad934b6ec909b0f7618c73c2d0519dae26c187db429afc65df06e8e3582ea0eee3b86b8722886eccf48e5de809159ffcbe8883738f72bf2fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9os4y76\imagestore.dat
Filesize
5KB

MD5
56624e0db21f282f684403f97228a1f4

SHA1
39890743be99c96fb83829a9755c3df1b40b561f

SHA256
46c6ae8e55e5b90d945e9762615a3511399772f27799ed965ead2d81137172cf

SHA512
136b930eea13f05595a2eb2276a7b8e214132c2d0ac7fff07e16c42a78b2fdd57423938ff50ca2c048e7eca671a8c53b31ba2d5818797ffe5c7cb2b6562a543d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CC9X36NZ.txt
Filesize
604B

MD5
9754b84f3b276096bfc7751f3747e0ff

SHA1
7849cc233da16cb4a33b85f946fef2964b926e2e

SHA256
0a362fe9be42535cbb4d9d25e2ea9fb0fbd9e58a4aff326c68f701754b4550f8

SHA512
46662acdb1fe2d8de7bf56e9010dfd06834f46c69c60cf7691db90b71960c077f3fdcaa0cae3f360cc3cb414a8920a68fcc43c53e2c52d76187181e7f656f912

Download Submit

Resubmissions

Analysis

Sharing