Behavioral Report

max time kernel66s
max time network144s
platformwindows7_x64
resourcewin7-20220414-en
submitted20-05-2022 02:36

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

http://coopertbrance.com

Filesize

N/A

Completed

20-05-2022 02:38

Task

behavioral1

Score

1^/10

Defense Evasion

Modifies Internet Explorer settings

iexplore.exeIEXPLORE.EXE

TTPs

Modify Registry

Reported IOCs

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6579A3C1-D7F6-11EC-A237-C2F2D41BD72F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd40000000002000000000010660000000100002000000010bf97cff6ae8461f3682966bde48c15b3ef92ca8464ad9b4240d6c18ca7b3e2000000000e8000000002000020000000c300acb9f9f1d1bec3960b9ede7a254400ce0e8c318a32621ea564d4788dc9f890000000fa0cc6cc8eda79432cc505039936dc66e197badcda8708d972aa68bfd93d33703da053f79c96b82b51ae8b9bd48220aedbe3a86d528cc4d9f69c1a864246c8c09c517a333b003f0bee2b7f75eac62d97da1f6c3acc7c68a039a82ade27a9789524dbbcb5f607f522a5b5c633d9e5a73fe1f516a03698e93115579af0c0158e89dcdd7a1f7886616276fea4ae0eb021a840000000c833d630dbdf1bd1e7b55d718f5123f04d348b07d28d80a0cfee646a4806c0f7523cf03abb3679e2da24429e5bc95fa7f192143fe88562ea7f3fc42045a6a2e9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359786356"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20bfdc40036cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd4000000000200000000001066000000010000200000002a1d32e5e5dd056eef8b9f1e893fe61ac68eec7951ff5b24dfe4a3bd2abe9f5f000000000e80000000020000200000000815a42dc2d992a053f5920e399c7b136d07b91535a9cdc64d2eeb043a9f144120000000dc738b645e46c0dfef8f0718cce3b01e536d6c991c816807901674a3bdf858864000000075830958c5c844c00edd6fff0f7e001d0608fb2084398aca023799871c3f19cc19a4aef04e7484fdd8c93238b2108b582be0b0a2b2c43b8b08a5547ad46cfbe8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow
iexplore.exe

Reported IOCs

pid process

1056 iexplore.exe
Suspicious use of SetWindowsHookEx
iexplore.exeIEXPLORE.EXE

Reported IOCs

pid process

1056 iexplore.exe
1056 iexplore.exe
1352 IEXPLORE.EXE
1352 IEXPLORE.EXE
1352 IEXPLORE.EXE
1352 IEXPLORE.EXE

pid	process
1056	iexplore.exe

pid	process
1056	iexplore.exe
1056	iexplore.exe
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE

Suspicious use of WriteProcessMemory

iexplore.exe

Reported IOCs

description	pid	process	target process
PID 1056 wrote to memory of 1352	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 1352	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 1352	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 1352	1056	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://coopertbrance.com

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2

Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:1352

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0668310899df16bd458906bdd2fed72c

SHA1
3f8724bcc17960bcc0a97bb627da3772f9db9ce1

SHA256
5318915aef06af71fe5ddd3c281c3971a5a3b665127c359472a0b5bb2a691f32

SHA512
03b00894b97f8186d70f0e8ed61abd3beecb022b919e2cff8bcba848030bec77b153bae8192def1d711f5b8c69d630079f269f36cc907571f76fe71e662c32ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
MD5
5d7e441614f2c33a250c7d8350df8d6b

SHA1
3965336cac1d13c90d74a50f2de6dd820382a615

SHA256
1f7aca79255e39010c5f4fdf9aaaadb50a9f0df6eccb213820e2bcfb845b0e73

SHA512
016ba1fbd8c9587c43ba55cfff7274ca5468c8900cb4677afe338fefb87e65b00f4a8eb48ec58345447d24d6c53fdc0e1a6e41dabcc2fc517d0ebe0bfaf17a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QUQN5BWT.txt
MD5
6c52047d1b2c875ae7cf2fbb7dcb84cd

SHA1
187c411ac29c9c8eb6cd99f7f9cba312d5eac41a

SHA256
91491b60b62672379bddd0350a17b22b683e7a69e6331cf34393e4a472cf983f

SHA512
bd4e1134bcac6370673ca2998bc211f337a0f84615effe2b688531ac516ce88254b0004486d76cccebccf9e40408989af687c5bd160821dbe3b0ed58eccbac77

Download Submit

Filter: none

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title