General
Target

http://yaohouo.com

Filesize

N/A

Completed

20-05-2022 17:58

Task

behavioral1

Score
1/10
Malware Config
Signatures 4


Defense Evasion
  • Modifies Internet Explorer settings
    iexplore.exeIEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359841521" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
    Key created\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\yaohouo.com | IEXPLORE.EXE
    Set value (data)\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CDE88131-D876-11EC-8FF3-F60B165D620F} = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\yaohouo.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec00000000002000000000010660000000100002000000061dd9184c284c52fe8d57530622c6b11830e5bf68caa55ce5bf581e4c6d68ddf000000000e8000000002000020000000cb1d77fea954cf4e7db99cf2654a81fee8b47c8d0cd9ea434fd6cb926bf7e1a920000000d30d6be07326d7c6d3f054af340b556e9fd900a909599c9252f6c7f6da809a894000000064dbc3b46d5ada0082c497665846d7b17054510760b91dfa83c3f739f756e2235cdc95c87eea1d1ede939798b7fe13fb6e3fc59b69895f8fbd51a39bb3a70e15 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5051ffa8836cd801 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  • Suspicious use of FindShellTrayWindow
    iexplore.exe

    Reported IOCs

    pid | process
    1208 | iexplore.exe
  • Suspicious use of SetWindowsHookEx
    iexplore.exeIEXPLORE.EXE

    Reported IOCs

    pid | process
    1208 | iexplore.exe
    1208 | iexplore.exe
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
    1156 | IEXPLORE.EXE
  • Suspicious use of WriteProcessMemory
    iexplore.exe

    Reported IOCs

    description | pid | process | target process
    PID 1208 wrote to memory of 1156 | 1208 | iexplore.exe | IEXPLORE.EXE
    PID 1208 wrote to memory of 1156 | 1208 | iexplore.exe | IEXPLORE.EXE
    PID 1208 wrote to memory of 1156 | 1208 | iexplore.exe | IEXPLORE.EXE
    PID 1208 wrote to memory of 1156 | 1208 | iexplore.exe | IEXPLORE.EXE
Processes 2
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://yaohouo.com
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1156
Network
                        Downloads
                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                          MD5

                          e1f75c8a491f849d989dd4111e5b76d1

                          SHA1

                          977fad1611ccffb0fb194c57b4ab4227c7c14728

                          SHA256

                          8a290ddceffcbf5026457c55c9520d17e2b7491edf8942babd7ffafe73110ea5

                          SHA512

                          3d841d746cf9655d8d9e35ccffa0f80912c599ab14b3d46bb4b1387379586f54bdf670248269537d535f258f487a0f7e9bfae6627d7af8d8d03aba6fc57f4b92

                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9os4y76\imagestore.dat

                          MD5

                          58b67e7f6d9de230eaf16c2d91b934fa

                          SHA1

                          69894130aed57810532a4fc04ce4d20defbb90aa

                          SHA256

                          7e6ab8181c7b4dae4d504a95662d44e7fa41bad9f65f8898e20f1a1503fbfb6b

                          SHA512

                          5e5d316f42d5b2df03fb2ceab5f3be38028dcb838519869920161e5f92ece1bda4f63c2c10aaa22d3b6bf855480e5d2897b2d0b4dab872e11ad911736b54a0b5

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J2W67U9P\favicon[1].ico

                          MD5

                          178819cc32a7774822e3550c57cd20aa

                          SHA1

                          c8050ec440e8cc1367a6115934edc0bf94a0d343

                          SHA256

                          8565aaa87282f585b8a021ee0e693f662eb179df62890d01e086cc9f23dec1d2

                          SHA512

                          794c0578a7521c093c27a5592ab6f4874742f6db4c53e9b0b07acfecabf8575117ff1808ff0f0426594f4981f5933c756647b146b7ac815decaa9c5fcec246fa

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8BWSPB4P.txt

                          MD5

                          da6a80158d59727106a92ee41423c298

                          SHA1

                          31c8aee9dc82fdd09f56397a2c079980e62e8226

                          SHA256

                          cbe8dfc8ce15ba5963f29308445cfac41d1586b18ce9c2064fc0ef2194ef5cab

                          SHA512

                          426bf23906e625cda42c55abdd586801a934d9348ad099820a3acc61fb7369bb541633f96b6bdb69931cbf49983b68f782cc8786ee2a88b6fe92a17aa6edbb34