hxxps://subscriber[.]jiangcibb[.]top/SubscribeClick?gk=rb&kf2=test@test[.]com&6a5=&gor=Gregory%20of%20helpful%20cats%20It's%20not%20that%20I%20don't%20l

General

Target

https://subscriber.jiangcibb.top/SubscribeClick?gk=rb&kf2=test@test.com&6a5=&gor=Gregory%20of%20helpful%20cats%20It's%20not%20that%20I%20don't%20l

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\ = "13"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\ = "86"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\ = "97"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\ = "155"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "97"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000006869fcc4f6348b3d73776eedb375995d8f8ed1ba229da515233cc0032c310ad2000000000e8000000002000020000000c73b9299fd4722808207b469d14abeaa87bc11683915e38e6ba8fae16379056a20000000032c1f928470a6e4f4220901b09356a84afd6f454a9aa63403f37ec32c90b4124000000075236a5cfc9e461950aa1ec0ff9da4e997e8e5d0c96529a92c02588c2c17f2ed07d78cb92566b24b4e29c4c6a21e2e4a945e761bbee3b6799b6cff463288911a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\Total = "13"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\Total = "155"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2649D1C1-D9DB-11EC-AB4D-4E28EF19992D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "13"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b0000000002000000000010660000000100002000000063dfbd8db78c06c730a008602914a25cdce18869c251d686a86b98367c1fca43000000000e8000000002000020000000cc3699c9cbe875e6818f8414c76cef71d496345422b96afd8102c95ef506a6ef900000007c7172987296de7997df2d3090c3c98766a49898144169875843da29235d9395f24ba1d088be9da691ece880adc71475804a377326178cd4e37250178c47903031f771c95fe40a7854ef159b24ffbf5f1f0bad862db99b704bdf5591b6d3949a1c7977283d97f793de41c3f1b87aa139fdf151044cc7927c616eed0f18f13dbc233589241fbc0bd4e10fe7d26c59aaca400000007c384426e86b3ec1997f2ad44288ac9342006dee9bff3bed3260bbc89d6266693213fd6ed201269fe2de627ba9ec7e6e77e842f4daa05d949da8f820c925554f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ffc2f5e76dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "155"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359994556"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\Total = "86"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\rbusanet.com\Total = "97"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1660 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1660 iexplore.exe
1660 iexplore.exe
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE

pid	process
1660	iexplore.exe

pid	process
1660	iexplore.exe
1660	iexplore.exe
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1660 wrote to memory of 2044	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2044	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2044	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2044	1660	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://subscriber.jiangcibb.top/SubscribeClick?gk=rb&kf2=test@test.com&6a5=&gor=Gregory%20of%20helpful%20cats%20It's%20not%20that%20I%20don't%20l
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
75c4ed30bd228bc6af91e4a7895818c2

SHA1
2240a065a3faa114b48e0731f2d825c0ec63598c

SHA256
c7c791c048c49dda04cb6b04e4364af68fcf85086bd9164265bb44b569fd1c28

SHA512
3cc2f1601c6e1bba10301f6944830a1633bd3896654ac36838f0b1d3b1d16cea853de4f01ecfeb0ded52807c7955ff1a43461725d0f88cb9ac15df0710d95b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
Filesize
9KB

MD5
9099589ce5831103c4c6ab747dcba9fc

SHA1
2ed617ebe1c134dc7049a934c9e13495979495e8

SHA256
52607ecc7e40b7a84a88cd80055970ff255e34eecb10460d9e65a939299ad098

SHA512
f1581762b63672ecc1fb7bcd7e3faa3e8ebc7e613a606c5aca028d876a98f229ae0b7d6a569f16803e01710afbd76f014aa2b7404259f711a7d02696b91b5bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
Filesize
11KB

MD5
bff6a515f469606371f3dd94152df0fc

SHA1
49e0b6bdeeac36bc57a6bc2f5d9316353acbd78e

SHA256
692a69b7e2d12a733f468f66ca0d0a0c6f1fa80955eaaf861e83c7550b0c9471

SHA512
040b8aa9edf5a5bdf0c439397e235e0f013bb4748688b7dc1630ed6df808e743334f7aa2a2542edc1aa44fd034c70d50115c0611bc58739c328a3aba53751756

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NW6WS3CU.txt
Filesize
601B

MD5
cdefd4c23f8642d2e0aecc6c197dc9a9

SHA1
938c2b88854ebdbfac66d92458f9edd138179003

SHA256
a600406b30215674a1366d2469af0e26199f1f00c45f21b698a8c921bf1b490a

SHA512
493f3627d39399bc9a0dac83c4432a07628cde94e7a3f5248f405186618d874bc60b9814c3a174781e124e89551c413d53713c0aea3f15cd873c4c97b19d8eec

Download Submit

Analysis

Sharing