hxxps://go[.]pardot[.]com/e/984471/ail-paths-one-link-Fax-Outlook/8brb2/106206937/massimo[.]panchetti%40snai[.]it?h=Ho1v6XkzwFcBEcy6U-6lI_B6baHTlQy7tzJQVHZUz6A

General

Target

https://go.pardot.com/e/984471/ail-paths-one-link-Fax-Outlook/8brb2/106206937/massimo.panchetti%40snai.it?h=Ho1v6XkzwFcBEcy6U-6lI_B6baHTlQy7tzJQVHZUz6A

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "260"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\blastinginsight.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000009715bb7b016d81a6a945b59c041af1351832cfaec9ee3b7c8eac694550617e4c000000000e8000000002000020000000eca36bc92a31241c697a7838156101dc49a0dd16c379e88be3206e436588879f90000000b2e68dc4d5f569e30764f5034fc048646f97a2b75306d6851f8af28ad38c7fbc9c256d530cf4ed2163874bc959b88bfaa6aca216cab95cdcb8916472c98bed50af0708f021de24c2e103061bad63ff5ba531c16b70a83e01e503ad74f1c2f8962f8a5b0bf4d460be252f73f180136b285752d32b30c7150326f2b0bace57af0801c05c592fcffc54041b7b9e94f2c181400000001c30d85f3f1864c19d8d4e899f7d9831011444ca45c27684678fd08eed3fd5089e7c62cda0a6878ec93e95653abf35bc80fffea226204bd24567e26956486980	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "260"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360061520"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1007C1F1-DA77-11EC-8E78-5AC3572C4626} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "260"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0107eee836ed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000000f3c2182342c9e83daeb1a3bef2d7ae1f1af4b7b5311b4d72193e997874c0ecb000000000e80000000020000200000001257bfa1309edf0c803f074ea1dc5d9fc7f4cc1d495998cdb3dca39d330995b0200000008bb00b44a79fa6503b192c6d963b9fb321926974a4a590e84e675233dd6438d34000000011e2e1e7516fac74920895a2309bec7e01552027f57103008c1357fa471fae26f497f315773fd1d0201b1c1801cad8d5f4d6a5c23d1a617f9afa26ea4395ce17	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\massimo-panchetti.blastinginsight.com\ = "103"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\blastinginsight.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\massimo-panchetti.blastinginsight.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "124"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\blastinginsight.com\Total = "103"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

332 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1684 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1684 iexplore.exe
1684 iexplore.exe
332 IEXPLORE.EXE
332 IEXPLORE.EXE
332 IEXPLORE.EXE
332 IEXPLORE.EXE

pid	process
332	IEXPLORE.EXE

pid	process
1684	iexplore.exe

pid	process
1684	iexplore.exe
1684	iexplore.exe
332	IEXPLORE.EXE
332	IEXPLORE.EXE
332	IEXPLORE.EXE
332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1684 wrote to memory of 332	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 332	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 332	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 332	1684	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://go.pardot.com/e/984471/ail-paths-one-link-Fax-Outlook/8brb2/106206937/massimo.panchetti%40snai.it?h=Ho1v6XkzwFcBEcy6U-6lI_B6baHTlQy7tzJQVHZUz6A
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
1KB

MD5
d69e0688754ca34b5cb349fe5f221157

SHA1
ab341a7d908731585f981f9faea787778c60dbee

SHA256
ce1a716d5582174251790c3e4f513b5759354cd2690f005bfac96390c30e24e8

SHA512
15ba6681c549bef5ae03c9eda8e022bbee47056e186d010d30e6ee4eb7134f64427ec02ada6df4b329bd3f844761cbc8ec6a2baa63f0aefd2ac00a7eb6061260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
434B

MD5
cfa660e99e3b9fd9235c601d7027d948

SHA1
0bd6d23047a0e5d0615b317e3fc86cd4b5cf5f8a

SHA256
39e9cbf224c7da1d2c4e3e185243f6c7abd43b952da2b50d1adc11ac66696b7d

SHA512
baf15180d80f642459d8ba6f3f5b6b74782133bcbef8291b91d9b5439d50405bc4cd213cc15b4413979c6667d617c5898aad09934f380cdddbda66170d77b99a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3d649c84a4c95302c10d267f48a1e240

SHA1
28fc643d3290076fb483060b405bad8ee2fed28d

SHA256
abd4239f3b2817e755c802f085764c7a89a7474813ac74b94ee681b14f418443

SHA512
1c4f2d5ee5b7d2f3592a07e876b00a7a8fe0b3d24e1803527faf219f806a31c4ba1db0f0789a23790279b931a5dd7010a4d7c712ebfbd3721908da8d85795a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat
Filesize
22KB

MD5
8c4a78d8d30b3543dd3e5426f4416aa8

SHA1
f03b07257c08f1e54b365fbff1f71485cf212072

SHA256
326ef1943dd809256a3cf5b4e8e9ddba757cbb9a480c13d7fd381336f5a581ca

SHA512
1acc271498dd796397710735aa3bb6c3b261e1055cc4bfbc781f461dc8e82fa67bd673c812653c1becb47cbff8f9a358e5bc835c00bdb649b41ec5bf956613ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JF3NM9VN.txt
Filesize
608B

MD5
5764f96c200ea8b0b244fed011367429

SHA1
fe3a59e5af03eb9365b902719d25a6cf1ec3f7a6

SHA256
28e56aeb8ecd4bf599c932d1cb67474bb5d6422db981c009b14fac957d8918bf

SHA512
2d79882a188b4421179d9d20911b1e0ca2d378e699830c3dfc6e24ff7cece0c83a6b3984ab0d00163a308e88650cac3062b339f25c0e1b4bbe2b62214ad5acf9

Download Submit

Resubmissions

Analysis

Sharing