hxxps://protect-us[.]mimecast[.]com/s/4hyqC31pzvCMP3RigOguE?domain=carrie7878[.]github[.]io

General

Target

https://protect-us.mimecast.com/s/4hyqC31pzvCMP3RigOguE?domain=carrie7878.github.io

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{303A5261-DABF-11EC-A237-C2F2D41BD72F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 104e370acc6ed801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360092497"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd40000000002000000000010660000000100002000000084031922cea8c265213e91d48e136b1c8ad4189261a7de1a75c849a726370a34000000000e8000000002000020000000e368809a7b5e41e3fe5335419414f0ccda5326ca6cf61db2ede79d5a39fa4555200000001322936ca0085d2602da8c58bdfb90a5a4d2e860a3673f9945bb44c146ced27e400000008a182790ec50018fb38bf121473508ba2e423aa7398fcf44b0fbe5d64f38f1580e2edf036e5c791b8a8b77cfea798fa52ea8accc931a4b6d6fea357770e64984	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd4000000000200000000001066000000010000200000000f6bcdd5ea042f2b3776a9cb2edf6c6564a15b503bef8310dc632e113e8d6586000000000e8000000002000020000000f9824e91ae82d4d3b8727344a4f2ed1ac591c043d8120d86fbcc4e97fec8b2e1900000004b5902069daba0ec1d7016f083ec3a2f5ff55b30ae13c6e8b8a10fe778710d1de87063fa6d049ec97b22c6f7623b2bb795f0fdb3d70472bd5bf4cb56856c7aab1d43e2762f8ac9493f79460fc85fffd150da830c13074645f70964ce8d8b0d94098f1ac7d76765cddd890c4399947fc94f0bbf8dfbf40ba5eca8d1de6fb1c728d58493ea9ae7e874b1ac3a2645431a0c400000007e4042dc241207d9049c4e549f273e19ed864c67c7b769d0b6f9b9939b2e08d19cccf9ab1b72fe00ba0d70980320c9e29e98e081b963e5e88740194195a434b4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1056 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1056 iexplore.exe
1056 iexplore.exe
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE
2028 IEXPLORE.EXE

pid	process
1056	iexplore.exe

pid	process
1056	iexplore.exe
1056	iexplore.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1056 wrote to memory of 2028	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 2028	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 2028	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 2028	1056	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://protect-us.mimecast.com/s/4hyqC31pzvCMP3RigOguE?domain=carrie7878.github.io
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d21d124ca50d5f84386bb7d3b34f3c20

SHA1
5a128d92e34e1983a282a7d78df43fa2b5c46683

SHA256
f2b00ac0220a899738b1a3c3407a7a0397d8dcce6698ce356b885afc67b9ed59

SHA512
0034d62c6b566ce0868b6450fac0ccc07d7d3d39e162ef276efaba8816ed8192f89ad39213f415b80bd03060e897a1131064284c1bbcdf7f32288d14c4436b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
Filesize
5KB

MD5
82e5e9c48ab9979e7d0e5a1896b831b4

SHA1
99b93575a51a7de7c670bb083f8814c5cb5c2b5f

SHA256
c918820f6f8f7565674401974067c1353693891cbb502815a38e145013a8d12f

SHA512
b0e4e690f192ef53e6165b162c0d46aa643435c0403d3bc59dd5d18f8653d41b97ac2df61a0efb9bd29ce67e9c032bb1608ee560889f778a427d4c0d74e14c40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DT6LGE2X.txt
Filesize
599B

MD5
87193ca58b22a5b6f6139f6928929795

SHA1
9ca8f02f03117413b18745d6f0bcb0fcc987a562

SHA256
2363093c1ad5eb3b396a9ad4c96b99026eaf8e276ae7ac6cf8d27644ec710311

SHA512
48a69fc76fd520660878f931fef0fe3c24ce42505837ab221f1e036ba27105355d8ae691ff6046029444b78446ab27895ea4a370399a0dfb186de29673500a99

Download Submit

Analysis

Sharing