hxxps://vine-magnificent-prince[.]glitch[.]me/#YWRtaW5pc3RyYWNpb25AZXNpY29uc3VsdG9yZXMuY29t

General

Target

https://vine-magnificent-prince.glitch.me/#YWRtaW5pc3RyYWNpb25AZXNpY29uc3VsdG9yZXMuY29t

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00faa5d21e71d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000003e757bb60a78f043aa0902079ed64cf31bc01c7927dc1b1b738306763779eb99000000000e800000000200002000000099488e3f20559859fdd75592665a155c5b76c654e47cda2ca1715c04d3c1a20e20000000b6c94d4778d18c17599090594f67ec0c24272532f898fbf7c68c34a9db7c0cdc40000000ebbdbba1d9ff42bebe010539acba55ae50776d2df783b669fada1ae69041adb74b41eda2763e645b5de7297804aefa63659dc7bf36d63c8a73086742eb540b17	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F50AC8F1-DD11-11EC-AD78-F6DB027C05B2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000007720de7e9304d34457ff43193052f7b16bef31d442f897222c62b097aef43551000000000e800000000200002000000005bc80179b9202e13ae0dea379ee500a973ca0d6364fb5fbc0dcdfcf76fa6ebb900000000fb65fe76bc96c80fe5be81b354a6e3a50374e9327fb1c71566299f2a3aa54c47bfa2d1c03c70702c434bf2fb8b9e4fff9e1695b26d6ce342090061541816ab6548feb3d2b1d4d58f7c3a3b0510e1ad910ef1fb42eee1caf226da41134391931a373c942a499652d3fa58d667fe0b72645ccadf57f3694cf6ad230dd7b2bef130bf642bbcdef25c0897e5f1f07ec2a364000000040b5b461b9fa4910e0fe42a8827cedc5e20eb0d7b2be68febfb692193d155b75001433fc32bbe573361a737a84471c2347b1ff68e6d9d40d5750e164f24cc5cb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360347949"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2032 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2032 iexplore.exe
2032 iexplore.exe
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE

pid	process
2032	iexplore.exe

pid	process
2032	iexplore.exe
2032	iexplore.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2032 wrote to memory of 1532	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1532	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1532	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1532	2032	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://vine-magnificent-prince.glitch.me/#YWRtaW5pc3RyYWNpb25AZXNpY29uc3VsdG9yZXMuY29t
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
03994e9563eb2dc07aea6ef0f3ebad13

SHA1
9366f175b7b298df463dfe78e5f4c69c13990402

SHA256
aac9b988f739b86a115f35a1b10563a848e2c9f0ea2110412e5920aea354eed5

SHA512
8a65d596a45a9e3c5214edf2556c53155debec3c78cdaa5b988fd3f56f6be8149a2ffa1d09bde4fc38ddc3f24a6b5aa40e853ed0f2dc5e049ab88719306118ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat
Filesize
4KB

MD5
63b2488f74d10015311f98e7c0fe0177

SHA1
66aa93a8966ab93e0299b616df9bcbc8cfa983e7

SHA256
5df9c3415324986fa15c424bf121e45c7c84161afd2ffe06b16b4f2fbca3fe1e

SHA512
f76144481feb6dae4c120c8657e3225c221fceff8c0401062776795b24eda66d326d07783f7c1f223f0f84b5370cd0318cc1deb34cc9dc3a828c567974e41d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V789HYVY\favicons[1].htm
Filesize
338B

MD5
8cc7e58d958b262cf73e9979a22648ff

SHA1
0e44b615e7814ad658fa5f1e9e6e359465e38994

SHA256
1453adac4bc8edcab779ba026236a2e45c367c680e061afe000ed7f4fc891b1e

SHA512
b6874c66ee91ab517696aa48731b062f1510271e9014b6f00c398f9880ff2f726f85b40d2beac6f9d815095cf170fd73605c1bab3f69582a06e2cb047cc6bc29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M03B35JA.txt
Filesize
608B

MD5
fdcb80180492b6eba6d39950e9150aa9

SHA1
b0a175d10eb37193904c9f89bb47e0e8631102ad

SHA256
d87ac2ff310ed04410dbc7db89aa08df6d5ab24154c116b477cb9aff87090ee6

SHA512
d1f151b288bad109af2faf41e32b57270bd33c11d6777b411e4efe6ca0314f805d3df1e57b97d688879803c23114bd194b397b0c3d221725e1008b08c6fab373

Download Submit

Analysis

Sharing