hxxp://rebrand[.]ly/0ljhgr6

General

Target

http://rebrand.ly/0ljhgr6

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

iexplore.exe

description pid process target process

PID 4828 created 4716 4828 iexplore.exe IEXPLORE.EXE
PID 4828 created 4716 4828 iexplore.exe IEXPLORE.EXE

description	pid	process	target process
PID 4828 created 4716	4828	iexplore.exe	IEXPLORE.EXE
PID 4828 created 4716	4828	iexplore.exe	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3338406833"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\3m.com\Total = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\3m.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff00000000002000000000010660000000100002000000094da6cbc8f685b08bbee0a0e2423bafba17a50718d9abf28317d6d283b246b7c000000000e8000000002000020000000358ba3797c22a5dfedef1184a2333a5bde5e8a2c36e24b5a94f989b7bf7a967f2000000005b1ca73b92e4b627fd2baf01190ccde6b19f482312e0b1bdd720f30f894d92840000000f65a852b74a7c85d2b4ea7945106fdac226ab19b695ddbd7c7fa66d58a4384124bd228d8b987892abef35fe00d5cec4890b73ed2403de472a46db8dee0012b6b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.3m.com\ = "1046"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30962194"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.3m.com\ = "1024"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360452774"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{05353EE4-DE06-11EC-B274-E289ED121488} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\3m.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.3m.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908576f61272d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30962194"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\3m.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\3m.com\Total = "1046"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.3m.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\3m.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.3m.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\3m.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70700afc1272d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff00000000002000000000010660000000100002000000072b3b500b0bd82e3e7dd530da37e25692d67d00017063394cf85a4e6139c56af000000000e8000000002000020000000aa2615e8a00d00ef19c112505ae2a1101d910537c914143536351f0e8c33b36c2000000044ea279f9ea6a4d24158d1c10579460c24e5f74afe295bd1fae12bcac6d51c7b40000000177fe4b8aa7f1464005a426c02d7452acf446ed54cbb0663c5ea32cda85041055d1825ea0d0d766c32963081163fa6d58b3cfe85499b76599335d562e84b3ce1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1046"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3338406833"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4828 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4828 iexplore.exe
4828 iexplore.exe
4716 IEXPLORE.EXE
4716 IEXPLORE.EXE
4716 IEXPLORE.EXE
4716 IEXPLORE.EXE

pid	process
4828	iexplore.exe

pid	process
4828	iexplore.exe
4828	iexplore.exe
4716	IEXPLORE.EXE
4716	IEXPLORE.EXE
4716	IEXPLORE.EXE
4716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4828 wrote to memory of 4716	4828	iexplore.exe	IEXPLORE.EXE
PID 4828 wrote to memory of 4716	4828	iexplore.exe	IEXPLORE.EXE
PID 4828 wrote to memory of 4716	4828	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://rebrand.ly/0ljhgr6
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4828 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d98925a17463438f8f6b145650b0da57 /t 5112 /p 4716
1⤵
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
37b13d6bec0f9d6ad3f77acc6e890814

SHA1
10154a64ec63c85f1412787b3e4a60fbbd0a599b

SHA256
6f11a9154d2bb4945e5b3c92ad4a573917b51734c08fc38c2d77ab9323b1a2cd

SHA512
148d102e23d1d9df9446ab1777cdabd4f0d5e1b89953ff75884446e13f16b851fe8fa6c23ecac742c7864efcead2398f356fe02a150f5f5e208ba32c72cdef21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
b3311b0f15f4d8e1f92f11b31cf5de77

SHA1
88299574d981f33453599e54e32fd159b0bfa5f1

SHA256
1de074a9ff2f4ec3572096bf3a80eaa51dfab0357cb88f8c3ad278f3d87007e0

SHA512
6c507595fb1cfcbfc3ecb20d6f6fc57289ddcb2c50efac49627a5495fd24ef549e99ba1e1c2ed539f5943eec73d8bfe1da940ae3976ffcf3f8ca700656fa16d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1dmutkj\imagestore.dat
Filesize
2KB

MD5
f8efef3c2e344069c9edb089ed63aad1

SHA1
9c5ece6b3947505ed1a0d97443c2016736a39f22

SHA256
bee9844cb1f4b5ef18a35c5951535d7eed9ea3f1de0162b1d9fe9018091736ef

SHA512
c586b549f19a86ee3bea6eab3a7b0fe1d73fb6c201b7e0d6b7772c32ade78cdd80249437eaba86d2dd82ed52363fb659a4fc263d4dc0bf887fcf0dccd240d1d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZY4V0BL6\favicon[1].ico
Filesize
2KB

MD5
79986902129349e2e4be24ec29797b58

SHA1
185e9e3737e9e786d222241acdb9bf924ec42c7c

SHA256
5ae4ab61528007a712ebfe7d7a9a237cc8beae0a339a953a79ee43c5b69cc8fc

SHA512
452e3cdbed2ce9ddfc1041ad7f793b2160b204b0cc06b2aec2c3f730e3dc5eba910ea3eb07903e25510aac35ea54a2fc2e43cd8e19b21681d61fb009ade55805

Download Submit

Resubmissions

Analysis

Sharing