hxxp://www[.]norwii[.]com

Analysis

max time kernel
137s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-06-2022 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.norwii.com

Score

10^/10

google phishing

Malware Config

Signatures

Detected google phishing page
phishing google

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "2578"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30964331"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "1794"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000ed1ba6a34468c470615b9b0a73e0f9b50bbd128f09decbc6f142b67ec24f40c4000000000e8000000002000020000000b8fa816f4f323a4c5471550ae5a5da554aa5c1b24215330bbbd40a8a34d7c65a20000000ba2c5802ea92812cd459c11c39d8720e5dce5766fd0d9db9820b7dc265403d7d40000000737b2fe5091952a0d7b7e0e9aabe5e0742da46e06853cf3abe17c5650c0e618a515fa9eaac7b917e3073d9443ad1aeac318bc1754977357125d285f8723063db	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b09150000000002000000000010660000000100002000000046c7f12e81708c797a553beea00a8d6be7631850bfc97755c64dbd6ef532244a000000000e8000000002000020000000281ec4f6062e86999589643dea99c476fcf7375cc4757743b0b86880365398c620000000c13089e604c2b1753f189e0ba879b70b49ef9a658e988a20078c04905b76020b4000000049ea4d221725a1af7a901996e37358e2c5ef01a69500c0c6ea45d4a9bbe08ac043a349425190831251455417fe7b4df3df62b39a6367044de9353adb7bd66818	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "23"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "1780"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80850a766b7ad801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\norwii.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.norwii.com\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "1780"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000e0041d0474d9df917f0c14446fcb88832d561adc9d714da5488a2c3eb09ed71e000000000e80000000020000200000009b7c43582f3d08762cdfc9b32721c9e63db8f67a06dc3b118981a62f798545d120000000bd7c2f2ab03c8d9d605ca36b1c14910b4a37f14b881d58e0a4f116977c63aedd4000000048ebe0ffc516b62ba185baae833c06d3687ee245e0915367a1d731d2dfd7599b0272f15956fcfa4df1c5106ade27bc16b804e928c7a0324f48f3ac8d0cc35abd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "2578"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000e242a6341b1de51801878f369a0ded81c0a85e348821539f8cdaf0035e6331e6000000000e8000000002000020000000ee7a5bb7aa6dd7f95555b574842665c1a749a00cbf092f4b744abb48b12415a0100000008b9f58447f8d3287faef2e1d9c8c5d48400000004457023af4fddbd03e3d57854e871e4a57d1671914349859e9882a22d9e423584cca4293cf63b8c71a19675454c074057f8db8cfdcd83f4509553d6f8c5fc578	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "23"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\norwii.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.norwii.com\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60801f6d6b7ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "2552"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703aac5c6b7ad801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "2697"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\norwii.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1434174089"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "2578"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "2690"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "2690"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "2715"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "1794"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40dddb7d6b7ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.norwii.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\norwii.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000bd81a33279646a8ddc003ca1201224c5da64933280435f887d0b73c3a39e7576000000000e80000000020000200000009d3686c4c000f09ef2c1c1fc672d680bedd6bb56d8d6d7b76dc84a0f31aafc5d200000007cb8c3d97df29fa38d2080198edfc1007e5c9d0d4a97b5401a68e9f763fbd2bb40000000d5d1afacd20e50ce877d06b182b4f397a68f072e504907fb4e3ef383c2c4ce8b48273cdb023fac2604ad91c69dc89920e3b5f85fbfdab5dc209740ede50b1e6b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 404b126b6b7ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1794"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "16"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe

Modifies registry class 5 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3751123196-3323558407-1869646069-1000\{0973D790-964C-4F52-9A9A-79C1929C3E2B}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3751123196-3323558407-1869646069-1000\{AEC5A9E6-5E9A-4FAF-BAFE-8A4915028262}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3751123196-3323558407-1869646069-1000\{741BF427-EA2B-4B51-87E3-973A99787017}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3751123196-3323558407-1869646069-1000\{33F85639-F7C9-45D4-8DF5-F74886FAB767}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3751123196-3323558407-1869646069-1000\{C622A9A9-218E-4017-A4AF-ED269999C849}	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

iexplore.exe

pid process

2480 iexplore.exe
2480 iexplore.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2480 iexplore.exe
1836 IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

IEXPLORE.EXEAUDIODG.EXEIEXPLORE.EXE

description	pid	process
Token: SeShutdownPrivilege	1084	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1084	IEXPLORE.EXE
Token: SeShutdownPrivilege	1084	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1084	IEXPLORE.EXE
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE
Token: SeShutdownPrivilege	1836	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1836	IEXPLORE.EXE
Token: SeShutdownPrivilege	1836	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1836	IEXPLORE.EXE
Token: SeShutdownPrivilege	1836	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1836	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2480 iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2480	iexplore.exe
2480	iexplore.exe
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
2480	iexplore.exe
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2480 wrote to memory of 1084	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 1084	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 1084	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 1836	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 1836	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 1836	2480	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.norwii.com
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:17414 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57E58F1183043B615D462F924DE97F32
Filesize
471B

MD5
2fda009ffe0ff33f62a3aae5685731cc

SHA1
e774bab966782800d0578f0d3040192d5d03b6c2

SHA256
2b91e2d6cf8ff93cc4abd96db2aff4c0fd5896034c48c71121f174a0362b2aaf

SHA512
3ba34f121a7d704de3a3cd3865c33f6d9c890335a2a14c8b903e7b82f7ba5cffb27f03debd3d52f0595e2b929ae96e17d065171772dd1e4676b0764142618297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
1KB

MD5
3bd69c297b622e7067420e85affa9571

SHA1
cdbd66d174032a993a237fb96a6f804904239a2e

SHA256
5d64be4745b86ab8127ac29b437821ddab97a96fd7d4a72ca959947c3d56d07f

SHA512
1c309d4c21e49d216b0b5a9d0dc0c82844ad6a3b6477b2b15eb32342e8bf01c2e5a1eb210ce5ec4559b878d404fd97be81f0505440524837039f99b0ffb23fc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
72d8dd0a89cbdd6c9b9d2153c31aa72b

SHA1
72ac332edc384dcd49d3df012ebc7dffc98bc551

SHA256
3d41ce927ede4146938f9ece87be4f70357fc4c4c72f81fcb22bc13eedddb331

SHA512
0f5e8d7ec3bf92381b75f0d0d825976df6dea0f0993ecd2b45b132052394a30c7b04f9f1b2a660b8967f1da2d0c7ce0d7fc4255c6dfea722f25bb2cbe5eb7e31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D
Filesize
471B

MD5
1a7e9e9a8bb7c686c48f4e5c606b6b3c

SHA1
dc3d973733eb5c7d94c17ade49f1bfab37d4793c

SHA256
9e89c2a9e6b9c8abad562e99865cef3ea4c85613e107ba1147c6e5e72e0fd3b7

SHA512
8d15396eade3854973541a049b1e8560200b5323d1c652547f83d4732f4b108d6752f2d69c1846e5fabea4981613de04294785ff7dcfe92012248f548c0ee416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57E58F1183043B615D462F924DE97F32
Filesize
430B

MD5
40f3380ecc94cd52d4343cc53263638b

SHA1
eecb5a0b7529d3558f77ce45f1a0afa5d2e087f2

SHA256
f77a792d16a70b14008d329e9aae6091beeb92e86a86327ebbb1b2f52beefa76

SHA512
673a7b3c03dce62aa8e811fe89ae5703b9096db300d95f5310e39f2bbab0e6ed3f693caf95a29166c349601866b0ad66e85a4010ef7262748e7a467db1967bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Filesize
404B

MD5
4a0bdce7f6da1451ebbf4cbed1cf8453

SHA1
1792b9bad9f190c6cfd00598d9375ef88bb659e9

SHA256
050c72935e7bcfa956818fb1dea8563a78b336deaf7d7203f82c61d2b162a92a

SHA512
abc064643d1dad8400dfa87b24cb2c5d26b117c116257568144638feec3b09b33dc881f0d7f36af3588b72a66d7fc378278832aec1f19a4353c85fc8af4be19d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
e63a7c3d93eea2005a832b4be513f62b

SHA1
819b68e3e73b789658158e98d40d549166741f95

SHA256
674dfb95b9c63d37e04aaa3c688dfb0a2b438deaa6d17ea7454aca264ccc09bd

SHA512
127fcd660d6df8824ebd980e349fbd6b8aad1792c8dfbe3e3d53952006bd446a7b9bb8d2c4ca36d9223474d38fe64e170e046e85107f6d15f50cc58ea2b49f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D
Filesize
434B

MD5
35832c22745d1a99a8fb431f1dd4c0a7

SHA1
5149452dd95ee188f830728d3660a762de56df18

SHA256
87bba252015c05687f24758c100e125dca9ae36422b85cd516782e47f0cc61ad

SHA512
0a963282b9929ef657019d2cf68853baf74092952d86022bb179ad320222c2d849fba445b29b7bf28a424b47a21430c74dae4785819d9c4fda7507499ab834c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\98M6I3Y2\www.norwii[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2klo80q\imagestore.dat
Filesize
4KB

MD5
3f68b2a82c776006db9d59b16db7fba7

SHA1
1e1a85a65dd672c07d58d08735f1ef9057a4908d

SHA256
477e566a0c1c24c612b5d9a1f4437f07e1e25160c2a09470aa5ae46abff37705

SHA512
c6096777d4d9475d05d544a9ecd2e6ec082b7df83cb9f28cf2de32f58247ecf0b01e1055e339e82bbff4d37f862217cf6da5fc99bba9b3be2e47da109e54e7c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2klo80q\imagestore.dat
Filesize
38KB

MD5
9135f1b0ed3c8853d2a13224a4711ac9

SHA1
a37c265eee62ab3a52821a151b21a97d261370f7

SHA256
7ea949167043e8146e6b7020a9acb115908870b170c29405decea41345aa7e72

SHA512
d5ca61c457420b0cb562b29c40e59b5a7fba33ef9ea73f48838b4aea580de2c56e20f1f2f07c2b5330283e677f36976b51b65f0c3a662e064e030a5ebe38659d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2klo80q\imagestore.dat
Filesize
47KB

MD5
24221362700cdd13b34b9c04d1fd15b7

SHA1
5812a9d348ba2e55f62d66a8cc29cc3ef9ed9cec

SHA256
7706e6ddb375c95d0fd3c94cebbeb16314b7d8374b0328fdf1c3fa94caa0b616

SHA512
49a5ca4c898708e616eb255c6078f259c6414ddc8be4c341d80e019c8dc9dbb7fde49899b3ff0482dad5539e49cb12f569fd0e5c131dcdede605ed0197a698a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2klo80q\imagestore.dat
Filesize
47KB

MD5
24221362700cdd13b34b9c04d1fd15b7

SHA1
5812a9d348ba2e55f62d66a8cc29cc3ef9ed9cec

SHA256
7706e6ddb375c95d0fd3c94cebbeb16314b7d8374b0328fdf1c3fa94caa0b616

SHA512
49a5ca4c898708e616eb255c6078f259c6414ddc8be4c341d80e019c8dc9dbb7fde49899b3ff0482dad5539e49cb12f569fd0e5c131dcdede605ed0197a698a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2klo80q\imagestore.dat
Filesize
52KB

MD5
7e2fce9cf71c00c1a2988941d5f0c3a9

SHA1
9fe4147e51a3160a84f492d1d95020a09040f50d

SHA256
9797ff93a627463350d32f53ab22026806e42fff7f7c3fa79f17250951ad31d3

SHA512
db80023c717deb19c1bf3802bb6e3bc1c6ec2496d79a991edcd009a58c2666c418d93632611bc1b4f0e8c33de22b2164c5e564adab107e3f42966408805aa289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0E6KZTGC\comment[1].css
Filesize
11KB

MD5
9187448bb8f997988282ac990e3aba9a

SHA1
3ea01f0572dbe36c706ba33a53c2fda0d1f16cd3

SHA256
0db5f466658b50d0f0b48055ce148acf7262411e8a6f4f83b8133f0bedd7e106

SHA512
f016dabf8252505da78d53fbf9de31ba8dbf48823c910356b8be354dcaa0b990a3c88ad2a0338fbdf0263413ad6a28789f6b54a9850971c0a5d1542d40f5ee2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0E6KZTGC\metinfo-icon2[1].eot
Filesize
48KB

MD5
e26eb3886a94354d1337350535b681e5

SHA1
308f66a39001e6f69a6c7f811bf68c54bdb26448

SHA256
b202fac7bd8acb338f43db45bfddf25d67487a640cb78c8d78d6931e0cf8958d

SHA512
c12254063e0806eac5381404ed4044a7eeaa3e87f8fcdf9f2f46a6ff4cf1f43e232aa753482f66309c29bbbecbfe633916a1c6e200eca2dc3141f7506aa8f573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0E6KZTGC\videocover[1].png
Filesize
946KB

MD5
d5a33a4b88eb76841d89c45cd69daf0b

SHA1
e5ed02a3c10e4c29420b9961a81059f202280c76

SHA256
cc7c6d751a6dd9160a174b293dc57140ecbfb81b428a4cc915c3ba4507625e1f

SHA512
efc0e9d6bcc2421e2070765d953bbf5d0afecebff8d015113e7cf02b14bc655976834ac36f3e33085dc7abfe616073911f81349d6a5d3645b4bc5ed951346597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AWDQ28Q6\basic[1].css
Filesize
325KB

MD5
3a262a5b4c8e75e92e6d9b59413d32f1

SHA1
d85338842659a1634337536976df602ef9ecfb63

SHA256
8fa9778fafb6bd5f5974c768377cbdf3cc8aad43234468fff7f1b91762c360fd

SHA512
947bd8ce70cac540575ecb92c0f2914bbd8687bde589d572cf4892ac7c3914561d9c05cc66285a76a8ccb13864f486902fac85ca13359254ddbf3173da776004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AWDQ28Q6\cn[1].gif
Filesize
1004B

MD5
08dfcdffa7bd6bb632575abb671d3ebb

SHA1
2a20d0f437f6818bc84dfeee4f1f6eb48e26600b

SHA256
005aff666a832b5d0929eee756f9261f1dcbb4b7feb03bdda28d19b4776f59ad

SHA512
7bb5a33df99a520d69aec11d9a464b9db694cbe7ffacc9267bc6c65af5f52565cd1ebdab33c3fa40231c4f6f0d891588a2cef7910d92d90edad5be2a3183e1e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AWDQ28Q6\favicon[1].ico
Filesize
4KB

MD5
518427a176698452f1298978531102e8

SHA1
fd2c5f628fda69cffe214622dfc6d4b71e2ee687

SHA256
eb809ea15cdcd8297232ef211514fbabec460e920bb0caba0378ad33aa4d0b5c

SHA512
697dfddfcca946e7fd707a19a0d79c38f326d785bc8126a105fde5a853e5c72761b1ca0f9a4b475f6dc423e3f034719ee003bd4f93b55594be0b9b65879c0847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DNOBF6Z3\basic[1].js
Filesize
241KB

MD5
ab093ea6e41576c1566c4052624593cc

SHA1
1ea72cc8be4ee8038f05d4ca1416e5af4f52dcaa

SHA256
a17ff42a60c95b70472d26aee7f52cec13f0e420651d4aa373e67add9d3515ad

SHA512
17704b05ae0eb11ad2dd101bc0a006eb2bd0901147f51cd6762807af3f40caba21a29b205d0640274e9953396a65153a3d0d93fe3e834c80431124ec5654d7bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DNOBF6Z3\flag12[1].gif
Filesize
1004B

MD5
4c99aaff03be359192b1b78d0f3716d4

SHA1
dc61653edd9cb4631490e6463eba59906a26593b

SHA256
eeecd629487e7a4dd7b84a5aebab3cd651c9ea0eec34e8410495c722491f575c

SHA512
c5b54e794172ba93d81353ece53fe8d4fa0b793b9c2d826285799221d6c08fce1646e44f8817d9e98086e0c80eb27995e40306d9268e9ebc556c582e58b72abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\favicon[1].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\html5shiv.min[1].js
Filesize
2KB

MD5
7b7a4e3a218061d489d18edc20018200

SHA1
c30ffb887c1b5a7e0fd6ed2772559b0025ed4c38

SHA256
dd09d170aca1c1eb67a16f0e23fda993989a3333a0c495080b4e83e8e270c3dd

SHA512
58f0d375441821a512aa7def12404bcf8f51fc4d5f42b84c8b98cea74c5f7061b2fb02da72eee9e4602b7d1014b99e8f2491b52a96aa8d8b610e154e87349006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\met_comment[1].js
Filesize
14KB

MD5
1dabbf18df23103c3fac8f47b0805b22

SHA1
02b600085742784d0fda31e887c047175e0f4fcf

SHA256
071fcea994a1e8461a97aff7226534b7a007b3b2e495282608fe3c28497f661d

SHA512
73b3a9a955a4acc01f8f7e44d5bc3ee82f37189d0f455a54a7fc13a828a0fd7f6168e178ebcb6419a00c3cef1e53f02e0d13fd035922ba330de0ebb4ea2b28b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\metinfo-icon1[1].eot
Filesize
265KB

MD5
6717fd508577d27e89029fe097f20370

SHA1
e4586e6fbd752114f9e2472c89290b9746c2914d

SHA256
97fd3d02798fa7a585f40e994e91dc14b3088eb12dddd75209b8319e23edba42

SHA512
4437969fd1cf38f6b534a1a7051200804ca19fecd76926e7903a45251b1c5792c2324ee681672f3910ff8f75edb9d397dbd08dfebd95b9a8b6a256fbc0b2a066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\sweetalert.min[1].js
Filesize
16KB

MD5
f7824c735542866854baeb7a14eaa106

SHA1
a86525f7ff226db0eb96aa2a22be351e462f8603

SHA256
917a3b027553c4d336fa3978f80334ec62a01d15d6696493c08b8885df79d261

SHA512
f9a28dc25ef002da37c7f665539afc0badf0b2c746393a563b3ffd6764317941afc08afc32b5e8accd960a633f55bdd6bf50a4afb74439652b5a4e90955202da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\sweetalert[1].css
Filesize
14KB

MD5
3c31d286c360731d1915c9d1abf01bce

SHA1
a8419424dc4ecf136b0722ba4b5f6b3a98e056f5

SHA256
595dc0ec1b04f5087b66f070923a8ace8e69091db8d83ce79822b2e8f8637912

SHA512
0afc79dab9ba2a4f1c07c63afb634ac543d1afc5950c01cdcfa1da0613dcf57be714034bcc52446f482f11066727202e092d10a87390c309634b21270a4e6e74

Download Submit