hxxps://dweb[.]link/ipfs/QmPJxMfVhb62gJy6dLSDJKDwfeFpGFbPgHDrqeAjyuKmRz/index[.]html?email=alejandro[.]espinosa@begrand[.]mx

General

Target

https://dweb.link/ipfs/QmPJxMfVhb62gJy6dLSDJKDwfeFpGFbPgHDrqeAjyuKmRz/index.html?email=alejandro.espinosa@begrand.mx

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000c051f5600d56119877bbe54e9b9294b5157b9a58a48eb86bc388740a7c85947e000000000e8000000002000020000000a16f1ef90a4878a60fe5c2d765e2ac71050d95648956f834e004c7cfe731632420000000ece5b981e509b57f6511891ddb2dcf0b984d98237aaad60c5f6ad2b30dbbdcae40000000dfc7c2d491c2a9cabd2038f6528d283fb8bf0262880eab31fa61a2389dd5b4c2cdf81f9aba0a651c1e85450717f1cc23cdf1d971ee5bc068a492b88e43489ce3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362077081"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3014bdcad880d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000009321482e9df5f9975003b02dc548c621422b24273fb564ab832c8099d8bdcb13000000000e8000000002000020000000f68ff65183a76fa86d45ae7c5eeaf8eb21f54ded565a4949326e459dc7c3fb1b90000000deb280a625ebe45281e10ddf861079af354939089b7e9fa85ddc11dd63406e0fa01d88edf865f4a2a925dc34bb734a3525ebec2f6651c6be3cd145f3a58676fa304a08a2833a605ffae09db87ed60870ef306396c1504ff94f5d1cd706accee02455b49fad796f8d64f5c6bc3dbc7f188c075eddcd8aef643c028e453aaa13302c93834bacd537f330744e42551873b840000000d5912313097f9695671f1b1509ab56bce6cb35922cc305810b8606c8b63af9139416621ef551f3ef6e01b5c267cb2465895870ed65c7a3e51771497ea09f8238	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5478AB1-ECCB-11EC-B1EC-4659A2147DF1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1120 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1120 iexplore.exe
1120 iexplore.exe
1132 IEXPLORE.EXE
1132 IEXPLORE.EXE
1132 IEXPLORE.EXE
1132 IEXPLORE.EXE

pid	process
1120	iexplore.exe

pid	process
1120	iexplore.exe
1120	iexplore.exe
1132	IEXPLORE.EXE
1132	IEXPLORE.EXE
1132	IEXPLORE.EXE
1132	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1120 wrote to memory of 1132	1120	iexplore.exe	IEXPLORE.EXE
PID 1120 wrote to memory of 1132	1120	iexplore.exe	IEXPLORE.EXE
PID 1120 wrote to memory of 1132	1120	iexplore.exe	IEXPLORE.EXE
PID 1120 wrote to memory of 1132	1120	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://dweb.link/ipfs/QmPJxMfVhb62gJy6dLSDJKDwfeFpGFbPgHDrqeAjyuKmRz/index.html?email=alejandro.espinosa@begrand.mx
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6bbb904c560afba7326d16b0da861f6a

SHA1
4f4cbc5e91abc0e498451c18d81af2d0a37bbb8f

SHA256
f24424ee56b827acb73bb8d9d4e57f271b4da2b498f557d1556ff9aa5801cd88

SHA512
9979291ebc2473e5351539ff087676c251c2265378b82e17ef5b626f76df06bd08533590ac6371e23c4d85867305589da3c0d61e07fdd98654f00e9837d8a6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CSMPMU9R\index[1].htm
Filesize
31KB

MD5
7dc996c03f6e42f3b2d7ed704486c4a2

SHA1
6783d9e8a15aa55cde03f7503d5269b3c588fe40

SHA256
284d57522876e81b007594390510ee6849c0c6b2ddac7f1ed8431ef174f29354

SHA512
136fca6ec6e2a1b99216998bc5751dd4529a9ee028561a43e42fede65ee1ba0bbd068701b754b360cba90d394badd2e6be52bd46706e6e80c6e8ab58a8eaeb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6KI2D8WN.txt
Filesize
607B

MD5
493c733936112f762809484a479385a0

SHA1
edec5f5976178399c9f2399432b8e4c0644cfc70

SHA256
7d3f91efce88330129398c5e4e8b02de0b2b1a4250455487d9dad3ba559c25b3

SHA512
9fb5a9d37cf14293576b180a04264d8816879bbc11d5b0f18c90d039f07d9cc64ae8d8b40bc9b8eee554e3dafa54b49b81a857840e6755bc555d74c63abac001

Download Submit

Analysis

Sharing