hxxps://docs[.]google[.]com/document/d/1M-xyAHNIllWsSOANw_w68k_HMj5jQf7_B4jHbAL2F1k/edit?usp=sharing

General

Target

https://docs.google.com/document/d/1M-xyAHNIllWsSOANw_w68k_HMj5jQf7_B4jHbAL2F1k/edit?usp=sharing

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "32"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000003e2b978322533a09aec5c8c63dbd9fc1e73b851b31c1fc6a118389f680f85fce000000000e800000000200002000000025630a546d1ca87bcc7bc65bddc763545961f8bc3dc859046609004adf28551e20000000a7d822bd9e69ceea063abb0387bedd412cdf965431b1f5ab1f79d927ee2e986140000000ade39acbc08b7ab31f49f06f9aff0cd176027c102e6f0c9bf2c7d6cfe59bb3c7a89fd7ab2282140ae951547ebda8470c04662d5a8f84e80ff43cf23c43415450	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA080FA1-028E-11ED-9F7F-D637792D7258} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364469707"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000090be3cc3f83c63cf3bbf4d5e5d77ca01e6f186d4b8ad51d66b624e715ae5a84a000000000e80000000020000200000001c7f1198e4cec8f811c53b16fac3a78d1157b0dff73b281807e900d471198a0e90000000517b7c2297bfc58a319f57099cf27b2679bccfdc2ba582c6f42db99d63c56f04110e1b542603dd86c221d81806952f3eb83b85fa34118b72b2b06b158fa73a988310e7340fcde52f3c759902fbabe19f2af6eddd9457d1e7e40f3aac81a30b5aa75616ea7f7362e8e808f3b86ba38d02e71927427ef784636669baa70a71b31acb5aedcc1508ce9090b7e23c4fad945e40000000561ca2913a3af07d7a8de42380974d147f6ebcbdacd8bf8282cb0fa7fca85e0651d36d3b12a5ae47dfb18121694219cf639748d7a498680e56bb5d256bc24a81	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b7408f9b96d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1660 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1660 iexplore.exe
1660 iexplore.exe
2020 IEXPLORE.EXE
2020 IEXPLORE.EXE
2020 IEXPLORE.EXE
2020 IEXPLORE.EXE

pid	process
1660	iexplore.exe

pid	process
1660	iexplore.exe
1660	iexplore.exe
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1660 wrote to memory of 2020	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2020	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2020	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 2020	1660	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/document/d/1M-xyAHNIllWsSOANw_w68k_HMj5jQf7_B4jHbAL2F1k/edit?usp=sharing
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b2aff495398fc3d1173a4c246cb781db

SHA1
b81e5d455fd98ccfd312785f557a8219dc351244

SHA256
69e3a5dd8812ef3e5ba3a4a474cf7d93ec2434d31a5fb06789099419470d0feb

SHA512
15b87044fecea197cce9d06c758f6759baf19d651bb7ab73bca8aecc483253351791bcf1345ec0a354e65e5110255e44562eacd88fa341aa3bae29a49cf8c3e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat
Filesize
9KB

MD5
26f06470fd2048cf99e51d4a0d3330f1

SHA1
3bb042388a86ca03bfb6786af121f0a83424da81

SHA256
c5c4059ebb533f5b0d0980da69da1d41158db9f4cf388673d48ee5c924878991

SHA512
4eb3fa46f7c4327219a4f57821fa2ced7e83af118cd74fdb48cd36787e7049e4448038f87913e7ff8ddd3ec160f8178742c99fe3f38cfe8221cab33124c63ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E30UJEX0.txt
Filesize
608B

MD5
4f0fb3c4c1ee53ae4b76e2cb76a85199

SHA1
e76b8633c68051c1715660e9d1f487f65a2bcf7e

SHA256
ffe67c4d3890a70dda247ca6c9e5c0dd357d93486ef1fde36330d655e7b5aa48

SHA512
568f72c40a1cf2f39d62c07d257d35e3b23e74e2b7fb0487b5c7b44e204b9a7a2e81f3d13602ebe561a3edd3bbdb2407c8871420eaad1a4888b291bbabc8cd42

Download Submit

Analysis

Sharing