hxxps://redirect[.]viglink[.]com/?BLZENNMKAXPYLWSPNJNT&out=WJOKNZ1688254193drzoopTSOVNMGZB%2E%76%64%31%6C%2E%70%69%63%73%2FHTK%2FVDJJBC%23%2EYzJGc2RtRmtiM0l1Wm1WeWNtVnlRR0p5YjNVdVkyOXRMblY1Omd0Z215dmhya3c=&key=537988228e2fcbcf4abed7388e7a38ff&KFCWZUWCXGFRGTJKLALK

General

Target

https://redirect.viglink.com/?BLZENNMKAXPYLWSPNJNT&out=WJOKNZ1688254193drzoopTSOVNMGZB%2E%76%64%31%6C%2E%70%69%63%73%2FHTK%2FVDJJBC%23%2EYzJGc2RtRmtiM0l1Wm1WeWNtVnlRR0p5YjNVdVkyOXRMblY1Omd0Z215dmhya3c=&key=537988228e2fcbcf4abed7388e7a38ff&KFCWZUWCXGFRGTJKLALK

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30972811"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007155c84ebe0c16498da68d9ff24e7e65000000000200000000001066000000010000200000008570fc6676ca9f8a74805168a0e3f64c9ac45b273816a627a434de9ae6d01278000000000e800000000200002000000059dc606d52cdc8732c32be2f52f099a6616b9bfd1f8b484cc3a3f7d4771360a6200000006f61644119fe719767376d25ebbd5843a70787aa537fc7c5b2502f2a45500f12400000008a6bb36957b1feb48b646e46281afdc54f78bfd1ffbe12b8756cda6fcc89d2007adb0c22207ef587296385283925206f6df7fc8a06b799ba761fcb32a9bc0ca3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3439510547"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30972811"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3465447750"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c03e70cb8b9bd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30972811"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3439510547"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F868D129-077E-11ED-AD90-7E7E0F8D8E49} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4756 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4756 iexplore.exe
4756 iexplore.exe
4136 IEXPLORE.EXE
4136 IEXPLORE.EXE
4136 IEXPLORE.EXE
4136 IEXPLORE.EXE

pid	process
4756	iexplore.exe

pid	process
4756	iexplore.exe
4756	iexplore.exe
4136	IEXPLORE.EXE
4136	IEXPLORE.EXE
4136	IEXPLORE.EXE
4136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4756 wrote to memory of 4136	4756	iexplore.exe	IEXPLORE.EXE
PID 4756 wrote to memory of 4136	4756	iexplore.exe	IEXPLORE.EXE
PID 4756 wrote to memory of 4136	4756	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://redirect.viglink.com/?BLZENNMKAXPYLWSPNJNT&out=WJOKNZ1688254193drzoopTSOVNMGZB%2E%76%64%31%6C%2E%70%69%63%73%2FHTK%2FVDJJBC%23%2EYzJGc2RtRmtiM0l1Wm1WeWNtVnlRR0p5YjNVdVkyOXRMblY1Omd0Z215dmhya3c=&key=537988228e2fcbcf4abed7388e7a38ff&KFCWZUWCXGFRGTJKLALK
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4756 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
d29eea74f050bc7315a858980e1180df

SHA1
540b2a1430112b1bf987437bfdd746d234278dda

SHA256
64938d4cb84b765cca9f32a8825588a48322a5d6dd5c21244b98eedd422d2e88

SHA512
871723ce52badc3001df5eec0305ba1d0d634917b1eec1ed8e151fcaad837cb7613b1816d437fe2b1f655fb3a3743ffc5ee79437a5772f4f2c3c00f42e472777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
3599c18017a77f2f6a3916b01efc1ec9

SHA1
8818e5fa362f2e2882d7f6e60c31d227ceebdccf

SHA256
8f9d546dc879f7ae2fcf1b87864a9154d8750bf73d4aab76cc6c1a3768d4a72f

SHA512
86a0b9b5417563ea741730af42aeb507074c288756c4c7ab57d8fb14b586910a80c141d47273b007d2ab7bab85f1fe6756967c33af7d60c13cabf608d5e9b5ad

Download Submit

Analysis

Sharing