hxxps://securemail[.]pureskyclub[.]com/

General

Target

https://securemail.pureskyclub.com/

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30df7ef8849cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b1900000000020000000000106600000001000020000000f08aed3fb56ba09e63a72f1cfa168b5d8c44d2e47f02bda24dfb477f9781db94000000000e8000000002000020000000211ccf47846c1f73e0726dd4197b2633a528ce5f2610341dfbc886e0156e28b3200000000d6a45a67d6e5e3bb5794fda21469e7ecf9bd4202bae0984d48e2dcfc81ae0c040000000bc76412a72370a810735f2064051b348a89f6e83571bf3828419b2a13398d6a16b6327527c5201f1562abe837f6c0e706502d03264513747971291f68dd12074	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{03C38FFB-0878-11ED-BCFA-5A024AE95DAE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hcaptcha.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\rvaapp.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505e74f5849cd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\rvaapp.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30973060"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\DOMStorage\rvaapp.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b1900000000020000000000106600000001000020000000193ab18471bfe11104235dbb0b585a01331b0de79cad574aba45f31c84f77f2c000000000e800000000200002000000063e5ba4a75cff7cfdc7faed8abd2a7837bc591734737e5a4e2f972dbfca4ba9a20000000aee66972f1d9c8870def60e8dcffc9b51c66e9050f3faac8bfc24b9fe27279c7400000002b3d1951a808840c80fbdc6eb1667d5905db94d0f7ca77e7191aca2682e25ba0c808f28f5fa71887b8cb30102e6dcf17aa804cf7f5f8e8927e83c3242ec808f1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b19000000000200000000001066000000010000200000009fe9befc41c65bc8290cd08fe574835ad02c4644002f2945cc043c87bf86f56c000000000e80000000020000200000009faecf26eb5ea06ddcb7c1158670c68da734d502873b7bf9b0a90956d66690d4200000009032d7babfd3eda3a1b57d1d6a3abd4dafe00459210686d799d17eeabc7881c840000000a8a56b10c5ca300bce8b6206a2557ac9f7ec8feff742ee97a8f0df6071cbb3d713e614b53ea3d075c26fa59b7cf6f9f77f139d99ee23da7e1a51de9a1b6ca9ba	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b19000000000200000000001066000000010000200000005e7593fea3b09d8bd7c1719ebc928993b201466a24f71bb8bd18ef1f3f34e7ff000000000e80000000020000200000002b462e7df3701855c2e590d29eb4a09d5e31cba5fc84a30eb87fec21672a043720000000319f24834826854cfc8dce30bb064656f083bb207c0ce7525eab6dfbbe868fc6400000002d6f684a805eed4256b68779c864e49e5462080d1affbe3712374a9612b9fef330b81b6b0bac111dc0b2da6d06fcee33946d75dd92690af7478ec390c735dce7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0fb4cf1849cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3684498754"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365119696"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04c140c859cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\DOMStorage\hcaptcha.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30973060"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b19000000000200000000001066000000010000200000005023f118a6d8d2b61b11c71031a2ac0e453365ede307a467ead98c6eb0369a4f000000000e8000000002000020000000b77e74cb7af3f832a3094782feb55a5bc172eff702e7e744a0738d17ae19d2fa200000003d0dcc7ef857dc5a0f103299dcda2d7da3f83960f78c97a9ace96302805bb69c40000000fe5eb89a9ea6f4477b0b1537bae73451822a6be643f647c00857a777070bd53df62a939cba7510ee24421812cd6309541b79f5afee1b40d40d84810b65ae8982	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30973060"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302b3b1d859cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3684498754"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3735747836"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

iexplore.exe

pid process

4084 iexplore.exe
4084 iexplore.exe
4084 iexplore.exe
4084 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4084 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
4084	iexplore.exe
4084	iexplore.exe
4864	IEXPLORE.EXE
4864	IEXPLORE.EXE
4864	IEXPLORE.EXE
4864	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
4864	IEXPLORE.EXE
4864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4084 wrote to memory of 4864	4084	iexplore.exe	IEXPLORE.EXE
PID 4084 wrote to memory of 4864	4084	iexplore.exe	IEXPLORE.EXE
PID 4084 wrote to memory of 4864	4084	iexplore.exe	IEXPLORE.EXE
PID 4084 wrote to memory of 2304	4084	iexplore.exe	IEXPLORE.EXE
PID 4084 wrote to memory of 2304	4084	iexplore.exe	IEXPLORE.EXE
PID 4084 wrote to memory of 2304	4084	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://securemail.pureskyclub.com/
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4084 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4084 CREDAT:17414 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
954a26cecd9acc81ecf7b163ad05e3d7

SHA1
60f84ea5aeb972626ef985f405abbdeb70972bdb

SHA256
cf87a638fc760c079c55a6e7645795066e106db0dd558254462ec48fe998a66c

SHA512
532651b4df55a4e6b40fe2345ea184818ce9518a9f3958716af8c8271a3f58aa7fd636a58795ab3a70dbddc7578e14eaeff6a4a2a4f051e15b41ef08c5e514d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
71d40f5524a8e0c2eb57bac45da7596f

SHA1
98c578c38acb26399cec05ee0df7bfb310c1fb62

SHA256
cf8e7b92fbe7156b25493938c905b16deb8edd9e133801519402f8f59ac049ec

SHA512
b3d4f2bcd3bd491f640f8c0f9329fcd85af38fa4832357844d3345e6841e18046f2bf2e25b7e1607b28b1142979b15cd984899a094e66e8b3bb25ba63c5a9e74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
396B

MD5
069cd90190af03518c149a85e72cb0b7

SHA1
c770679270cfd85ba1d7d3e3c1de4674f282b874

SHA256
3283ce3d863a56416e0fcaf624e3c8d8e87e2dce4bea4aa052da01dae2b9d3e9

SHA512
d66c7943f307edeb65ffdad9297a2fda70b77acc941d33e81541f313b20b153dc9feef39ed3e9048cca5a38554c66bc5743198e7585e0840dece37dbdeb25a5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
400B

MD5
accc2d316b6a12e8b35307d501ae79c5

SHA1
045e56b6c7253bb7b7f5ec00f07431f776dc76b3

SHA256
e507399b3e38f6223fc99a92bf39f064b0f50306f03a74a553bba2bbe052a6f0

SHA512
21d38e5b851a075e188925e52dea7e24478b0ea19d3d9cd0cce15ac5288779e6854c2e61cc9e81dd44c782ae778b14dde3be21b9d23db4262986830fada97453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ao17cnw\imagestore.dat
Filesize
1KB

MD5
fb359438c7ad7f752f3b399e701f592d

SHA1
e19d41e406b451148591409ad3fabebdd82e2695

SHA256
24c9b11da7ba82f77d550f29727228d6792f09a133a7e12a98ae575a860284f9

SHA512
445a81e27c9cc7f942bcfd3451b4b3708b41399e07fa97944ce9fb1f7ef95c3774d69abaa5c63c67b0362612aa426614b4ae0fa1ea35ef4edf100123b65d8fd4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads