78bcdef2a920a1927fee569803826bae3425e507d354eac71136b2a103abdb24

General

Target

file.html
Size

305KB
MD5

d89d3c3cea154915a742bf8b52abe43d
SHA1

acb97f43a1e6e8602e8d12418e5b5b71a2a1b083
SHA256

78bcdef2a920a1927fee569803826bae3425e507d354eac71136b2a103abdb24
SHA512

344cce22843772d22e37d543d698498e335048e3fe9f07bcf380b99f26f53847ab25c185f3ec4ed2319d738c9dfe3b71ce4f70f93d971dc4f13ceafbe1f260bf

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2EDF3D71-0F3C-11ED-A239-D6EBA2E337EB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005fbcd10b409412459e4a784628514125000000000200000000001066000000010000200000000c9c3174d20ed0aafed3dd37305c8596edadb556cae359e948b70afe10efa086000000000e8000000002000020000000de55e8f602459d064d8fd0b4666a316bf38858d8a5be270f45f46b549054c82620000000cfee2fd417cdf622bec03e04c3b48daa89f7e1c33987a7087ec0313eb1b988b140000000df04e2d9dc936f8716ccab75f123cfd1320a27eae05619157d0da7fd6568cc0ea2feb0275d882473be876ba6d8d3cc97d31524c8f8ada8a649d0f14f22d22ffd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a08b140d49a3d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365863643"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005fbcd10b409412459e4a78462851412500000000020000000000106600000001000020000000b1c44dc7c25cf0f85474495df7b691e95dc4b4274c2c2066608a7df655327613000000000e8000000002000020000000b729c7b1a1f79a26a9142147dc4929b386789ca67edd5739b522bf2cb637e66a90000000c2d4c0c5484943dbaf9232eaa2c94d8e5bf3d6b4b3ecc2dbefa5eae2deca44a982cf917d27e65211a74921db1b9a84adbd6974ccac5b8ab1d39b4b0caf13b3b5c7576d97cb28674cae9ae64aa37825bed9d00f4e33430c44ab87c4fef6d1da84acac3fbda8f6c3b9cd7c9b46e75328c14f712daca6dd38707e3f20c7be87c580305e41750cc094d8234eb8310adfc53440000000fe72bc56c551c37869236ff1effbbf628ab8838165c4468be746cd882df3c1d6135b259a16384e7c0b7fbba06b8546b9ef5f89e19db99833275b99d5c45f0368	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1500 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1500 iexplore.exe
1500 iexplore.exe
1512 IEXPLORE.EXE
1512 IEXPLORE.EXE
1512 IEXPLORE.EXE
1512 IEXPLORE.EXE

pid	process
1500	iexplore.exe

pid	process
1500	iexplore.exe
1500	iexplore.exe
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1500 wrote to memory of 1512	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 1512	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 1512	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 1512	1500	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
4d616cc7e6bb92490331a2a98f7721ec

SHA1
2a76e0f22ad046ae3baa4e3592a229f47680ebea

SHA256
d85e8e25dbd05f121a30fdcb1d8e0f6dc477e7fb85a385b6c53b9a0846b9a60e

SHA512
de0877cdb03fbcc37fa6ca8de50bb1bc4bd58b571476067771d67f258731baa7f7c908716444d09ed1045bd8feec8b1fc9ed10f3bce24ec80a33bd9955c1ca8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7FO1L0RT.txt
Filesize
603B

MD5
3aecd7d041d87d430b8a3b1aa989cfb8

SHA1
4b1f4b217efb3006582a009a21e8f4dce0ce2a92

SHA256
df691735928a4b43e69321269c30a7b4ac58d0fa8ee73b351c775107449a9517

SHA512
49d6855d684fb4038b016a0147780274ee5c1bdc58c191e1a7979d816c57847252981ec967729b5c5d3ac3be791d0f700bf6fd70eeb278dad9db19dcf94d826d

Download Submit

Analysis

Sharing