ad862528e36df357f1cb2446ddb86e31c63fff12fd2d030f0aab849d2535e685

General

Target

Payment Schedule-PL-PG-1693507.file.html
Size

6KB
MD5

f581aaeff4b8396cf7c965df6579cee4
SHA1

8c1df650d31c2dbde202bd2df6805074f15cf977
SHA256

ad862528e36df357f1cb2446ddb86e31c63fff12fd2d030f0aab849d2535e685
SHA512

90c0a4a0361e113a08bb7363c978bbf136b0f439ce3f1e4a26216cda43c0cebc235baca80a2a2f8b0a56a3c526dde5ae9aef5755179d51a591b48ea7789c965e

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ffdf2458a7d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f000000000200000000001066000000010000200000001ac7ba928c25c8c4ca30217676a8e76958e45890f2a6c63919e14f36e48b592a000000000e80000000020000200000007f9b5e92113b58511810f0aa6fb2c935a57f46b35ddd444182b605bb62a7e89990000000f6a8e45af1029f993d0fafc465d242304d8e547cdf3b58e23e148e7732746a07b25619236c44160303055575fa99cd7b90925090f6d16c706be820ac883b0f45ffd53bc74730e04e78c49bae96873a9b765de24976cf79646aa2303711229f9c329bcef8120ab21b1ddd16739e2631322645b45027d708effdbeb7f03fc61089d4ec7905fc6735d37434742b58105e08400000002d8b593f2e790bb697758f8029c4d20151c768ae333d79eb9ccfc55e5b5763f5444aa296ff42ee0d012ef0dfedd0bba49dbdc12a5c553c42f34d5ebba6284179	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{47414C11-134B-11ED-B8B1-CEEDA865684B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f00000000020000000000106600000001000020000000e2172e659a8da57a7b2c5150c5844d2d010ab498c716aa21df0ca70931f6c139000000000e800000000200002000000073c1e62cd68997018e88e9d96d5c5eefccbb116523c25fa8d8b8dc4b016752a120000000cd6167f1d4853da1d95690a29425cc32724538ddb32c0fa2cd1aa5a50585730a400000008caf8d5d8cd9a2e771a35db01dec07244aa6b950675b0aea8a827a17ce3ca13e960a34c4608f95f66b448907c4a47b3d9fdcc8f8473b7dbff092c990bfca4450	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366309931"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1940 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1940 iexplore.exe
1940 iexplore.exe
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE

pid	process
1940	iexplore.exe

pid	process
1940	iexplore.exe
1940	iexplore.exe
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1940 wrote to memory of 2036	1940	iexplore.exe	IEXPLORE.EXE
PID 1940 wrote to memory of 2036	1940	iexplore.exe	IEXPLORE.EXE
PID 1940 wrote to memory of 2036	1940	iexplore.exe	IEXPLORE.EXE
PID 1940 wrote to memory of 2036	1940	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Schedule-PL-PG-1693507.file.html"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
71ccbbfc2b680f426750131c648c0ca1

SHA1
dc9ac41d5909173922bd3e9c5f0c659b20d1312b

SHA256
fe332aa9d3e45d656f84d99547090ef5aaa62afc48ee89596d5f557fd3a0f357

SHA512
446a75a5139a97fb1b7dfa385b019d4f52b5ff7758cdfb1f4049b89f400e8967e3a20186079d59c3cd72fa991805c87337e63f2050a4f3e9a2e791ccf237beab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WQ7LW93V.txt
Filesize
601B

MD5
3842d17656371719bf7664ca267822d4

SHA1
08c06e80f627f49fcab1ba0b37ef8761804d3a60

SHA256
8947ecb05bc68999c4e4db4c8e91af07dcce372c3f8b9c5d56eeff7b28e8e09c

SHA512
8723480d26a113483498cebd701c1c7ec2efd7b360d4a5733554cc6f85d9d34395ede974c871de29b2feb4df45f7dad0ada4f6437b78c8eac95b799f088374d4

Download Submit

Analysis

Sharing