Behavioral Report

General

Target

Fatura.Vivo.html
Size

96B
MD5

7e41be563457d6038687186692eb52f8
SHA1

fd4ade2d432fbd5f0670238cedc3deef7034d364
SHA256

627dc49bf0bab971d202383338c17f06c7416ebf9d1ac3d602114a6b398a1feb
SHA512

a42a7be4d37f3c255c2597e32a5ac350916a36acf96ef3b5634449a9e83828a0f424d6e18b49596b3e6c1a17c51a1f38deda3fc0984e0e30ea9d1264f4f81db4

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba542700000000020000000000106600000001000020000000fada6d07696c4bbe89cd5ac4f5838fbd42f4312689b238a7505910439ab41aff000000000e8000000002000020000000bc2d5384a98ee23bed62ab5ecfa8b398d5aed0c9746def838ddc1af661ff17242000000005375b110eff8924f4591633b6d2b3d41d8c9f8e562787b995f5f9e0ee64defb400000009a47e60f220fc3b01d8f958923040796493ddc440a9c566b269b0ca78e32b032781229fc743f79a724fcc832d0dd12c0b900ad1544fb40dfd9cc3d99782eca7f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366455225"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e2655baaa8d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FBE2E61-149D-11ED-A936-E2ADD9BA1437} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba542700000000020000000000106600000001000020000000b428894dc92b9396f1664de47be45bbb3751251b776a8531fa506f59f91bea8b000000000e80000000020000200000008ce28401ec2121ff6ea5865e711988d2599ae6154050f5750ac8811b86422ec790000000852c87f92a7e46c7d4dde3cfb1e96932af786e6e2f88374ad9bb058ea5c1ce2066fafd6982d5a04053bc74770136c4d9350198ca4016f03e3391a4c1e0c894779cf93801bedb390b1689024c92e627cb4b2ca88f4503b9a464eb7213628134489b6efd98eb647be85e7e1040ed394fdee79f8f611b5016ec83fdecc369206475851f7a19505257fed38e7a3d66d63ec440000000cad4e9a8ef8b8fef8559e125e226ac4620f8b3b0969de6ac7e1a774ec39ab89f97f53eaf0ccd4bae1b30b1c61d964439bb5764ef640277f1d337b596b833f961	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1672 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1672 iexplore.exe
1672 iexplore.exe
1264 IEXPLORE.EXE
1264 IEXPLORE.EXE
1264 IEXPLORE.EXE
1264 IEXPLORE.EXE

pid	process
1672	iexplore.exe

pid	process
1672	iexplore.exe
1672	iexplore.exe
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1672 wrote to memory of 1264	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 1264	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 1264	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 1264	1672	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Fatura.Vivo.html
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1672 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
8b97368f1af1cf4d633e9f799017bc79

SHA1
5188e20a38a5724d2bc0de41f36620e0c4864b16

SHA256
5944f4d8671cee48d8b84ec2d5c1d64ba24408848f47a21a0caa9ad45573c578

SHA512
4ba641139f1ba99cf64ee09f5e779a3627930907ebbfeb47dfe492c69e412461b711cee4a79ceed12ee7b655748621ffaf7f1f5cf6f085c7534dcdf7e0f2e6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3uhj3kn\imagestore.dat
Filesize
5KB

MD5
b5602450ac453c9c1f0185f2f7653a76

SHA1
325c7fedda61d05bdd68482bcda7bad0bf7564ab

SHA256
d7eb23222def3b02f75ba0adf55f0e843e0e9666428e4a865e52b1efef68e6d4

SHA512
36372242610732f83d326ea6ea15d611218222b70e9b863b078dd168b5c7fed43e40d96a649867d42eb3597bb7b5883a2827520d62879c2fc420cf7a23f38f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3uhj3kn\imagestore.dat
Filesize
10KB

MD5
5f4e24c24846f146458442125e90af05

SHA1
1ae20815307733dfdb2ae23bfa8f06d9d5a3259b

SHA256
7b772aa7f0814c0c9e232fac12acff2f8f027cd80e06666bedebf5f3f47e558d

SHA512
c4389610290a5a010179cad282fa677c7764f6829415e93f2beca7c8f5f21ec39b16ff46dba2e3730555878e91cf4a17b8e4138fda5c545de50f88826612a219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E6KWZYTD.txt
Filesize
606B

MD5
19e7e3c73e7bf234fb2f57527fdecf47

SHA1
555d9e1ef524e2dfec0545ccc53eed7b1098c863

SHA256
d85f276a6f0c245223dd4464d284daf79f82e014d8dfab075f54deeb85ce0dac

SHA512
09d7cdfe578608420c98861d64fc9b02d38de2deefb9e1ba2d5b745a5626eae72b8b476f65da15bc0ac24c4b9e15d55bd6845793f805c59871aac7a63e366ce1

Download Submit

Analysis

Sharing