hxxps://s3[.]amazonaws[.]com/zedertgfdgtrg/zedertgfdgtrg[.]html#qs=r-adjkfadigbkefhhaffiffjeakfiggefafeijdabafeijdabagiadhaccacccfadeihacecdgiacb

General

Target

https://s3.amazonaws.com/zedertgfdgtrg/zedertgfdgtrg.html#qs=r-adjkfadigbkefhhaffiffjeakfiggefafeijdabafeijdabagiadhaccacccfadeihacecdgiacb

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005fbcd10b409412459e4a78462851412500000000020000000000106600000001000020000000c6a64b44a0cf4ce2ccdd6f46618b026bb522e4d182737dbb76b87d03c35deeb2000000000e80000000020000200000009f24d43941a6d31a0a02c7d343bcb7686f63b27c472ee8a18f69dbc6b4606813200000005c5fa3274e0f5c8a817258d8eae3a3add3aa824fe7b2eccbf473b9eba33ed273400000007d0f350b25c8e64d0131dbc010b0c5cda6025e9b1656c4dc5fdd0a9a851cb67ace134ab0c411708706544f4636bcbce7f6e77eb8728dc4304465cdb07b89d103	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f6120e6ea9d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005fbcd10b409412459e4a78462851412500000000020000000000106600000001000020000000a80c33e89d1235aa6d71f33a04c4fdc177707b7d1d202f951f9ff704619f555a000000000e800000000200002000000046d424fa3f1661102ac9e9327cb4dbd9a6abadc4bd0983353dbb8e104cab245c9000000032568bd7febebb29a2273f6379d0853acba3d3ac439d42075e8f9d51e7b2f3303b1186d18aaa2c30b602716072316418a8a7226d4dcbf6e862a197e37368b34db2aa04390484d5b5a118e208d5da7d11da4b8f20628a1be1e691e92778c3526b5c77add695dca603d2db486306e3fee777da3d9798a7cd167a0bdb0df8435ac730331c4ad57719cfc2b16845ae5b71b4400000008be04132b82086893bd80ed0c260a9344b7e55def9c1123cf4c25a8e0e54f325540535823c4acca5efde883936c89aefd221538065c39e627215ecd9521f87f7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{307E2DA1-1561-11ED-BEEE-7ABBA42B243E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366539245"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

552 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

552 iexplore.exe
552 iexplore.exe
1548 IEXPLORE.EXE
1548 IEXPLORE.EXE
1548 IEXPLORE.EXE
1548 IEXPLORE.EXE

pid	process
552	iexplore.exe

pid	process
552	iexplore.exe
552	iexplore.exe
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 552 wrote to memory of 1548	552	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 1548	552	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 1548	552	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 1548	552	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://s3.amazonaws.com/zedertgfdgtrg/zedertgfdgtrg.html#qs=r-adjkfadigbkefhhaffiffjeakfiggefafeijdabafeijdabagiadhaccacccfadeihacecdgiacb
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
b556ed8cc2f55a2803bc7ef963d7cce2

SHA1
3f88deed22c801f5321986b27ffe73702368a585

SHA256
9a6994c1a05766560bdad99435f8b2100f358503a114f4be2e54fb917b447c5a

SHA512
d4a003b88dfd3ae2252ae0dae77865c4b7b7496bcdcd257c0e74e4ca0a46c8652688aac765346cdb73eddbf1273789b5d1d43a2c7398cf0b6bb98c9715861e66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YVFPB1UE.txt
Filesize
603B

MD5
2515f48736d445101a1d6492732a2e24

SHA1
19ab5dc09cc3addc95c6a98d5d84cc8bfeb4e516

SHA256
50c878823e2f844ed45d2b2b2d4b9ae0cb3f958868005159e31a13c5ae8b32d9

SHA512
5ec94982d0423bfab5a350971e5d76e17c14202828c08dc44563b6733a21c3ef4f24beddc5e914f764dd4c454e0b6f1dd9e4439a5f092d42ad4596b8f4957cef

Download Submit

Analysis

Sharing