1e1c7387c2735feb16903b1c721b9c3df4b6e5bdd9475a21a0ae244546e4ac25

General

Target

attachment20220806-6895-6g7ijn.html
Size

1.1MB
MD5

337e45102a47c376dbe0c96319c1b64d
SHA1

844b820ea60c3611ffef871b05632f8993dd460b
SHA256

1e1c7387c2735feb16903b1c721b9c3df4b6e5bdd9475a21a0ae244546e4ac25
SHA512

2f9a73c397e7eaaba537a9f7bcf343afcc486bc1285f4eb6f6ce9688b826c6cc3abd9d25ccb462c516075b8f9e4bdbe8644b8d5498634cf4b4baec1e09a616bc

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 60051dff77a9d801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f00000000020000000000106600000001000020000000e4f43fb1a3e37139f1f5d48d2fef1a4e413f0f0a3b3f8614be689bdd1c507cec000000000e800000000200002000000010a3f2496db58309a9e8664040f421ccbc69a963942aaf3b286bedf20d0fb67b20000000514eb0d9b99c7abe27dbc769ff4c7ec4eece2b05cff51b33e02d3cc5b2a721f540000000a0d6c6ced4c3007dcbe8b5f21fd2d4bb45e2cb978e14b2ee2ec019a96941dc383f3cdbe464ae855ef9c38c34dd843d50ae5d9bb72ca82081fe83d4f298a724ea	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b094721578a9d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f00000000020000000000106600000001000020000000b81fe683a6e65eca95c13999913bb3e81cc2e5bd421b2902f485d4fd9e6a59d8000000000e80000000020000200000005c87499c138b024d9d280ce5ae3735d1485a1e9412598a944964e79e74bbb609900000003c5fa1b18d2e7613bb5e61d78e7db9fd81e512682c7fe1cab17dbf8637f294bbedf21c4d164f3febc986d88edf1a7cc7c740024a24c940354e4a5b42f28959166ca07c6f373d89df790dd7aa8593d2eba44f75e22fc1797bd33fce24cefab34d7c4bccea234d0210c036270c59d15b91e01100ba72c8eed1f372f1d925d914e569a71174f4c4a75288f79b4cced5db1b400000008e599b480bef26613c26585a4816cb09608602224ba246d0cc157443cee75f3dccbbea9c84636b845570d3f3328a517cda9750e1e8280ab2a06512eac933aa2a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366543557"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B2D1E51-156B-11ED-82E1-7ABBA42B243E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1224 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1224 iexplore.exe
1224 iexplore.exe
824 IEXPLORE.EXE
824 IEXPLORE.EXE
824 IEXPLORE.EXE
824 IEXPLORE.EXE

pid	process
1224	iexplore.exe

pid	process
1224	iexplore.exe
1224	iexplore.exe
824	IEXPLORE.EXE
824	IEXPLORE.EXE
824	IEXPLORE.EXE
824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1224 wrote to memory of 824	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 824	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 824	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 824	1224	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\attachment20220806-6895-6g7ijn.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
71962f8603bac85a6955f52c9dc6d25c

SHA1
5d245a9a50df325a4344fe29a3e8e98435639011

SHA256
3e3366a070b2a7f1c42d969adb19318e1935bd54d34160270d6ef2035656500a

SHA512
586eb6506799a3b6166390eef542138c0dc97b226485ba9efc73ed49531b8d983afa2f0004211398d1c2970ffbf162fda53a0c49f4f1ce44e0054f6b1d6cedfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\K1LPJ7F8.txt

Filesize
603B

MD5
83e957035744983a33c39f34695ec654

SHA1
1f50a1e936c1db821c1c21465bf9b91a26dc5003

SHA256
2a7521f4e52102fe7f2812b891b9cd420a1761ad8116ae236a43f0362b2729ea

SHA512
40386bf6c22d0fdbb3236c4777c94a2e9d551365213ccc9f7ed504bf7f24604ff51824161b76d863369c89bcad2972d6960a65f5e96b65e749619da99c7f877d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads