hxxp://Disa[.]mil

General

Target

http://Disa.mil

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1518033089"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30977320"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c035039d28add801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "366997713"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006eee23b14d26084abd5e588734d201d50000000002000000000010660000000100002000000048ef01e8407eb6a90c3c1e9fb472cacb3d74ac69682dcc0a6f05cbd5047df2ce000000000e80000000020000200000003fad3208ab59b73f2e0bc9426abeea84b3fb05a87cb467fe5e653fc1c608a24d20000000fc2e961ac9c625e5843d6e310e4a786d7481084f4299f1f779cad66cd4f50d43400000006600fc2806626fa49b177f37514c6b7cfa56dbdce5e99c98605de6f62f2fb03d8c2f062fcd648bb2a1bed58154c4a1d3a805cfe68b92844fbe6615ed6393ed28	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{849CD5ED-191B-11ED-A926-D651C5AEF321} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30977320"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366949127"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006eee23b14d26084abd5e588734d201d5000000000200000000001066000000010000200000007e907ff262758555043487a25499b1309775f5717b21a1a445ab27205e608bd0000000000e80000000020000200000009ba238645cbca5b07a4bc7712dfb2cdb3c8d0a83c16bcd20a6338ba894eacde320000000e5cf7615f569c135c98ac32b82b99cd9b8ff48c6f1b96da8146c9d0f7662147d400000004c5763447fdadcf0796a44573a0a954ce2a19a6ae488b18adce9f6021f2b3482851a414f80b8f121e936f7381cf587a45f0b1ab644fc5c446b7dfb764b4007b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1518033089"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1513502315"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3037dd9c28add801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30977320"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1513502315"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30977320"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "366965722"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2644 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2644 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2644 iexplore.exe
2644 iexplore.exe
2288 IEXPLORE.EXE
2288 IEXPLORE.EXE
2288 IEXPLORE.EXE
2288 IEXPLORE.EXE

pid	process
2644	iexplore.exe

pid	process
2644	iexplore.exe

pid	process
2644	iexplore.exe
2644	iexplore.exe
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2644 wrote to memory of 2288	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2288	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2288	2644	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://Disa.mil
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6CFED4E1A8866BE87BE17622BFB4D726_C504E346ABB7B669748CB7A4CDC591C6
Filesize
1KB

MD5
1ba94ba5b2585fed45ebe462004311bf

SHA1
abdf491804eee485f023a15f76553f9558590884

SHA256
48b3bcaad83558b3a38bc56bc882ddd8ef9efefee23e9c5ecf2bf46a2d11c33d

SHA512
c4665ccdab1c9ceeb5e77d295e1ba30c72e4553abc662ddad68e84f6d7646268851108f2f35831c2f684beccec38e78e840e9d20c84b882cdbf2b6c0624f4244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
81ca12044c6aed1a9d496c3d72fa8298

SHA1
00347efd9335cbf146726883e76955d0d8ae632e

SHA256
8cecaa2d2bb2c736ac544da7bec9f733c893cc01632034c1b934b6cffe6fe87b

SHA512
595c8da8c8df6947aabdcd99ebba11aba212b4408a515f66e7c67e58d533a8496d1cfa566900b850f4f7a8993acf621eb93b4dc361391dca649fb376ac05b1e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DBCCDE09C2222F0FB874FC8174E0AA4D_F05A00A191000A43CFFCE23F1D3927DE
Filesize
1KB

MD5
496c8697fb368f3f04297c68450cf137

SHA1
51ceff100627028eb00fb301099044e8f9249693

SHA256
782b56ad94b7f5a5dbd09fd733a6a78690384d2f701427d2a592a7c05f31f72b

SHA512
e98b9860cd079d72bf6be471d56adab8e098889116b9c397f46568bce33af281013d3ff2d95a2e4d05a2214e86115ffa0ec480957774bb073d6ab69b52d33895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6CFED4E1A8866BE87BE17622BFB4D726_C504E346ABB7B669748CB7A4CDC591C6
Filesize
518B

MD5
f333b2b42b0e61d0c8f19e24f5946831

SHA1
1de28d28b93a604c348299aa1221a01dcacf4fc9

SHA256
8af19685c542a933b3e3b7ca4188f314c2f85af84ec2f47aea8922921c130840

SHA512
ef216e5177d26849be52d8088630dc96b84f4b050956b16ada4e04c501f78598bf9031e003ca18c7b5e9264d549d82a43c8bbfc9f9d2a9f7c09ad64357975b50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
ec218a9737439f1a91f4638c55d7991c

SHA1
cafe64901aeafade6c2565624dd7712d640317fa

SHA256
b7bee0f14ee896c41ca9e0c7c6326bf1ecee3e81d6760569c509a59c92ab4f15

SHA512
8b8f2715c6e7a613738823159d37a6faf13b99779a682bb80b39977ba0e1929b9f6c0857c063b05a843254f8c67dcc0a870fa911430ba8bab05b38b8c5c8288d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DBCCDE09C2222F0FB874FC8174E0AA4D_F05A00A191000A43CFFCE23F1D3927DE
Filesize
512B

MD5
fa3ab87b6326477233a1f8af41c94a6e

SHA1
f2d23037f4d4eccb44225aeb52139cb6862b10fc

SHA256
f0332b3243f939dd32386a7da38c77f2e232f181c2d693560e4218d5544c7ff9

SHA512
6246e1a8105afe4bfe2f9e2e1dcdd35d77ff64c356eefd99cdf2c72d66c68a223475f92e244571b11a919ea8b3ac27e88cdaa07f7b3f1015c0cc2d0bca3883f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FH7RPRLH.cookie
Filesize
339B

MD5
ca2106c29e2b87acb407ca00a4ddf7c6

SHA1
230a5b0c267c193007698583a6a09dd60f89cd08

SHA256
e24910d33867683d4f499e2e809fd8eb06b80403dd3d175a5655cfcd77d8c77a

SHA512
646102e2374e5e21417d33750ccc819b0d09745a61944ee5029396d3ed3e335ecbfd9f9b84e9c409e4eb4a9906b97e0d9301ee5707217b9ebf29f73027722cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P38QHA0F.cookie
Filesize
615B

MD5
e99752c4e0a2e5eaac1b675edabb2443

SHA1
c11131082c25db43849839b4ca2f27184eb177ff

SHA256
a3555c27df6b3be2f6fb990d8d9e99f4413521894eafc6b8860f71d572f8aa21

SHA512
af9e68150e30a5350c2442abf9f8a5dee743422889d678b310e1903356cd8d52be8d4c8537432d4ee82d627a48508af9eaac642ed90acbb58e5f4e8dd6f59b04

Download Submit

Analysis

Sharing