08f0b9f5964b123365d4b29e9ccd535ffefda0d66e8a6d3b5e4ac0e8d15d197d

General

Target

view.html
Size

66KB
MD5

8c3dd54647d7436a8852c7a8ed4d14d1
SHA1

d74f33a21938d9a829b1dcff51b59aa939aa8088
SHA256

08f0b9f5964b123365d4b29e9ccd535ffefda0d66e8a6d3b5e4ac0e8d15d197d
SHA512

c6077fc2045b2a413b68a7eb9bffa989d8e0764c911fcf662e94409aa4b68e574a7ec0ce9fadbd2f5637e58312dea56a2cae94ec2820994d56da35dc08fc98e7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000020be9f5c2d6f904992889f55b2fe1a3f000000000200000000001066000000010000200000009bb29528d5fde58387a214d78640bb2081871d0a811ebd5ebdd406b13eeaa894000000000e800000000200002000000052212f1c0ff6a30527c87361e1a6f3ee4bd8797c291e5c860440d896f42e0e9d2000000014a101cbd5cc9fcecc34a5b9ac61e2514351ee345e23cffdac227607f55e3749400000006e4cdc818a17de7c4f949cbbfaf5f0bcb405cfbd20cbff4d91c5287177e9a6c59cf0616550a8dd4381bc1d260bf5c55fc0dba174dad0aeb568a5118e36896319	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a020364168add801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5166F69A-195B-11ED-898E-5E29FC3DEFE4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "665515218"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "366993132"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "367025123"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "665515218"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366976538"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30977384"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30977384"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30977384"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "753795832"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000020be9f5c2d6f904992889f55b2fe1a3f00000000020000000000106600000001000020000000befdf07588e4b953f42e3b30d22d38f4b94cd4fe973490edfc58f965124c023d000000000e80000000020000200000005a46f8a87948ca4cf6e9727deef6e95f6659a1c2971966415218780280d33b82200000009b7fc2da1677da2793336f178b89f3e1614a8c8aac6d0a04e1568c7046228f3c4000000087820e91db822e86969f765f8e04b1ef6a8405f9f8fe5f23cdfaf22f20b726736b0469504c82ce6de24f450d6a0349cc56a4a254a1fc03de58ffc212a78d2e04	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8007424168add801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1608273745-3137450291-1597631108-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2160 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2160 iexplore.exe
2160 iexplore.exe
2452 IEXPLORE.EXE
2452 IEXPLORE.EXE
2452 IEXPLORE.EXE
2452 IEXPLORE.EXE

pid	process
2160	iexplore.exe

pid	process
2160	iexplore.exe
2160	iexplore.exe
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2160 wrote to memory of 2452	2160	iexplore.exe	IEXPLORE.EXE
PID 2160 wrote to memory of 2452	2160	iexplore.exe	IEXPLORE.EXE
PID 2160 wrote to memory of 2452	2160	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\view.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
81ca12044c6aed1a9d496c3d72fa8298

SHA1
00347efd9335cbf146726883e76955d0d8ae632e

SHA256
8cecaa2d2bb2c736ac544da7bec9f733c893cc01632034c1b934b6cffe6fe87b

SHA512
595c8da8c8df6947aabdcd99ebba11aba212b4408a515f66e7c67e58d533a8496d1cfa566900b850f4f7a8993acf621eb93b4dc361391dca649fb376ac05b1e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
67621897720ff1c30e309add59a082a2

SHA1
db447ed6d9d52c6b9e3109ed665e5db3d18fbabc

SHA256
8e7616bac6c296522ac3f1be0f79f659fe6d526bc150bed10debdbe894b1bb25

SHA512
22895c53d2ded6ea867e0afeeaeccb30de58636f5248b609f818434126ac37c40f4489a871e13ee83ee16f4bda508c867259efc47f1bc09dd2bc9f7d1abec0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0AJFFJUR.cookie
Filesize
610B

MD5
8c1bc8e62a6a618f03779bd91038b21e

SHA1
f19d6a10cbfdfcc202c436c2104cdd10c12d5f37

SHA256
c7292cf23ce9ec1b94c7b5355a545711f050d2c8ea571c622d7096d950cf6178

SHA512
f5c735ae3622eec86d2932bff1ef95f7bade72454d81bbc076a271c4f9b7ca774f23c39248b27351059570fa1af08500ba26e2d8df0ece449560a2461ea7e39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AOHYFY4E.cookie
Filesize
609B

MD5
b30f5b6374f31e12b49e0976cc88817a

SHA1
e93470c536a445cf645b0fe3f7275dcffc00d89e

SHA256
aa91063c12bc93c852ea85d3e31597a105f2d716b611c92ed948742a287a6c0e

SHA512
a1a990c412a9504117586111a54b5cc6290adb49e4bde1e96dcacb5490f67b352d23aefce7f5422372a5fffca162734b9cea165d298d6ebec64f047a539f9b23

Download Submit

Analysis

Sharing