23926e9185d8d43c02807a838ffb373cc1977726094a4e46807c66ada9dd7660

General

Target

sample.html
Size

1KB
MD5

b81150861bf911f947660cf73bce77f6
SHA1

905146c739943ce189795e234f1c6ebcab2f57a9
SHA256

23926e9185d8d43c02807a838ffb373cc1977726094a4e46807c66ada9dd7660
SHA512

594b18ea476c41b4aac1f3a900a45915cd8f5f75c3bcf3f8233b9d56dc5e924903f9915db4138bf10d46eac70b088d138003c8fc85520acc5ea1b27d8d0ee8a0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "367312819"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "367280827"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06d001206b0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "84209490"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3000E897-1BF9-11ED-9767-FA105A7C9F51} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "367264233"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30978054"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071970fb893d695499343397d1df5287d0000000002000000000010660000000100002000000092e46d71668b060832c9d9477092f229fb3364762771cf20295aea2350456025000000000e800000000200002000000009d63485ef4daa8b521d685c7c2b731b4f854fbdded1db11c72712bc7ba2757420000000bfcb71431cc735f5047122e5ebbe8d5bb4c95baa09610b9a33d11c6dc3c442734000000069b473b7b0251a12c397be3118ae26b938b953bdb818bf45560eb0ad9b5c93d3170218d627b471399ec742d8c7a96646c918b0dd68de4b82e9aa7281436e6128	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "74365491"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "74365491"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30978054"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071970fb893d695499343397d1df5287d0000000002000000000010660000000100002000000088b276ac733c3696ccf451153bede43f041eb24b11fd32d3116759d378ad4a82000000000e8000000002000020000000232584e06facef80cf4569a22aa460e904f555e48b7cf15af889d75350101c5e20000000eb4a081cfd8870faa3e67114e947825e943e6fb698772ee0ab1379a6ad3fd51840000000f67d6f3df337cfe68c2d8c5b599eb5714dda20029fb46f75790a021247b105bad17eb4a0587e0ebd82043c2ca38fc568fda309114be28d313b4267f4a3f07f37	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30978054"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f041f91106b0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1676 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1676 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1676 iexplore.exe
1676 iexplore.exe
3748 IEXPLORE.EXE
3748 IEXPLORE.EXE
3748 IEXPLORE.EXE
3748 IEXPLORE.EXE

pid	process
1676	iexplore.exe

pid	process
1676	iexplore.exe

pid	process
1676	iexplore.exe
1676	iexplore.exe
3748	IEXPLORE.EXE
3748	IEXPLORE.EXE
3748	IEXPLORE.EXE
3748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1676 wrote to memory of 3748	1676	iexplore.exe	IEXPLORE.EXE
PID 1676 wrote to memory of 3748	1676	iexplore.exe	IEXPLORE.EXE
PID 1676 wrote to memory of 3748	1676	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
1404973d38eb7c7ef1b558195003eaa7

SHA1
6dda05cdaea6633a74daa9d2a4af458f682e16ef

SHA256
68e5eb0edc63f6f77c7b1079f2e5993e422f99a4fbba3101d9bea193642f6a27

SHA512
f272d05775f463471bfb635ae17e204913d63388996251be8df59d644217a8c8c23d2e60c264b1b5946656c424a36e78e900f079a42b448a947de5dabdc8b10e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
3115d3dd2fed2d60c027ba73689d3491

SHA1
65661b27652de8ec86283a095b49a1b4db9f6dd3

SHA256
5d9d7be395f8e89cfd6a42ef4424688ff20be1000b54bd41d2d51757e0d13234

SHA512
bd5003487337b2aa43dd41ff05e2e56a4d7add09dec71c32d086b248c9441bf232b7a8f05ec0c0ce290446232a645f641d694aeb251544a31cd55a31380df561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3OFHQ4BS.cookie

Filesize
609B

MD5
f83d95acd53efbfae9e5b18199df6e80

SHA1
cce987521e7b88ecca2128361a549aa713e51e6d

SHA256
e75a7fcc59edde3ebcd72defddac3dd7393fe783a8a66e4a6bfe536d688b685b

SHA512
5ef5dac741a74830a7ea8000274b8b55a641823616896d6b8b68ae7842aff661ffbf6ce3d0d0374dab6cd7f231839c9fb5b2f63c1919c6e7702590bb667f935c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\UBSK4XIX.cookie

Filesize
610B

MD5
15d0901460b83d853ceef4c10d52f57c

SHA1
00fea7c94aa5bece5120b55628eb1ac44e3f6747

SHA256
be820acbbaadd0f2b54a7e23f10aed63ba877358e1b3cd419cdfa69532fc44f3

SHA512
cab07c5f8271d2c404cac65d50192cca6581ac2c15f90ac372bc29fec9855d665b3e9bad014e02891e3900db3a693a071128b7f554dc5a40756d026a55f3d1e4

Download Submit

Analysis

Sharing