hxxps://api[.]viglink[.]com/api/click?esrvfxmfpitopnouymfi&out=%68%74%74%70%3Aftxhwxkqsi%2E%6D%31%6E%76%2E%63%79%6F%75%2Futpzi/rx/YTJsdVpHVnlaMkZ5ZEdWdUxXVnNjMjVsY2tCemRHRmtkQzV1ZFdWeWJtSmxjbWN1WkdVPTpkZnp4bm1qa2xj&key=fd5de1d096b38be9fffd6ddc1948df4f

General

Target

https://api.viglink.com/api/click?esrvfxmfpitopnouymfi&out=%68%74%74%70%3Aftxhwxkqsi%2E%6D%31%6E%76%2E%63%79%6F%75%2Futpzi/rx/YTJsdVpHVnlaMkZ5ZEdWdUxXVnNjMjVsY2tCemRHRmtkQzV1ZFdWeWJtSmxjbWN1WkdVPTpkZnp4bm1qa2xj&key=fd5de1d096b38be9fffd6ddc1948df4f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3224 4608 WerFault.exe

pid	pid_target	process	target process
3224	4608	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000261092695e6b99edb347c81a00e440694abf3ca5730e5e42e66a4dcf072cbfb9000000000e80000000020000200000001150a7598401e999de86eef0d1c158567dbbc0f7fa1c8321c6976adee164598020000000b855c503bb43c32020ccdfc8f11efcc8c09fb8e9b9f786c7063089de03b29a7a40000000b116c7dcdda181db61f347aed97875693da0f9be251100820db2298c99301f39d6abdcb23b30e39a9ba86f00686304941ac3c20b9a7fb9be01763d2283bb343d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000001cb06b9829908553b781c7dfad04d125511245746c060ae9d6a2c60158e7582e000000000e80000000020000200000000e092f9cfc20f4dd60c3e1bf3b5db8daeb90f4f3365eb1ed383ee5e47e740c1c20000000eb47ebb09c554543a53effc8144ba26ed2f51c020e7301ada4df1b92a162ae68400000003fbc2a35fd10b3a79378eef5a7812132698c4634de4321fe8366c90fbaa6238007458851662dd1966e0ae9136e5d18d18e1244570c2758accdecab10d68de76b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{61E3BC35-2877-11ED-89AD-6E8712CD3232} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30981252"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000ec9474eeadfecfbc0c4ee23c87529ff7e4bb717c430b9ade319d5aa989381017000000000e800000000200002000000053d17cfa67d8f8f6da04640f5c006b26720bd388ceaf28e062a5f23fcb5b89b22000000062195ca5000b69b0515d407dfeb713f032d48fd2c6af6143fd101e8ec7efba604000000038de86d4948d8a6672513acbb9ca848616f1df15f170d3f5b00e3a65ae96d0f8f6da69e7629c6d3a0705dceb4d108a2b5f878b3174c185b3c95a5e17b0ec92ff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "911211999"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30981252"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3054aa6084bcd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "911211999"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303d2f4884bcd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "368637863"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b9194884bcd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4644 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4644 iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
4644	iexplore.exe
4644	iexplore.exe
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE
4124	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4644 wrote to memory of 4124	4644	iexplore.exe	IEXPLORE.EXE
PID 4644 wrote to memory of 4124	4644	iexplore.exe	IEXPLORE.EXE
PID 4644 wrote to memory of 4124	4644	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://api.viglink.com/api/click?esrvfxmfpitopnouymfi&out=%68%74%74%70%3Aftxhwxkqsi%2E%6D%31%6E%76%2E%63%79%6F%75%2Futpzi/rx/YTJsdVpHVnlaMkZ5ZEdWdUxXVnNjMjVsY2tCemRHRmtkQzV1ZFdWeWJtSmxjbWN1WkdVPTpkZnp4bm1qa2xj&key=fd5de1d096b38be9fffd6ddc1948df4f
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4608 -ip 4608
1⤵
PID:484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4608 -s 1772
1⤵
- Program crash
PID:3224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
Filesize
7KB

MD5
b7b387462b4bc93ef941473fa1638679

SHA1
09687d0460dd1c54114d122392c757adcbcf7683

SHA256
09246dc5be245634edb3592f6910b5886ade1cafa3ee18f578ce95b634c331c6

SHA512
a4f13f35a609b0d7d06675e369d652a5012bc57ca2e78a94cc9e9b15008723ed622cb5e8422697bccd7a0bcf6e9869fe61172ac7288a95518485956d0c5f3ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
Filesize
224B

MD5
0e6a3060fbe166563ca87bec92be5f43

SHA1
172f41e53c5f40cdb961ebd3802e5abbfdbc54c0

SHA256
003126fa01c36f9761ac5dad9480fb313408c804e00c6ac0899cadbbe8ac1345

SHA512
a51e23538b3b0749e9a1fd7adcbbda024b71f038a51fd6774bbf23e897682d8a0e1ed4db6f6e74c5b4c1fae75fe9bb7a4e4d72ba7196b6c6b95c6eda7789b423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat
Filesize
8KB

MD5
a399297ba676604a70aba910126f170a

SHA1
9f30311feb305bf8cabec261066965d8eba27d3f

SHA256
92120b83a5aefd1098a8b38602d5eea3f55d1c36ba38f0c213f099898bd4169d

SHA512
43fe77da907be6f73619cc409528c820ee0e5dbb747413f9bd0795a7383bf28e0ade4ee23171254a759263ffc1ae2cd867988e830f6495ead88f943d0024ed7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat
Filesize
8KB

MD5
a399297ba676604a70aba910126f170a

SHA1
9f30311feb305bf8cabec261066965d8eba27d3f

SHA256
92120b83a5aefd1098a8b38602d5eea3f55d1c36ba38f0c213f099898bd4169d

SHA512
43fe77da907be6f73619cc409528c820ee0e5dbb747413f9bd0795a7383bf28e0ade4ee23171254a759263ffc1ae2cd867988e830f6495ead88f943d0024ed7a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads