hxxps://firebasestorage[.]googleapis[.]com/v0/b/rdrt-bca53[.]appspot[.]com/o/odrv%2Findex1[.]html?alt=media&token=1c1280e9-b8fe-4a64-b030-b75ce494b7e3&data=eW91cm5hbWVAYWFhaG1haWwuY29t&subf=Open%20Vacations&foldr=Human%20Resources&file=Open%20Vacation%20Submissions[.]xls

General

Target

https://firebasestorage.googleapis.com/v0/b/rdrt-bca53.appspot.com/o/odrv%2Findex1.html?alt=media&token=1c1280e9-b8fe-4a64-b030-b75ce494b7e3&data=eW91cm5hbWVAYWFhaG1haWwuY29t&subf=Open%20Vacations&foldr=Human%20Resources&file=Open%20Vacation%20Submissions.xls

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B55BB581-2BFD-11ED-8716-EAF6071D98F9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "369025397"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf0000000002000000000010660000000100002000000038133debc303de3ce068925da8400ff66542cce1d09535b63f6d2da83303dc2a000000000e800000000200002000000050846a39a2efe008a2cb154192e528ce0429df30f5a648cc2eb2bd646bc73ca72000000032ed4901f7d2d05c222574d6a07db8502f5f0276e5bc9d2730247521634027ca40000000643948d19f6af3e509464209b5999f68ae318e81c12db981ac66430526039ae07f42820203c26c9f023fe2ea0eb2a943fb6ca68f965308c8fae793fc4844f2a7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2031c9900ac0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000b6b39d5211d502ef8ebf23453480b16409b2181f5830ea69ac965e3c2c2cfc95000000000e8000000002000020000000e198f2567a2e3947c7b98e6dd7fe7e8d7379bfc7dfa7e52d652f4f3cd3784bff90000000aad202f15966051280056a0cf784d070a5aa8da58ac00e6f76219d6376434816738dc76c254dfff44806eafaebcbee006530f0c2926d769f3697f6dcd0e33bafb9bccde44fd3b46944d110e7beb1b250e91701072d9656e0fef07273ee6accaec376f3012060086dbcc0c2e42e315e6b5ea3f920009192f659a5df0edbe281d69f286f9149e7a227ed36372a275fbd7d40000000491a94ba69380bf83f5496b4352eda3c8d0525d4fb479ddb875864263e94ec9597c0257e6f638154e733c74074beedca84fcd006f874e6458f37573d0905bf9a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

536 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

536 iexplore.exe
536 iexplore.exe
1396 IEXPLORE.EXE
1396 IEXPLORE.EXE
1396 IEXPLORE.EXE
1396 IEXPLORE.EXE

pid	process
536	iexplore.exe

pid	process
536	iexplore.exe
536	iexplore.exe
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 536 wrote to memory of 1396	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1396	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1396	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1396	536	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://firebasestorage.googleapis.com/v0/b/rdrt-bca53.appspot.com/o/odrv%2Findex1.html?alt=media&token=1c1280e9-b8fe-4a64-b030-b75ce494b7e3&data=eW91cm5hbWVAYWFhaG1haWwuY29t&subf=Open%20Vacations&foldr=Human%20Resources&file=Open%20Vacation%20Submissions.xls
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
d8999e4d4632ea43c702bc7641bc8ea6

SHA1
1790347259d248f1273bb1596e604bfb0ad9aadf

SHA256
b47b83ecc10359b5a372c4a6539b9c110e29cdeb5e7b08c81da211cf4e6dfff7

SHA512
eb6dc11b54a7e82d80c9815202e899bee37751db3c289962b83af49fe914797d88681176524238c429a006ec2197d36cb97024f63c8e197762d6a999309a8299

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QABLG0UW.txt
Filesize
608B

MD5
a2b032d6d3fc3971a9713d70c50c4c52

SHA1
856524b96d9df2e53f8c9c3e3430589e3214751d

SHA256
54fb75c76cfbc59457b55c92c789263d21bc7695d15ee8e58a473f4f87efc5fa

SHA512
4b0f94e0c26f9c60c2c11a59e9392a595c734cf627ab3264c6bcba142cc1631e0b8b54f2866ad6100381b69718c31e901837861b76b77d0c549de87cb2287990

Download Submit

Analysis

Sharing