Resubmissions
18-09-2022 00:58  220918-bbje1seebr
18-09-2022 00:55  220918-a95v8saed2
18-09-2022 00:53  220918-a8r8raeebq
18-09-2022 00:52  220918-a74v6aeebp

Analysis
max time kernel: 72s
max time network: 113s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 18-09-2022 00:53
Tasks
static1: Static task
urlscan1: URLScan task
behavioral1: Behavioral task, sample https://whatismyipaddress.com/, resource win7-20220901-en
behavioral2: Behavioral task, sample https://whatismyipaddress.com/, resource win10-20220812-en
behavioral3: Behavioral task, sample https://whatismyipaddress.com/, resource win10v2004-20220812-en
behavioral4: Behavioral task, sample https://whatismyipaddress.com/, resource android-x64-20220823-en
behavioral5: Behavioral task, sample https://whatismyipaddress.com/, resource android-x64-arm64-20220823-en
behavioral6: Behavioral task, sample https://whatismyipaddress.com/, resource android-x86-arm-20220823-en
behavioral7: Behavioral task, sample https://whatismyipaddress.com/, resource macos-20220504-en
General
Target: https://whatismyipaddress.com/

Malware Config

Signatures
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 2: whatismyipaddress.com
flow 3: whatismyipaddress.com
flow 4: whatismyipaddress.com
flow 87: whatismyipaddress.com
flow 88: whatismyipaddress.com
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 4236 iexplore.exe

Suspicious use of FindShellTrayWindow (1 IoC)
PID 4236 iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
PID 4236 iexplore.exe
PID 4236 iexplore.exe
PID 1976 IEXPLORE.EXE
PID 1976 IEXPLORE.EXE
PID 1976 IEXPLORE.EXE
PID 1976 IEXPLORE.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
PID 4236 wrote to memory of 1976 (pid 4236, iexplore.exe, procid_target 66)
PID 4236 wrote to memory of 1976 (pid 4236, iexplore.exe, procid_target 66)
PID 4236 wrote to memory of 1976 (pid 4236, iexplore.exe, procid_target 66)
Processes
1. C:\Program Files\Internet Explorer\iexplore.exe
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://whatismyipaddress.com/
   PID: 4236
   - Modifies Internet Explorer settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 4236)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4236 CREDAT:82945 /prefetch:2
      PID: 1976
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Downloads