hxxps://access5[.]matne[.]ru/$Y2xpbWFAYm9tZ2FyLmNvbQ

Analysis

max time kernel
66s
max time network
139s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/09/2022, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://access5.matne.ru/$Y2xpbWFAYm9tZ2FyLmNvbQ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9538B5C1-38F8-11ED-A94D-C6F54D7498C3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370452557"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000a874159d4b800d3453138932bedae7c2b648eef536ad8fa449cc477c88c6c0be000000000e80000000020000200000008b27e6bb916d4f49a60822ade2cc303f9ef4d0b340c473af671698a3d3c578df20000000ba2bf32526d4a9a087d78174676148d627f37f3c471a87fe18a375d00e7d164d4000000086d6920dd3fc71d357434d37b3b3e7507c333d13a793f9b4c0ffd4616fe92da16cfa18a2d33b76708e15307ade7db74ce6d8edc35989499f441e9ea095dfeb96	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fb527605cdd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000e2219a88a1e18a3ea3e0a42727088ed6d8233413d42ab3ce24e7292cd27d3303000000000e8000000002000020000000e60e7b62c35319cebecee2eddd9410acc787acaf808ae345be2c5b7fd80df707900000008ef1ae86a3c1fd3be2f01ec2e7e50edb3d8304ed024ae46b94b286818dd6209711b62207c7a676cd83a53ff26446cac837a6505aa61aceb42575b225a0d006c7de41967d6be6f1701e801a06de889fa23c21e0064602b97971340d9806ed07b8dfa0d2fcbb0775daf6c3fc02b2bdd1ad45e06fbc2c32a203bc468c041fae5edcfa0955229aca2852ed37d3494863e85640000000f926181c677cc151af2ef4628b9ecc53209ac9928289c714723f32071f93ccf2b03e55dcbbad76c788d6f3bb7b60449c2f8e77738bfbf984e97f0d1002ce533d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1048	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1048	iexplore.exe
1048	iexplore.exe
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1212	1048	iexplore.exe	28
PID 1048 wrote to memory of 1212	1048	iexplore.exe	28
PID 1048 wrote to memory of 1212	1048	iexplore.exe	28
PID 1048 wrote to memory of 1212	1048	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://access5.matne.ru/$Y2xpbWFAYm9tZ2FyLmNvbQ
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1048 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
30232b2aef21004b9c41f678e2e19f48

SHA1
020a79b36caa521641f4afb15aea28c2d5d4d574

SHA256
d3e6fcf8a9a7b1889d36cb46c20a2eb750fa4b96ab66c1a5496f2a217cad6255

SHA512
02481095b4e6ad46d5a124793169639976074c7dd713bd551e30e01f6aa65fe6b552864ca40359b931f089f437f2e2acd1f29c80db9561af49202929732d8fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
226B

MD5
e61d1cce63246191ad0deb007c6cc03e

SHA1
1b6cea783f40a78019bf4b4de161e9f4092b4a71

SHA256
4d550a09e754d14ec6cd2a7bf10dd52610df1b0ce9a21f04b2d6a0b91321d1a8

SHA512
e2db4cd476cc8dfd543f663b29931524e397569452090c752a0e0a491550868d2b3b6d837462217a3643b7671e263f596d3e5ae1e4482ef86007bcf852067894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0402a722d3414e5ea3c9550652251776

SHA1
a811393db529afb047565263418d1f0c13dd586a

SHA256
b3090660fe441a11124c096f3c39664b9aae8c85f43af44a40df176f9aaab770

SHA512
96a6d77d8dc2aa16fd0fdf80d50a1940c5840f1fd52bae8f070af923d377f6afa15852c16055363e9ce18cb4e50eeeeb15a36d1b33ac2c9dfbee3b860e70ef3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YM3HE7JX.txt

Filesize
608B

MD5
5e10893d77c5b81eed88a6065e8ab335

SHA1
c56050b5b365460deaaede3272dc89884a4bdc4c

SHA256
f48205d376dee894b7735d32ef12da52925391723d4a7f7801923f6e8c873d76

SHA512
f1083fce95c515206724365fc6969d44b898d6f8ef07ef9b08a27e05023bd802c7406c0c6bd4adb788c25c6b81dc9e5c1f891bd01132c41800c637bdfae578c6

Download Submit