8b06588cff3e70d469eb148537967a3a1d425ea6435b3a711194dd569b16ed55

Analysis

max time kernel
283s
max time network
188s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/09/2022, 10:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8b06588cff3e70d469eb148537967a3a1d425ea6435b3a711194dd569b16ed55.html
Size

607KB
MD5

15c8d84761b78ad404a3fd80bbc5a06f
SHA1

cae776ae13bcf746dde0b7ea1a03bc948e2abe0a
SHA256

8b06588cff3e70d469eb148537967a3a1d425ea6435b3a711194dd569b16ed55
SHA512

ced507676caf7b4094c98310fca504e67e883652e5217bae5070f9b36b4a348bb65d7a4cbb1d71fcfb1750f2f12a9969ca8fddd7c8ea7f65a93d24dc50ecb9fa
SSDEEP

3072:OClpGTetRqXgwR6bTTwRudiV1ytfVrbWCUkPDlJtLn6CVhJc7MwaMyFeqmqDCMA5:OClpGTCRqXtR7RCSvLF2RPthZlXMDp

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9DDC2A41-3CCC-11ED-9332-6A94EDCEDC7A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000bc2a42ce733cddc2169df7a8a81c41ce90b81a7ed8ab05f18796e309e8d412f2000000000e8000000002000020000000f44e822dc4596c13976e8fbb29b2c4fbabc0393207ba19d9a661e3e68f44995a2000000009d2e479013ba1843c78b805d093516b02733624c80331911fffa40099eb13074000000008ce7d6cd7c6d96dfcd05536fd08f3d4117d930aea89b88136b03c08f69bb5ca22a1d3ed4984a4e7af0e26cb1490a3d3102c9dc4d933246bce3411f7d40932e3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000078d55f95ac2508cb315fec98b9bdaec1b482e89f8f99c0647148283681c6f6c4000000000e800000000200002000000048e63cfd312a0866de37b0d63926b05c5f8ccba31ec61999088f19bd345a35a5900000008de0af2c8ec6d759c5aea1f0145582d8a28caba816232d1b0e2761273420a89f07a06c697ac205ceed0a17c1b339563ba4ca6533c651549bea2813632a9c6711e4fd74f430e2c59e6e77abae7e7ddff80fdc1285631ef2dbe2bd70d1d6bfcef3c61c0f3f30884940299be49c211e46f676749ef4e53e2742fa04fd49a83bd3273b3c755fdab95b3800c69be831e1e2c0400000002602d71af595f8a00ed67265d1d3505298165c893758df3ea0179835a161c1b2c6196a0a5794b6249196bf3d5efea7eaa10029191805648e8406edf49a54d6d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10544f81d9d0d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370873482"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1424	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1424	iexplore.exe
1424	iexplore.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2040	1424	iexplore.exe	27
PID 1424 wrote to memory of 2040	1424	iexplore.exe	27
PID 1424 wrote to memory of 2040	1424	iexplore.exe	27
PID 1424 wrote to memory of 2040	1424	iexplore.exe	27

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8b06588cff3e70d469eb148537967a3a1d425ea6435b3a711194dd569b16ed55.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
640ffbcc70a630661ac5e53d813772f2

SHA1
ae412968fe3f484cb0e70d31eaaeabeb97e92a15

SHA256
7f8aceff81c5d040dc2c90614dcffd4de43cf5c2840c0e60e3aefa9b160a3be9

SHA512
15eb9f51518036581da1f93cf8fe7e2647cabad78d0a9347f57b35e88675eb027c6fb176af0be64e27ee5dd82e6133df02b593ee77153686121e6de5bddc0db6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O42BC70Z.txt

Filesize
606B

MD5
1533769e9fc1a65c77f97dca240f1049

SHA1
e4cf0aa963a0e4b1f232d9514adff5e8cfc26bbe

SHA256
e1666213626716fec3e5309f852b7d1458f38f0d4442330d0a9aeb97a6fd165a

SHA512
3ea3de1545f386086457ce87305434e00c39ea39952bb12e2e2c4c348a18b07c4c0bb93e8ad6f9f5d7291f424ee533c12e69ad37024b50b5651cf9cd87bbcaf0

Download Submit