d2520eaede1f6f07a4e8d23607a5786f7e7290f30afaae3bbae0d3784a41bfbd

General

Target

hola.html
Size

792KB
MD5

f8463962698412317442b7fec3e90e50
SHA1

db969a6149e6e7346c18f56430b6d12fffc5ffc8
SHA256

d2520eaede1f6f07a4e8d23607a5786f7e7290f30afaae3bbae0d3784a41bfbd
SHA512

94715707aed563a2c128f98b83f4265a4ff376b863bc87e46d6f623ac829ff157557338c8c7645e8ad4c28a29f102dc657e61e8ea448cbfeb2d4c2822cc30704
SSDEEP

12288:+73GOdabXoA27IkrwQql0tfCal/ApRt9IGase9CIZZl7X6bfEogvSeOxjKWE0:+7uXG7qQJFC93gzCSIfRU6+Wf

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d01d31f8c3d1d801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{346EF5B1-3DB7-11ED-AD72-5E7A81A7298C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e35d0ac4d1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000cb0586bba7dc0e4cd5d60b7c86de68753f67f57db11f9571295ac12d670907b6000000000e8000000002000020000000ba11da0fac9f17baa9dbb932e319f190d852955a790b98d7c1f1bf1fea6ec7a49000000049dc4f309cbaf42118b079a20a1187c967f9b98ca55218a10ca337e4bf58ddf1b78a9c287419c048ed6a5c1800c308a1ed9a8fe2e74f439fda0d8a6744d258ee86a36f341e9c58185dabe352446edb95cdc1e1655794eaed823c943394e45f7c7c06539ba2f2fb2ebdfef48a7a04a271cffebdcb3e62c1f607c6e832fe8c022e324ee8fd9222af9d50d86a4cb399fd684000000095809ddb9788d15ef8b55e211ae0ec95c2b1dc1b888dc9a15af96ecb9cf80b4fe97ebb6c88488720490bc82fc0445fd1a6bf5decfabbd9651565a68d713c7b92	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370974240"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000cdc808345454b6b9555ae6d490f19326f7b2f0a0793e35d158d8a3a2e6b11c6e000000000e80000000020000200000007668ac81a40836377d31eb2e8aa02665ca6557f5b570aa78c6dbf2d200d46a6020000000a5211852950f8e9d1fed506b1c7b2e7d121034512e1fb7f5d1e4dcbe037e276c40000000fbfcd707740f227bfe289f85413bc58d14e7489491c4d228cf088ccbb1f7c5d414f310b69f65bc4acd44c80b1ef7649ffff7763dffa9ec841a73d296dc3adf72	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1928	AUDIODG.EXE
Token: 33	1928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1928	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1056 iexplore.exe
1056 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1056 iexplore.exe
1056 iexplore.exe
320 IEXPLORE.EXE
320 IEXPLORE.EXE
320 IEXPLORE.EXE
320 IEXPLORE.EXE

pid	process
1056	iexplore.exe
1056	iexplore.exe

pid	process
1056	iexplore.exe
1056	iexplore.exe
320	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1056 wrote to memory of 320	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 320	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 320	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 320	1056	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\hola.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Art#1015(Sept2622).zip\Art#1015.iso"
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J4G7E86K.txt
Filesize
603B

MD5
69438ae1d8e8f0326c09f3439b854c13

SHA1
4733ac42413da048c2f0bb5c054edfff1f75414c

SHA256
1f0cfc970de1766f05e235140eb0cd3e8c004225eeed53302c0746e9d037981e

SHA512
2b05eb2ac3313fc4b2769e1ba9df01feea272ab44df335a0b22a45373388590dfdf753d81c6708198f6629e20b9a683e0d84e4d162ec133df5c4b3042c851f28

Download Submit
C:\Users\Admin\Downloads\Art#1015(Sept2622).zip.gnmpldt.partial
Filesize
592KB

MD5
b09e1bbe558cd40e3b34fd486d06aaa2

SHA1
e1c8c0ff40cf05c4065363cfa29cfe9b02525794

SHA256
684d62ff07a87386bc347bedd988b89b3f15866b91cd4912666447e807adcc1f

SHA512
bae625a452f234ac0fd50eead983f994b6a3a4631089cf5e230745c895433b9eb2c2f3d93b4e603ca20f342e696d29221cda1f4695119a710985fbd23044929c

Download Submit
memory/640-55-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads