hxxps://milliken[.]iad1[.]qualtrics[.]com/jfe/form/SV_cT5tsyGlFTkQjXg?Q_DL=5PyYlOCvhkLM7Zp_cT5tsyGlFTkQjXg_CGC_hC9IhnlyfoSAk1L&Q_CHL=email

Analysis

max time kernel
138s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/09/2022, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://milliken.iad1.qualtrics.com/jfe/form/SV_cT5tsyGlFTkQjXg?Q_DL=5PyYlOCvhkLM7Zp_cT5tsyGlFTkQjXg_CGC_hC9IhnlyfoSAk1L&Q_CHL=email

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000005da4f24b303bbb823d87d480635c2f6569f2c6f99775c9d8a70bb381631850f3000000000e8000000002000020000000fe99a61046165d6c43ca782e38ff401a2cc31fabdf2fecd72ce8d7cdb9fc7c909000000044ce5f5bf2a4c668357b909d5c403f5a1d3c2ccd1e2e7d4a07ce8666544c9d29bafe3a397aa4b99b503dc9c13ae1c704533a3186a6717132380ce9eb0620950d19022c3b9e2625a8ac7b1a2985267c2e18ae2f594c4738bb9bcf95ef17ce55f5a6ca09c7a6f9bed1251d89e77f8c7c36695d007042848aa31f477cbf5eec426d13edb08290901e923d043530c7f447f34000000094fe42dcf51a30d1026a55a5e2de0c99d42d6d110e25c859cea0bf89fb70f8d64204cb4603d61b8a0401068b26aa31bac0a41cdf0647d7339ad2d59290c640b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\milliken.iad1.qualtrics.com\ = "112"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\qualtrics.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371315022"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "344"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "344"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "344"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\milliken.iad1.qualtrics.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\DefSpellLang = 65006e002d005500530000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "64"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\qualtrics.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\qualtrics.com\Total = "112"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000c21355fa19b46971bfbacd3ae86a1dfbc66ff53bb1aec3eb7cf5947f00f80fb7000000000e800000000200002000000086b34beb62df14d4ec51645f78fd08bceb82d877ea2fc7034fe517584e95434a20000000836788799cd48a3ac773f65887e1fb0fcea2093e04545e71529ed9d1dfbf746440000000e1e785d2b4f38ad779f008185e871d61ebfd0793555719dae3c7400d1adaa97d9eeeeacc5313d6ed890085b979b2a9963a4371a0fd8a330e49f079872e57ada2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "137"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09ede73ddd4d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9D99E61-40D0-11ED-BDAB-FE41811C61F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1736	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1736	iexplore.exe
1736	iexplore.exe
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1756	1736	iexplore.exe	28
PID 1736 wrote to memory of 1756	1736	iexplore.exe	28
PID 1736 wrote to memory of 1756	1736	iexplore.exe	28
PID 1736 wrote to memory of 1756	1736	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://milliken.iad1.qualtrics.com/jfe/form/SV_cT5tsyGlFTkQjXg?Q_DL=5PyYlOCvhkLM7Zp_cT5tsyGlFTkQjXg_CGC_hC9IhnlyfoSAk1L&Q_CHL=email
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1756

C:\Windows\System32\MsSpellCheckingFacility.exe
"C:\Windows\System32\MsSpellCheckingFacility.exe" -Embedding
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
7ba74bbd3af4dbbfed6e29a87c5e87e6

SHA1
d81c8af12c2a69fd334cb6ec87280e44bbbc9976

SHA256
19de08c5ab98964786ebf9b2872c60babc307a2222fb163f71f1a45a7e8847f5

SHA512
73df9f3e15823d7c9cad49c78c7e8624a79e0e4d221866bff2f1b31d24441a303209d8b2cce2fc75aa05a481989c317818c92b2f0f0b96d22f679a5987abc5b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
19KB

MD5
e77a2f1687786a5129967d530d16d20f

SHA1
677e17ce5ba261bf179305630393972db8250a67

SHA256
3a0997325a3d9594bd4a9bb0196ec23e99023b7d9a0cbb5786e5e07a24d446c3

SHA512
5bcb8eb7676437945ebaf12f62b108b9b3c579564e53735bd1492ededfa0f916585682f8673c3759305a65934cbd6c72e25f3affd89d5713f66909b6a4efdbd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\favicon[2].ico

Filesize
14KB

MD5
521269841ff7f01a1772f3856e636d01

SHA1
7deb793c8e6cb57c23cb3ad1da6ceaca9982adb2

SHA256
65e99ee3b805f7b1c8b08159161e3ad53960640a2c3f952d282af4900d1ae572

SHA512
d72849a984866c1ad66b88d3aaae7cff27cac05ece4a491cd7afd8d31a05557e726f502f4223802d10212a1cf8f769c1484263cc20ee1064e3ac2b0be7ad9d67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZAZFA5CC.txt

Filesize
608B

MD5
356b63331e60efb983f59e544e205274

SHA1
807ab593acf2f28e5f4936850f8c26aaa5e93a75

SHA256
9053b4860924b2a3e84cfde96e8b21d31697e046cd0f79bd60154f6293942b65

SHA512
2607db6fda6fdff9d75806da9f6f567eb6ee7d2ff4980ef24885dd4aa6d512af57233893d73288fe60da139fbe1b3037809e3b294709cc663523e57748ab1072

Download Submit
memory/1140-58-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download