d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

Analysis

max time kernel
106s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2022 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

onno.html
Size

315B
MD5

a34ac19f4afae63adc5d2f7bc970c07f
SHA1

a82190fc530c265aa40a045c21770d967f4767b8
SHA256

d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3
SHA512

42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000001882b72d3a3b2d538936d6fb017db5453372da6f44029722b694f28e7a7e12ff000000000e8000000002000020000000422b0650ec967e56c967742a0886539cd13ee0e010f294a2606a375795252201200000009c54a650974ec737c1a0ad72e2c94acaa433ca09c09b5836cd2df61784c4587640000000fa540d69acc7735ebbe8b76696ef830dfbc5cd1a02497848b1ef6a6371634493a096e2ae889f8f253cfd8d03d16ebee00d4a8e2c204bc289690097dd10a695c3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url7 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b142160000000002000000000010660000000100002000000004ad1c061942d06bdd0905105dcad03e87b79a9de457519a29553c9df02fdad8000000000e80000000020000200000004a1c5020c361b7b46c9dded35d10e219558e933b8d807c92df39955c9343c93f000100009318e685acc27667141b14d077b7aa8630a1f5e7bb3351d6bc60b07de47194e332ae9fb706f29dc4ad463bdda57fb074e57277c4202a1a950a8e1b7b171269f96cc3118a7335d4b5966d1a404551639afa667d5026b97500dce2e5542d428c5110144183370674021403bbc014a31ab6f1519b7669b05c5d0d7630b926dd1982710d4b685a250785b405dee1f123d8f4734b3771e592d93bb4c67ced0eca8e4b8a1dc2cc6877be50b23c4e3dc760e2f8892c76cd759e762caf9d9254ffdab745ee73033e6195846fba4d58c794b69bf137a9b78e0f164c2e07e8bbfab4c6933ce5e62f2bfd59c7a72c1a089820d63a79b707d237c62c137830704f245c97056c400000003c58984c71b7bd216fbe8914fdbc732ab460eeaaea854a7af6e20107ff4bf9119c79f85767c7c43aee8747edfee891002953abc7cf46c0c162bf9698cf527a61	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url7 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url10 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1A4D7061-46AB-11ED-B696-DA88DC7FA106} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "http://artemusa.cl/index.php"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 06a7d6e6b7dad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://www.facebook.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://artemusa.cl/NewfileReport/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20bd7feab7dad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://artemusa.cl/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988983"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://artemusa.cl/i"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url7 = "https://login.live.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901216f3b7dad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.aliexpress.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = f3d2a4eeb7dad801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 06a7d6e6b7dad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url8 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 303ad8f4b7dad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = f3d2a4eeb7dad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "http://artemusa.cl/onno/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://www.facebook.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://artemusa.cl/newfilereport"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = 303ad8f4b7dad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 06a7d6e6b7dad801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371958596"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4008625505"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 06a7d6e6b7dad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://login.live.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "http://artemusa.cl/onno/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988983"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = a90303f3b7dad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 303ad8f4b7dad801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = a90303f3b7dad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url7 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3046dbe6b7dad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://artemusa.cl/onno/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = 54e43910b8dad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://artemusa.cl/onno/"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1120	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1120	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1120	iexplore.exe
1120	iexplore.exe
3440	IEXPLORE.EXE
3440	IEXPLORE.EXE
3440	IEXPLORE.EXE
3440	IEXPLORE.EXE
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe
1120	iexplore.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3440	1120	iexplore.exe	82
PID 1120 wrote to memory of 3440	1120	iexplore.exe	82
PID 1120 wrote to memory of 3440	1120	iexplore.exe	82

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\onno.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
2ff7625e84887471e8aa67e6ac11f735

SHA1
cf9396de83f5822338529f1c0c51f41da5eee8d8

SHA256
27e0b6144c294a9cefbba0145baea8e299a0fc3b1bd897bf9c3f6dc0109207e9

SHA512
6fa10ff0000cd4ef9ee689e70adbb5f181019be9d74e0fa74276e3f1a045a2f735e4f705d3d0cd9acb2f1a7772bd56be2166a3bf64da9024bf0d9b3dbfdef556

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
50e10d0c1d47ed3dad34cfcd6a9d764c

SHA1
7ccc215400c6c89e794dcf3b8d7b7ed006e94fec

SHA256
4e194f75beef2d97e3b4e3fdf4a49b5ce0b5f7f112097d3093b33d257b2912a3

SHA512
7f67c1ac984e0f2de6cb3e12fe856a86a0e6f1d690ad668fa11c94932c5846f12008fc375187e0c93f40026613096184e36aa4804896f736aeb1bec27fb265aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
cb41a99e418a6fd73d64bc21eb118ab3

SHA1
2e3ead40660c3842c380a5058c43f788be777ded

SHA256
51cae0d8277462e1cdff9ef940173b0b99592ace29247bbeb6822b341b0e2778

SHA512
c24c0f859605f1206799e43c2771a88cf9cabf55b61e87f4ca833a01f4caa536679a7175d0362be28a0c1193cc777c9d3582f3e5d8898c935329fa0be3d8b4b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
08b8c1dc96f562138953924ad8a3bb10

SHA1
efd308ca1c9fa32dcb9e49df1d97152c0cfe94a5

SHA256
6f61b8b2ac8dae453ffa898aa31800a9001819ac3ddc5ee47c28a7fac3847340

SHA512
2e517382ae2e8c659ff5bb7818b066ab7a489e53b91926928c12073e12aa58bae7b361aaa9a02a48ce7893f681987d8185d400b121d9973da87aa6c4dfa5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
1KB

MD5
f879a46da1e7540b839f2a025dc5d576

SHA1
b7a8cb1d75c139b8300f5a903f99fc488e5cb5f1

SHA256
56c829f392650c401f4743ec461944ddb75c093852f709764ebc7151fb45775a

SHA512
31cf6553eeedbb515c970872349bf050285fb03a2ebed36de3acc57931cb2d379f62ea3c030ceb2c3b09d7bb014b401e2051153ef70eb3d7958d918c69e75385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\26HZJLHZ\favicon[1].ico

Filesize
1KB

MD5
90cfde72c2d8a88ec0ac752061b2630a

SHA1
8d2c13871e3163a440dbef51758cba902b6f91fa

SHA256
3a5e7871d31ac005df07314a0a61a38aaab74aa986e7dc7c04e1561d907a4b6b

SHA512
50e0cab0d44f3bc6149ed60f80458ae62c7649c06cb69ac7ea8feb7a05d00ea1aab27f45331e68b5a92b68a5623f2359dbc6dcb277d0e6d44d240bd0d650624a

Download Submit