97fbdf3fa750b4dc8ece261aadf20f6eeb3ac9fe36fab31ec797df750bd5d38e

Resubmissions

17/10/2022, 14:48

221017-r6y2yscbc7 1

17/10/2022, 14:47

221017-r6bxescbc4 1

Analysis

max time kernel
138s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
17/10/2022, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFV05KJSTW093FGSQW.html
Size

197B
MD5

44a996bfd69170b3ab20fc34e8cf203e
SHA1

0705154751a757b976ac23f852854205d153c290
SHA256

629af1c59e3b773bccda809191c580569d2b3b01591dcfe1cbc13a6d3d17777a
SHA512

2977e4ab10a6e0fc43302d2277a67850c6c4c6dda8d7528e79f4a47c80d0b161fc0add2aaaade122b0dabc3c635124dddae6eb36f227c91f039ef507fa379e7e

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC6D7FB1-4E2A-11ED-A03D-460E09B1FADA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000c7b9901da890b3c4825ca1a4ac372f679a7e626a921c4f90026e8f65da7852d6000000000e8000000002000020000000b90b9f5814e8fc0d144c0291be856bc0e36a1bc399b630bb35f8f0c99c7f17362000000060484e7c21d187b04fd03db0ca9371651477aa707db844ba197a7d5f92600b1240000000470270442e8e6593f0c34b75298c92d11adeccd9e4057ff65c1202c7fe60865bdeabfac1faf68804219de59c643012d287f515b8f2e42ea6bd04fa5012ee1178	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000bffb634cc5bc28a18a53efd14e8c15eacfb0936046b8d7246b6336b84d9157b4000000000e800000000200002000000016afccede799afdf4a90dfba18bd49f8d4515270f079feea2a046bb4ae6f9bb690000000379fa01b112faae810684e3290f00461ec0b3ada952a2b9d59d8ed4ac75dd1dfc3e2982c4e281e1a5b41d371c1f9a5e56982fb5097e53555f1ea8265a8817fa0eb708030d97c16b2528f6c5cab347cde3cad45f9811f5fafd16b7f07fe5a0d0cb113b62ba759114f8d25b59671307744c37a59bd1ec8ac942a4dc16628d2fd16ee647e118a60671d26e36685c83e3f5a400000001504cc4ba8a9497ce34d37fff9177326ee71db5de459d888c063825484c59230f3b29d17d6c5e3b427def7a0e0bee80df46839a9a11aab6d69e952a5d1c9fd44	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107db7bc37e2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372783130"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1152	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1152	iexplore.exe
1152	iexplore.exe
464	IEXPLORE.EXE
464	IEXPLORE.EXE
464	IEXPLORE.EXE
464	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 464	1152	iexplore.exe	28
PID 1152 wrote to memory of 464	1152	iexplore.exe	28
PID 1152 wrote to memory of 464	1152	iexplore.exe	28
PID 1152 wrote to memory of 464	1152	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\RFV05KJSTW093FGSQW.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cea94b17aa828da817f304089b2bb9de

SHA1
f93e0b6103536bec9c15d18ccf0c6d47bf8aec80

SHA256
eb9bc6acc7131f23ca2884af0f691ff25066572b68ccd40ea635993b5909ec7f

SHA512
9a09873e00f04b75b8ebc4f06d075c9a45e2453a0eb4359d1109c32998e0b2206f6e818fc67d79d6acc952229665455d0f673a5bb3c0a9b7b96b5d4fb9172df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\favicon[1].ico

Filesize
32KB

MD5
c1b7b01a77373a4052ced836ad18e760

SHA1
a036f28f8c38f0bbf05bcdb1478af1b288d65011

SHA256
69721f70a637170c940ef0553d60ecc7fd9525395502aca8e4ff278285b949a4

SHA512
a7c6b4bedc0d16c8053b65379e1320a87a4e6019ddf675e25580c43729b11f0b7bc93139ad950ec459d0acb08794c389af7909790feb62f014da871e3dbe3a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TFI52I0F.txt

Filesize
608B

MD5
8efbc12cbafab42ff7cc54b0ce0b98bf

SHA1
0fd21875684fe135a524f2e4439ad41829155262

SHA256
b9581a3805b5a202106ddac99109e7f2b359513a7fd16e67fbdc3542c2c591ab

SHA512
bfb6313157af9717bf30048953f460694179180adc41301d7277e227dab0dce37b34aa4df824bf864e142030a9242ef93e292cf4bb51c7392ff80516e5c37d0e

Download Submit