hxxp://mygov-onlineservices[.]com/spipi/power

Analysis

max time kernel
81s
max time network
135s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/10/2022, 00:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://mygov-onlineservices.com/spipi/power

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BB8E211-4E8D-11ED-A503-626C2AE6DC56} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000070bb0f0e01d9821536b937ec401f2fc1c73ac89fffa24c38533d923c244766bf000000000e8000000002000020000000d78e8cae38eb49b8b01f1b22d9e0307a74ef24cddd25401e1e3a65efaf46590b90000000e4b94239548064da5a626747924c1f7250614f7a9e9ed134758da42e65db655f102193d4e641caabda7f42583afe7e5e4b16e2c37f09bbfed33be1cebd38a90aed86160b7c6b78b2b794a533216e968e169740bbad1e8997a3b0f8e6a8b4c14867050386a6f4fbdade3e4b92d6b78188d2a2f9bbc07869aaa2485aee3936a9f5f0cd352e6b4e770f8a732874ae450093400000005c9d8031d1e4c510af1e5c7e6d44b38744f72c114854b93dc96fa27c4562312ad56bddfc37129d855d055ff4c0bce53fdd4249d8fa5f8652c34839365f81f573	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d05bf899e2d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000cde9d19c5b63c9a3ff2151163f475884d8f8a832ade503c98ec5ba5b13f656ea000000000e80000000020000200000009117f1f909d45cc297ef94ff0963acc7827da7ea24220dc86516906bc2f147b1200000008009c3eb607c8070b8396603852cd996f6e36f751da89b4ba70eb3f16f1c6f3640000000207bbec7ca8db8c7f0e8261699e2aaba87aea01dcd8965ded98cffe1f48cfdbaf590783ed066ad9c0878c0c177594f0c5d64fefa28fe9f48bface80ff0ee0ac8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372825324"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1516	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1516	iexplore.exe
1516	iexplore.exe
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1612	1516	iexplore.exe	28
PID 1516 wrote to memory of 1612	1516	iexplore.exe	28
PID 1516 wrote to memory of 1612	1516	iexplore.exe	28
PID 1516 wrote to memory of 1612	1516	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://mygov-onlineservices.com/spipi/power
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1516 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
d43ce09b99f0dfd517e73cd28ce6c538

SHA1
09ec31a7539056b8a752fe6ce17e8c7eec69ba89

SHA256
e7c118a8b90b81e22aabf70be3c6ac804dd6a3e17c05435e9e1940bf12fe1686

SHA512
ec610f71c86734879b25232ba6ab97bbdd6a5c0ca9fc25ab2bbdbbbf37fa8871218bb55bc7c15c685a36a120f86e3b7d3e31115f867a7e3b5edfa69920b01be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
21KB

MD5
834f3542b2b05211f147a4cd146ece56

SHA1
365546abedd281ff10f15b94ebfc7b39042df28f

SHA256
4dd02a9034a2489de299960b024ecbcd96cd91780984aeb0c90d80552fdc7412

SHA512
9587c5d41563f8b0753c0cf0580fee63830ce0e160925ede0b08078dd9cb49296c9866ed1ba72404b38623b805e8dc10a1ba0b368a50a310575c530eda125750

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EKMJEPEX.txt

Filesize
601B

MD5
7c499f2bc1d47bbc6d9c30049286cd74

SHA1
d3af7e8b3dd37a54547451d32c5d2bc32f0be95d

SHA256
e6529080e5f5514ec5828668d9abe7ac54ca71cf118c2cfcb9048cb261174d8e

SHA512
1034749b67d3d509afe45d10f6881b5836ba58f7880a67ed7f5dcc78664238be68ab58abff6e197561bfc3219c1cbd425252bca93bbce74f2d43d58e36fbfd61

Download Submit