hxxps://app[.]funnel-preview[.]com/for_domain/darriusjames12[.]clickfunnels[.]com/optin1666779151787?updated_at=9da17a5105295512390059049bcce9a3v2&track=0&preview=true">

Resubmissions

28/10/2022, 11:30

221028-nmlezafde4 5

28/10/2022, 11:26

221028-nj1qgsfdd7 5

Analysis

max time kernel
139s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://app.funnel-preview.com/for_domain/darriusjames12.clickfunnels.com/optin1666779151787?updated_at=9da17a5105295512390059049bcce9a3v2&track=0&preview=true">

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b1e8a3d1ead801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C31167F1-56C4-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000003e9951e7a37a60bbd486a5eab5f8efd7a9261f2e24a7014a569ce7ce291eda26000000000e800000000200002000000022018188bb1c8bb729f8a98945d77bb803a77dff5dee5350f39dc4faf3e6a0b590000000d78ad58f7682bb36baf6bfc6c0c1aabb4da314c4b29ea7a0dd4fe9a8fbf57b2bcfd3f49d986dcd6577cbacacf605cc9ec780975386d7e01dcf444a88e28843519ee8a42e95c8c244232c60a9a4dd55df04f309260022c3faa47a565b119261c926bca178d105c79143de665ffd1dc2b8ce876bb82e586fb5a0b80500ed197c4e13ce0471fe04890243dad3811c39a4e140000000196044650ee1e8f1df3e2b24c7dd9acc6644faad58d2a14c865ce8bb06ec122587a749cf3d4ca208a2d19ea469667f3e068b18afd03264cacdde7b462a2144e6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373728835"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000003f05578e5226ec236e33dd6327097a82fd0cb44e45c2909248894a6ed79a7e1b000000000e8000000002000020000000936b80615a0229af745e59476d5d2c4830fbc9a1ef888e5ffb45d87c0133bdbb20000000fbd803f193f55a85ca9eb8766e8927d135c99e6886778a76cfa61ba8bdce1adb40000000c50c668438ace963a3a2dfe1f40942cee3470f16650e5012c785b0b91e21d57d8b6231ce86f0ec723b1310b50f766275890ac7918be97e9067af0331ba5fa8c2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1688	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1688	iexplore.exe
1688	iexplore.exe
1096	IEXPLORE.EXE
1096	IEXPLORE.EXE
1096	IEXPLORE.EXE
1096	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1096	1688	iexplore.exe	28
PID 1688 wrote to memory of 1096	1688	iexplore.exe	28
PID 1688 wrote to memory of 1096	1688	iexplore.exe	28
PID 1688 wrote to memory of 1096	1688	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://app.funnel-preview.com/for_domain/darriusjames12.clickfunnels.com/optin1666779151787?updated_at=9da17a5105295512390059049bcce9a3v2&track=0&preview=true">
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
4563380771ebf6adea7651fb48155d9e

SHA1
465e61b8534ffe9a462618d56a358eb39a15479c

SHA256
f9706c0856c657e50eebc1d948f572a6122b732f12f340fd2e666483d09b526f

SHA512
6c8845ee4ac504982ed4336bfbf0de66671499f138001271fac97a27eb7a0f826dee6a60904256d7a31a869d6fdf19cdaf9dfa6f1ef6d5a9ffb3e134fae43a3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
318736f80fd0ecbe37c0ca03df74da19

SHA1
14cf83b93bb9f3d367e114860c5732d66887a6df

SHA256
25b66c3fde044605caa69fdb27177387280fbcae57021f7c860fcaa623f9be42

SHA512
33dc9e1f09809737e85c217101592f9e51ee925ac64381aaf1b0fd2b6395483deede7f1c7d36c24b83c5983aa1b36636b7d3ffb8b85594e215982dd3da7016dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7db10e017bdec4df07045a5128fa2fcf

SHA1
77f917aec42305d1ea2b9e66b53751e8e18b3547

SHA256
aa59e59e45c8ab4a7e968614954dc4f13b8c9eaf50873202caeea0a2fbdef4e5

SHA512
1ae7668e61422ecb34bd02e82256ec456f82ca4ad37128f79c3fd7db97139a00ada13d98113d4bdd6aacec0c6b050d36b4886151a37ad745d19bd6b20be8750f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
19KB

MD5
31351c100d07cfc7422c26ad7c5a201b

SHA1
ce9f9fdfcc21b715be895037ad0c586a685f8a62

SHA256
3b51c1c45f08b76c4d347f074bc98884818ea1dc9f785b58c1d07ed3d0a53c32

SHA512
3742f96b38f5a9828aef95db85edee66e2d75fd3f03a5530d22194093f671633dbb87665609a8911dee1b84dbdb7207c403ca3cd501eeb4f39ba0288c82f94f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LEYFTU0W.txt

Filesize
608B

MD5
8b3713faa0f6cd93a40b8cb9187d5f00

SHA1
700348b8fcc16097bc8c739c22cd17fd82937f27

SHA256
71b655917fa7a3c5b855d22322f2bd585c45e3e67b16d0c3c772135c6e67e486

SHA512
6aef76b01900373e9f21822a36ebd4e9edf3a064ecaa989f9ab14c03a35d5264f89ee6db7e685b877d97a606abecc807bb9a32d806d9b77e61036f0e352ed252

Download Submit