hxxps://wakasapp-stores00-webauths-ospiz[.]ondigitalocean[.]app/#bgi[.]novo@baltic-crew[.]com

General

Target

https://wakasapp-stores00-webauths-ospiz.ondigitalocean.app/#[email protected]

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4EFBA211-69BE-11ED-9E35-7AAB9C3024C2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d39830cbfdd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000b1ffff3622cccb3e10e0e260f826bf71c38ce49f1748c4275db396a302ebcb70000000000e8000000002000020000000061d93859fc075a502bb023c7a265c46c9f01940b90f5da936f74a9ab2726b1820000000f1f0c7f3ed8ce9d527e1752eb04ef08fe017335c5ebcc4904391ac4efd1e0eab40000000c61160b48853717e2c6d45a1d3a37393f4395fce66879df4788a9f44150e44fd27e93af85dd6166b24872a557b1310c5f79ef1a06d6fa6ba760ca83f79e9ffeb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000ed7563f595833fd6f9d9045a1b088612580e28674a01c233401df3e960f268d0000000000e800000000200002000000009ad071f87fac02a3d4dd653ca84a6e1b460d0811c094f2ffa8af5d6549c288f9000000043690a716628b9647ec710317fe24473c2244e48822d87f74e8f0fbbd439a3969866a05d154bed94bc994371678c3b9a4c92492b1725ffc5fc2bcb6b6c0b5c9c3d623d64d8dbc02b13a0f76a804f774e601136be27b7d6e1d5af835552590a34a11a4c140680bce72d8fd7524b532f5f27a693557efd1cd1b73a2544c861c8622679354ce84e2029297b30c01ed0fe2e400000000c6ea8fef4a32e8409297c3cae2e28ad9697eb83f4ab82e630a75c9a30b15a42efd53526793a5677b64788b0410c8cc74b1c39227a02128fe0740f2b84129a0d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375815142"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1396 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1396 iexplore.exe
1396 iexplore.exe
1324 IEXPLORE.EXE
1324 IEXPLORE.EXE
1324 IEXPLORE.EXE
1324 IEXPLORE.EXE

pid	process
1396	iexplore.exe

pid	process
1396	iexplore.exe
1396	iexplore.exe
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1396 wrote to memory of 1324	1396	iexplore.exe	IEXPLORE.EXE
PID 1396 wrote to memory of 1324	1396	iexplore.exe	IEXPLORE.EXE
PID 1396 wrote to memory of 1324	1396	iexplore.exe	IEXPLORE.EXE
PID 1396 wrote to memory of 1324	1396	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://wakasapp-stores00-webauths-ospiz.ondigitalocean.app/#[email protected]
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
f739b394d30d392d8eb28922bf5a7e12

SHA1
78124ad341a0e03ecbb7660011409767e6678fef

SHA256
4fff638b8a8f8004eb7a6f5d71ba702373ece50bbe85f499d00d09e7c86dc543

SHA512
48cf40407485d1a22f728220a64dc15e85cf051a44104019efa868cc7fccdefcfea2169eea8fb72be819a8c67892aeee72fd22deca31b8bfbd3f8018e55e215f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
9d6f9bf1d8e1b29be1a1d8650bb3f855

SHA1
399b7e4636d98de974e478cf15cfa5c93770c0a0

SHA256
e434d4280e060a8a0f958bb399eb35858c6d29f3e425e2c87ba60e6399c6413e

SHA512
cc86d34638412aee3747d96bb63dfb5727d00180568b153dcdd0dae78d2049a38891f4cc63394f145a73e61d900cfd15d930ca0da61982a37ab213d43baade95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a2ec1d93c42160b3a5a638a91a9fe27

SHA1
19c2393b3e01a60141a29fd7e5033c805eadd75e

SHA256
f043576fa5fa96a172c041839928232a8e812a3eef82e97a9e8a8c9a89437676

SHA512
6103d591f719377488825ea19ecc355098b39457bac97efa56fefd34f4d0cce9e916998811a022e4a782b7eed8c6ed37d4240e967d740801fd67b11d4df4c610

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C1RFW9YR.txt

Filesize
601B

MD5
f83fdf0a8003d37cce56b942e4c43177

SHA1
694a1d422dbdd32185262a239ec772476ca79825

SHA256
d689a6ade1b05ee301b0169363afd96c13ba6edb7458342a5e9d1db123c6ec3d

SHA512
02ccf47135c9558da578dd89dcdb66846f6f179830ad7cb9e9bc4c62b82bdf5ca7a571e6552399e04999552af387f25b6e82a364e72cfd4c4f5d7b2da8e75404

Download Submit

Analysis

Sharing