hxxps://www[.]google[.]com/search?q=Michelle[.]Hamilton@viha[.]ca

General

Target

https://www.google.com/[email protected]

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000099015186469155828739940e0cc74db4d5abbf77473c580a4283451851e07940000000000e8000000002000020000000133da73e132f07c6f844c3e9e0be79fa6445e5693be77b2e73ca2114de901f18900000008263836dc933ca7efc556aa8a07a4eb817c32a0df89d9dc37d4e652d9de83b9ba25d792aab3fad8478112438221ce07191294e1ae0ffd603dd0d791a6c58fbe370b244de96be4dbd0c30b693e698c3ac0ca097579719d31eab10b07d0c13f8461c226c96d6d3aaa621111f6bc445492a1f5995b3f9009bb079ededa9822eb82dfd3b93041c854d59ef425b85e2ad8aba400000008095493e0df3b0e434d09cd9bb38cfeb3deebf5db06e1e905fd3f055f77f4a6701a9ecf3a63a5d5a14d37416185329a6e044933c4787641fda2286f5d16fead1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000a0a4471e7b97f34a9a2c4756a3c6508058104f148b0a5bbf1015ac9144a1f560000000000e80000000020000200000001ed51335e363d6990cd22b3a4367cfd20a1067b345252a246f08bdf2b4776cc520000000a446ffb6c686b6322049c9a5b5d6ee35775f357edb337fc4f4cefa17610dd54a40000000fe69b18404b384e9bd39c79ec12eb8e1a8594e3f0597cd645a2e08d06fd78ce72b5bf1662f6e29440fcf0f2994dd92e4b11d685311040e68128d497b1bcc9706	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02b06e9eafdd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375828779"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{129F9D61-69DE-11ED-91F2-D2F8C2B78FDE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1244 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1244 iexplore.exe
1244 iexplore.exe
1148 IEXPLORE.EXE
1148 IEXPLORE.EXE
1148 IEXPLORE.EXE
1148 IEXPLORE.EXE
1148 IEXPLORE.EXE

pid	process
1244	iexplore.exe

pid	process
1244	iexplore.exe
1244	iexplore.exe
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1244 wrote to memory of 1148	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 1148	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 1148	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 1148	1244	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/[email protected]
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01540d2f275898cc5ca0ad9883776979

SHA1
019a25cbdb1c3b45935641246e11bca1a126a83c

SHA256
7f294737848df1b9c4246eba717af78304f8deb21b683e7b63d44b57696fc21f

SHA512
5a400448250de97be0d3f05f254c5ee017a9d822fa6bd68ae74b78d98d438da844cf48ad3b63182e2a1060ebe4ff7171d3e8d823b4cfb3e540456841cb7316e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
5KB

MD5
ee0e022abf1f20062e1fd9c1a5641289

SHA1
ffb13ce8a406ec136daf91289856c99ba6b6e64c

SHA256
43f3e3a8cbece3d75a84e1268c28e2114dc846c6884c7badd5de3e5aa6ff089d

SHA512
39358f840ab09a5596537a4e76854e805fd908ff42703b89df60a5951df6b4e8100581de99202e8e13e3e481a7a1987ea607c288bd02896e02cedada7935e21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
6KB

MD5
847eb3d3a6046539cb803d008c9e0613

SHA1
c3b1ae0c82e9036c85ef4e8310fdda6a996e6e1e

SHA256
158da89a339e12052215ded1853efd12720a427d221a514fd8eb371e61e5ea4c

SHA512
717fce5ccd1d0cf9a5a67356fb887ef6f9ba162e5960caabf3df3efd7d8fc01546257265ad3dc1766bdf61abfbbf2262d0911676f82e8977b86a5100f70d4809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PULJ7CSW\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6HSK4M31.txt

Filesize
601B

MD5
861ebdac02eef1478089248ced3ea0e0

SHA1
b936981b7b2b4bc1ec93a66d9b20fa88e2c9659e

SHA256
e8d8e3809fea42680bbe97058d9b9ba44d3aa6c55f65af764a5f376227726b2b

SHA512
3517f88e8d8e0008ad35ed198cf6e4e9dc42ed1dcf7d143ba13b29f9953551f5d9e7bc06009dc44a75ccb4ebfc4cdd94cd69ead441fc5f419fef9f7599c03d41

Download Submit

Analysis

Sharing