hxxp://www[.]mcukk[.]com/law/wp-content/uploads/dhL/NewDHL/NewDHL/view/mydhl/?email=user@mae[.]ro

General

Target

http://www.mcukk.com/law/wp-content/uploads/dhL/NewDHL/NewDHL/view/mydhl/[email protected]

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000e5e0e003296f6724e419e6bf8c2b2895d8af17d7aeb724d1380cf38dd7c9f536000000000e800000000200002000000014b56c23d5324e04d474a2b43fb0cc1758142707e469c09c4f268f2f8e01aa5f9000000086eb7a4865332dd193ae48a8fee2cb07b33c151c484b754a225f73b98266f3f7d06dd73b2a3860acdfd2359a79cb27b379413a03ccbe79fd5dbbd7f762cf4335d131038a6fedcda82a1bd7903f3606576c319f91a5be3b03c9ea1501008323cdeb6ca8f6b8dceb8bf70cc0b511fad92c3f32a9c4caccbd0c0e3c6d904af4293558af471bbe29cb9ba102051e93a5946d400000004a74d77ad9094bfbe51486dc1d8ca428fa131f235ea058d665bd7155ee57643b772b8419e2a929e2e83399346a63e58791fb3092c5b7486c7e45303aed6b9b34	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375863606"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{295559E1-6A2F-11ED-AE24-CE372EDB0509} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805646f63bfed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000150091486ef10c351b89c2f2d2f81a40e8d5bcfa4cd1582bd7b02f9e0c9bc3b6000000000e80000000020000200000007429a3f6e8c9976840efffc6fe29c7cd0a141b440f828829587900e2f52fe72b200000006c4d38bd3e015457e1b6ba711c340080a3d247a5c543d9113c4b324815d529b74000000065675fdeb270182ced9978c6f6bd85d7adc32ed0292f47dc87cd0594586e26b80580ad5b1dd19753dd4b943558dcdb4390df84b21e0490f27daf2b777c5656b7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1184 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1184 iexplore.exe
1184 iexplore.exe
1040 IEXPLORE.EXE
1040 IEXPLORE.EXE
1040 IEXPLORE.EXE
1040 IEXPLORE.EXE
1040 IEXPLORE.EXE
1040 IEXPLORE.EXE

pid	process
1184	iexplore.exe

pid	process
1184	iexplore.exe
1184	iexplore.exe
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1184 wrote to memory of 1040	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1040	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1040	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1040	1184	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.mcukk.com/law/wp-content/uploads/dhL/NewDHL/NewDHL/view/mydhl/[email protected]
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
072d3ded273a006d15b706e25e927763

SHA1
68f2840e8d6011ed7fb5fd1753a100a709e82608

SHA256
72ff21c3619cfe2b7bbe00ea67f59604b5e247044c732ac229cc58a0e804e1bf

SHA512
cc837b784b2e4926bdce6eda631a456d9b470207de606684d014133c4f0c2a2a6489b4a0d6f4490af2a693a98e1740aadd943f652139695940d867995ee3d156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
5KB

MD5
24780a5904a5be04fd48b9a58eda968b

SHA1
1af0154d75b405e5528b7573252865f58f29d3c3

SHA256
9b5407ae63d8cb306d30fc7b3f344be1c4e131975f07c2193c2ba48bc7219575

SHA512
a4fe084874d1103416c0868c00321767a328440cbe80e0a594a83a54ebdb6cc8c0e752c64281e04e776d4ccf72a9d2e99b8dbfd3013b36923755df89ba8eed11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\favicon[2].ico
Filesize
1KB

MD5
c5bc9af1fd459e12dd11ab5086c62705

SHA1
cc4c675a38a3cc9cfd0324666443150ef1aa57e9

SHA256
b154b0ebf089ae4a9f6a2fcaf76e9e7a1f68fe3d49e27c02823d896b9dad195b

SHA512
9b6d3fb55077a548d648b170436b0428d98bc39c1c0d0c70295fece9cda6adaa1d79a83bc51121336944903a9f0b1353e9195d37ddc0fd66f44a0298005d05ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\92B0SD3D.txt
Filesize
603B

MD5
e9ddb12d881e2f3f5e6a30d9f555f55a

SHA1
9b578ce5a100ec5534b8baae4bd3488ff19fda35

SHA256
5f59c4c229ff33fb798b92bdb70c243a1fa2b8a82a617031a3b4c01119ff287d

SHA512
f5001fedb7c6d0e0ba8f61b04c74bf2c36c048349e226b266a9246662adf8fa9dea8745a5bf7cb1ed3c34a06ba60dfe7a326f082b6cc5082f40a4f6bf20703b5

Download Submit

Analysis

Sharing