hxxps://track[.]deliveries[.]cyou/continue[.]php?mode=savio[.]greg@yandex[.]com

General

Target

https://track.deliveries.cyou/[email protected]

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1600 2744 WerFault.exe

pid	pid_target	process	target process
1600	2744	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CDB55648-6A4A-11ED-919F-DAD30C974647} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b79cb057fed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d090b057fed801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000027e94a5b12801dd916de6b7ddd155c2204e18bd3d5b3f4ed9fe89f30df65eeff000000000e80000000020000200000006eaca2ea804f57bb859c526127b8bcdc3f80d2b3f7d160a4482bdba7df1cfbc7200000008dde455f87dc4e15dc3f1729c8c980f53064868fec4c34eceeaa0da366e1d6a14000000074002ac5523f49ab76d09e6dd84e975d95bcd2a66b937f5153693b951e6dd7c71ac2e7b63bb3f62a85fe5f74fe0697abc898ed7dfcc3dd34fdfee2fb503a9654	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000007475c7b5acebe36052eb1fc66b026d6947c95eeec6f07d7fc108abd9ea0c42d000000000e80000000020000200000007ac33dc864a44b577d091d7e0ff3b065376da9e9071763c2c0bc22c17160d870200000007ef1c527067f1184f3f20d9389f3a33345e2de6d7dd46deee01e2c2b7385cf5a40000000bd0aecd1b03accd464f8fe8dfba4bfabf2d15edb96c24fb85648a11ece8bd65675ac84b3a9f57ceaced02902cffcfd69f0c5e1f0eaf1a703fd3de1328bae4361	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375272383"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sdiagnhost.exe

pid process

1520 sdiagnhost.exe
1520 sdiagnhost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sdiagnhost.exe

description pid process

Token: SeDebugPrivilege 1520 sdiagnhost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exemsdt.exe

pid process

4272 iexplore.exe
2552 msdt.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4272 iexplore.exe
4272 iexplore.exe
2140 IEXPLORE.EXE
2140 IEXPLORE.EXE
2140 IEXPLORE.EXE
2140 IEXPLORE.EXE

pid	process
1520	sdiagnhost.exe
1520	sdiagnhost.exe

description	pid	process
Token: SeDebugPrivilege	1520	sdiagnhost.exe

pid	process
4272	iexplore.exe
2552	msdt.exe

pid	process
4272	iexplore.exe
4272	iexplore.exe
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsdiagnhost.exe

description	pid	process	target process
PID 4272 wrote to memory of 2140	4272	iexplore.exe	IEXPLORE.EXE
PID 4272 wrote to memory of 2140	4272	iexplore.exe	IEXPLORE.EXE
PID 4272 wrote to memory of 2140	4272	iexplore.exe	IEXPLORE.EXE
PID 2140 wrote to memory of 2552	2140	IEXPLORE.EXE	msdt.exe
PID 2140 wrote to memory of 2552	2140	IEXPLORE.EXE	msdt.exe
PID 2140 wrote to memory of 2552	2140	IEXPLORE.EXE	msdt.exe
PID 1520 wrote to memory of 1260	1520	sdiagnhost.exe	netsh.exe
PID 1520 wrote to memory of 1260	1520	sdiagnhost.exe	netsh.exe
PID 1520 wrote to memory of 1260	1520	sdiagnhost.exe	netsh.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://track.deliveries.cyou/[email protected]
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4272 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\msdt.exe
-modal "589918" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF1A4E.tmp" -ep "NetworkDiagnosticsWeb"
3⤵
- Suspicious use of FindShellTrayWindow
PID:2552

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
2⤵
PID:1260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 2744 -ip 2744
1⤵
PID:4864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2744 -s 1752
1⤵
- Program crash
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NDF1A4E.tmp
Filesize
3KB

MD5
0ce16e3fd33c89c75b839bb5950cfa0e

SHA1
4c99e1d0b0ee690390a505230568c11faffe3b5e

SHA256
375314b687522565c4deb381079fabe1669b25662f9ed41fc196756c35d10dc4

SHA512
0618bbfb192fb658d752d5a977e0415f22b3797ebe1004758e775819b1014a7c611051c0e32950a32b809b3deea5d6c8ea3d75630fd3f0c74f53d909677f76f6

Download Submit
C:\Windows\TEMP\SDIAG_8d6c2482-8139-487a-aec5-7d715b36ab66\NetworkDiagnosticsTroubleshoot.ps1
Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_8d6c2482-8139-487a-aec5-7d715b36ab66\UtilityFunctions.ps1
Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_8d6c2482-8139-487a-aec5-7d715b36ab66\UtilitySetConstants.ps1
Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_8d6c2482-8139-487a-aec5-7d715b36ab66\en-US\LocalizationData.psd1
Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
memory/1260-150-0x0000000000000000-mapping.dmp

Download
memory/1520-140-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/1520-139-0x0000000005B90000-0x0000000005BB2000-memory.dmp

Filesize
136KB

Download
memory/1520-141-0x0000000007110000-0x00000000076B4000-memory.dmp

Filesize
5.6MB

Download
memory/1520-142-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/1520-143-0x0000000006410000-0x000000000645A000-memory.dmp

Filesize
296KB

Download
memory/1520-144-0x00000000077D0000-0x0000000007836000-memory.dmp

Filesize
408KB

Download
memory/1520-145-0x0000000007A90000-0x0000000007AB2000-memory.dmp

Filesize
136KB

Download
memory/1520-138-0x0000000005C00000-0x0000000005C96000-memory.dmp

Filesize
600KB

Download
memory/1520-137-0x0000000006A90000-0x000000000710A000-memory.dmp

Filesize
6.5MB

Download
memory/1520-136-0x0000000005B20000-0x0000000005B56000-memory.dmp

Filesize
216KB

Download
memory/1520-135-0x0000000005AC0000-0x0000000005ADA000-memory.dmp

Filesize
104KB

Download
memory/1520-134-0x0000000005DE0000-0x0000000006408000-memory.dmp

Filesize
6.2MB

Download
memory/2552-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing