ec91ad5feaa2629e61a5dd658a6ad0b4432c71b69ac69413ec0ca4f903c60df5

General

Target

ec91ad5feaa2629e61a5dd658a6ad0b4432c71b69ac69413ec0ca4f903c60df5.html
Size

7KB
MD5

fbc66341415ee5755c3473045611cece
SHA1

e7bf6f5d50ac61d9ada79d0b34c92b3cca94c2d6
SHA256

ec91ad5feaa2629e61a5dd658a6ad0b4432c71b69ac69413ec0ca4f903c60df5
SHA512

8b7b91e7e920ed5a3c9a2b82b741d7e4fe412fd41a56b7285f0c312907b02ba5fa7eb4cb2787564274a618205dcfcca3da3816ce527bb678b02d75287e3716c7
SSDEEP

192:UJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLk:+SGabMPvLddLXuSwSTLdlLXugfo2Kak

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40cd841524ffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0fe111024ffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375360184"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3A28B4AD-6B17-11ED-B696-5ECC372795C7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000545d55d2e0e6314cb4b3e440374dc31400000000020000000000106600000001000020000000dae0b7613bfc155eb0db39a77d00be9cdcc97202c89805c315ae4e95d2f4e1cd000000000e80000000020000200000008f7a0f83e97d5a03d7b75113267c4b5749cc02d6ae20573a11379a99b91f18bc200000006066eebb16687631a2b4cdd1fa567090bfaad68414167b712354f4f6227fc35940000000a3d0db1e0813337c6c362372ec97c1a6ee285e932d5098df3be21c8bb5cb9436594c46595b5302193103ebb8df5cd09bb1fac0bd4fcc7f22d268b132c1800f9f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000545d55d2e0e6314cb4b3e440374dc31400000000020000000000106600000001000020000000e744d9a18efa91ce577f8164d23e2bd1a24f96815968aa68d91f1ad6c96e40f8000000000e80000000020000200000009b5797a126297a87200675ef0227c7c795fd5234d70a5c92fa56e50be4fd65b72000000074363c75e4b38cfd74725914ba928f8cbbf83938fb54f878b8cff5b06b73966f400000001240a464cbd458a280d1c516487d1ae780f68737df73c900910c03b786c65b3167cb72df140ee01a921efcef7b7df575a092756eb61ae6ae2a6c8ad932cf12e6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3376	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3376	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3376	iexplore.exe
3376	iexplore.exe
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 2152	3376	iexplore.exe	78
PID 3376 wrote to memory of 2152	3376	iexplore.exe	78
PID 3376 wrote to memory of 2152	3376	iexplore.exe	78

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ec91ad5feaa2629e61a5dd658a6ad0b4432c71b69ac69413ec0ca4f903c60df5.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3376 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads