fe07061b93a53905bc380776f5b6e3d2be6ca62d368b6f31c13563a50187cbb3

General

Target

fe07061b93a53905bc380776f5b6e3d2be6ca62d368b6f31c13563a50187cbb3.html
Size

7KB
MD5

69f77c70d2b975b9afb78d1e28d56782
SHA1

9b70b52cdc7bc5d49c0bec11e083989ef32c5098
SHA256

fe07061b93a53905bc380776f5b6e3d2be6ca62d368b6f31c13563a50187cbb3
SHA512

a54c97ad59cbb5cddef6e08d023a7a64d1399d4ec1dd6f24d1c829176ac8c86ce0c589e70a10ed756ad7867763f22d150f3a351cbe7547bf864a0375d71c0c82
SSDEEP

192:bJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLO:tSGabMPvLddLXuSwSTLdlLXugfo2KaO

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8054a7c723ffd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a2b8e90573d5024eb39d2385e30626f100000000020000000000106600000001000020000000bacdf3381204e1f312411d2b1625cc5219d763ffb7a24f51346725cd01652e65000000000e800000000200002000000027b5968cb8eb9bff3d91e509cfa33ebf58b357e3b408a8e222a9a3af27d566a72000000069523aa82d9ff357432c7418468f7a1afc75bbe4975ba6a23d4e1235edfc8ef84000000085d333430304c8edfe858acb6d5b15a62551bcc92b8fc46e34251def2841bfbbb12481c130ace85cf3cc212b3738317ef33f00ce566fbfd1660a28133a7c036b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a2b8e90573d5024eb39d2385e30626f1000000000200000000001066000000010000200000007dcaf4722917a3bf7a236c5ed93acf36eb310312bf3e3f9d6821d0df0f1cdb51000000000e80000000020000200000008cdd98f7533990c600f745c1c22ec6fd2cfce70ca04268a190fae1da68c1ed38900000008dedd714331c2ee4fb496f46f8aab95e0da8f772de417e1f68cb7e3acc4d00e67f81a0d8592aeb056fd9142f74c8092a957a0b6133bc2d6f1314d237df38e714ccc65bee8f248ed04ed21eb3de19438ecd7b398329c2073c10d1fbbc0989cd96f19ea8abfb8b1ebd1a9a3bc79855f251d4ecaf263ef650a7f30fa47373c72444a2ef1f4609efb9b2abcac137831cba2040000000ad0237a5e25e3a97fe8d27a404f6d41eb38cc6941a3b29351b6221ff7111f1ac7b41f306b86e6ac2e45c089b3c9e8cb307a6fda1e17fbd14ec90e7856a707642	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375963156"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F1A2E331-6B16-11ED-B25A-FE72C9E2D9C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

880 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

880 iexplore.exe
880 iexplore.exe
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE

pid	process
880	iexplore.exe

pid	process
880	iexplore.exe
880	iexplore.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 880 wrote to memory of 1532	880	iexplore.exe	IEXPLORE.EXE
PID 880 wrote to memory of 1532	880	iexplore.exe	IEXPLORE.EXE
PID 880 wrote to memory of 1532	880	iexplore.exe	IEXPLORE.EXE
PID 880 wrote to memory of 1532	880	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fe07061b93a53905bc380776f5b6e3d2be6ca62d368b6f31c13563a50187cbb3.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:880 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4ZV6I6QU.txt

Filesize
603B

MD5
c24be5905beeef2c305dfda768b03dbb

SHA1
76aa71f9295d9b1f4d9f070a16805baafa5c7831

SHA256
ce48bf24a94c8b32c7ce59fcfc1988af923a4f8e11a9561a6ac8f7f808efd8fe

SHA512
5cd24e84df5f7c6a47938debe4e45194d8a53f4bc22f57da37b3c83983c0bd5130acce8aa30c46c0a366adcd8bf3f13ffa996ffaea2e00a6304d19d4b3c87340

Download Submit

Analysis

Sharing