d191656684d570d49132b1c5bf0b5c392591e1739f68d92733173a62398963d0

General

Target

d191656684d570d49132b1c5bf0b5c392591e1739f68d92733173a62398963d0.html
Size

7KB
MD5

996b9a945f1512f57436431023590b38
SHA1

87682359dc1576a92c965494eed2b6c0bb8629c5
SHA256

d191656684d570d49132b1c5bf0b5c392591e1739f68d92733173a62398963d0
SHA512

3a9a5d38a94dca84c2385e3381aa8580f65cc786aed0293a4e117895f93230221adb45f2bca44c47885b1232fdfeac1c76367dfc3185969e667506476b64f0f2
SSDEEP

192:IJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLj:SSGabMPvLddLXuSwSTLdlLXugfo2Kaj

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED266651-6B17-11ED-B1F2-72F0FB4431DC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000009c9833961fc926f4d927221ff22ac5acbf560c952e2f6a413c106bdd035e80a2000000000e8000000002000020000000ed21962d6380c4c26c37debe52c9f3c11523e1c59c4945cc5fab814681e54e90200000003dfe2d90462466541b8f80d6cc5c0026c41e0a8712209402493f6d3390cf880340000000d790d7aba282fd518a191186cd35f8a4e23f4d97878aee7e2aea65d0872b3cbc52e5f1b38c974c63a6d015f20dd9e4be1598fc01a1bdf19c1a652127db6741a4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601898c324ffd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000752db59cf34c4f225f281b0810031ccd1df6f2ab032aa436d7098d27f346975d000000000e8000000002000020000000f1d506bb573684b236afaf1b11ea2a5383e0f025b7bce866ebafe161eb6b80f790000000b78e4f742ac0aa9620fdc75a057fee9db417dad55f033c6d77765324ad62e36a074faf50b30a72f6df3d471c488b7dd637b4c88782d27f829fe34ed5bc9a39a579a7f63fea4a90f037aed907c992884e694102056e015690ec69295e9064492ba7e8dd9c401a10d4d0575661286d69d0b83ebeab864a161682f4d5558969eb6f071671c1657dd7ab11f037513ed97be740000000eb692f9af48a33b850f6beb72752718f3575d962fd0ee02428025eaea9c4a15eeb827f667e6dcc86222e0f828de0e010acef561f41c2e136a5fff56ac4156c75	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375963596"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1124 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1124 iexplore.exe
1124 iexplore.exe
648 IEXPLORE.EXE
648 IEXPLORE.EXE
648 IEXPLORE.EXE
648 IEXPLORE.EXE

pid	process
1124	iexplore.exe

pid	process
1124	iexplore.exe
1124	iexplore.exe
648	IEXPLORE.EXE
648	IEXPLORE.EXE
648	IEXPLORE.EXE
648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1124 wrote to memory of 648	1124	iexplore.exe	IEXPLORE.EXE
PID 1124 wrote to memory of 648	1124	iexplore.exe	IEXPLORE.EXE
PID 1124 wrote to memory of 648	1124	iexplore.exe	IEXPLORE.EXE
PID 1124 wrote to memory of 648	1124	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\d191656684d570d49132b1c5bf0b5c392591e1739f68d92733173a62398963d0.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\435VJD2N.txt

Filesize
601B

MD5
0e3c423dae35d8303dfde90247b33393

SHA1
b2f6fbeb1dc2bf8173015dd6f96b6504664ff636

SHA256
a9d7ba204efc653c11a199e07fd2655b9322e58c13f530da4bf69708054369a2

SHA512
900a670a3fc7316e247c5f4713451c8533ca7eb0cc1627c69a836b65e707c775aa955527f7b4f5fb712907c12d1fe829e061e610e3a5c81937b420fce18c85b8

Download Submit

Analysis

Sharing