73aae338633c6243d5a34367a55c33cb6af25d92e1880f44b70593a24d39e4f9

General

Target

73aae338633c6243d5a34367a55c33cb6af25d92e1880f44b70593a24d39e4f9.html
Size

7KB
MD5

c5e3e54c99c314c003671de650f1a635
SHA1

a92050b62fa196932988d83023553b63e42b9fe2
SHA256

73aae338633c6243d5a34367a55c33cb6af25d92e1880f44b70593a24d39e4f9
SHA512

d0005fee6c5e473f78fbc6a471856150b4283f0c70c83315b0e0fb31601118139c6233f735833f9ce99eda90cbb3b646295dbebdd40277663904f6cdd808cfe7
SSDEEP

192:KJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLN:USGabMPvLddLXuSwSTLdlLXugfo2KaN

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000771e449dc1715a4da0410c7801136e8e00000000020000000000106600000001000020000000c69f2c928c931057aa57708f5aa807d6b49723cb4b632580c0d29ea080ec461f000000000e800000000200002000000084088e9c7e4e80c83de3c7f6dccb44064e8148a0c920ef19c5136266c2a08840900000007456619b2ae325bb2d8a2105500a7eb3049ce85de6f629e8847ff63ffaf01838086cd1b897037de4c1300d9f5f6da183c52b46c5a0e612d3ac9ab00efef9dc8e3f21e904da197421ad6c56aef61cae9c29b21ec9e16a60c73bf973e4a818e4ef9fcd04bdf2f576effd1727e8de564622764e4c19e6e29d1bc505bc87f59c973e851a06723b18815afafa2154f00a32b540000000eaaaf9311ff7ccd5c7b3cb9d80ea8508706f1b7eb9b6f61637510671303e437d6c8cfa880a4c26d4d9247f625919a619f64f9440e8a551648676f1951ee1852f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000771e449dc1715a4da0410c7801136e8e00000000020000000000106600000001000020000000f12422afef749b077086b1775f8841b10ca87d57f3e7d4c50c2077e0e251a156000000000e8000000002000020000000afe42f26988b5775556cc8d773d8d6e51611614d3c3467cdb2a7bb48724eb4b6200000008514efafb05d0c5fd52585aa2f55bfc5fb5eb9b960a118ebbd607f942a38f6fa40000000d6b484a82cf00a3947489f5a8d38372d7c6b831ecdaa4e5c402dec7d3b2ae03450bdfb962f297eb75461f6dd5faf129209c112a1c67408835d7c9db8de698696	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F624E951-6B19-11ED-BD9E-FAB5137186BE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f4c0cb26ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375964468"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1932 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1932 iexplore.exe
1932 iexplore.exe
2004 IEXPLORE.EXE
2004 IEXPLORE.EXE
2004 IEXPLORE.EXE
2004 IEXPLORE.EXE

pid	process
1932	iexplore.exe

pid	process
1932	iexplore.exe
1932	iexplore.exe
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1932 wrote to memory of 2004	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 2004	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 2004	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 2004	1932	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\73aae338633c6243d5a34367a55c33cb6af25d92e1880f44b70593a24d39e4f9.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X6RALT39.txt

Filesize
603B

MD5
f481b8eaab69054121d899045e4626d1

SHA1
ca983c960c59808732283c42dcdae09fee037bb4

SHA256
0e19ea3e0225beffed04bb9b2c7903edf36e48b844994f13c599a37ffa34660c

SHA512
a5dbc25d03a3a9c3cdddf215846e4df6294d4ff58a6fa95a97ced44cb36c438b832ca2f8c484c5e6d504d676757429c9a0b671d7678dfea67f761a5bb2b0ed94

Download Submit

Analysis

Sharing