58cfe05602669ff9cdaaf97e072dc81b064d7d377f803df89ba32e247d735a42

General

Target

58cfe05602669ff9cdaaf97e072dc81b064d7d377f803df89ba32e247d735a42.html
Size

7KB
MD5

aa7c87ce8642c57c7a14fa0eba61532b
SHA1

7afab9fc5e6c9eb7f88e70d10630084634bf2845
SHA256

58cfe05602669ff9cdaaf97e072dc81b064d7d377f803df89ba32e247d735a42
SHA512

190c97066b771e5fc64466c0c95b2ff71afe58978f839988590105a6d1de161cd94f517aad92c2a8de52cd42900fb5605ad3ac2f05a5f063d1ffaa4b37fc8352
SSDEEP

192:fJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLu:BSGabMPvLddLXuSwSTLdlLXugfo2Kau

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b33519102c931a4d874101e54259e8e30000000002000000000010660000000100002000000066cf38ca0fb20123bc89fd0100498e4be624d7250d06dac4ac02bc1c863a6017000000000e800000000200002000000029172525d12a93cfb3a01807a300d7d495c51ff03fbf3b0c1f97c46d5a16020f2000000040815daf4288c5bb5de02beee2d98fccfec1d68031176ef2a693badec4f4eff5400000007df85ddb0ba775bf0d1853e8217843d02e89401bc48f871b3d8ff15c62d26dcbae71f7cb086d7065612f36d51f331c70ec947e19c974a82bed9ae329e7b7bd6d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b33519102c931a4d874101e54259e8e300000000020000000000106600000001000020000000bf556bae4d22faa8712ccdbc231f04fee39f814e2769c11b0aea97b315aeb5f2000000000e80000000020000200000000a07392a50e7010c0a3292423a5369350e53e78b1f54adbe68b99ad04c44cfac9000000094bad97d86a57d6cd7ef771d42175fd2920d9561153c1240914defef484836b676a0f1411663b00f60913e8bdee876ce773886da81a83ef8c3f0dfc8bcb62d7fd98d8d94dcc54128d0a5536b8d4280284d11b9bff45304771571edcc9a632cb066b334332c968b503d65d28daa5afd9e64f45680dc07f4b63ef6853df17cb7cdf4d3feb8ee5c43de658210d793dc48b040000000784e9464cd297f5b9cec275338030577c20513c77f3de1dd6044206599d0468548e1e1e1c55ea2e2327ab9ab56382a08d0b8fb06e0abe607dc85a6686f02f8b5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09fea5b27ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{837C8151-6B1A-11ED-8C11-42FEA5F7B9B2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375964712"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1184 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1184 iexplore.exe
1184 iexplore.exe
840 IEXPLORE.EXE
840 IEXPLORE.EXE
840 IEXPLORE.EXE
840 IEXPLORE.EXE

pid	process
1184	iexplore.exe

pid	process
1184	iexplore.exe
1184	iexplore.exe
840	IEXPLORE.EXE
840	IEXPLORE.EXE
840	IEXPLORE.EXE
840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1184 wrote to memory of 840	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 840	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 840	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 840	1184	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\58cfe05602669ff9cdaaf97e072dc81b064d7d377f803df89ba32e247d735a42.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F8U62SDV.txt

Filesize
606B

MD5
b72894fbc6589aa038d94c221df87f8e

SHA1
75d1c020898a0e59f99074a96319d864af1635d2

SHA256
5fae53928b5822ede00bc233dfb328902ea5908338c5c953129bbf8af7828389

SHA512
7676c0b829ff3a0486b819211bf6f0d37d039e448e6582479c54a53ea0bf184dc82fc81948f74bca29b6c8f2e37cc3b3fdcbb46b93fed78c50cc1ac22ddf3eca

Download Submit

Analysis

Sharing