533895e9cc2aabc901cf40644a0d09aa1a24f540a39417265cc015828a992a75

General

Target

533895e9cc2aabc901cf40644a0d09aa1a24f540a39417265cc015828a992a75.html
Size

7KB
MD5

a974501f577e2da37c366fb70db47f82
SHA1

e4dd5bd363926fd9706737cf26ff1ae9fb5831e0
SHA256

533895e9cc2aabc901cf40644a0d09aa1a24f540a39417265cc015828a992a75
SHA512

d8e669d2c4620dfaa386fefa162cc452d22a4b750f9254f572c19d526745a250067a1be9486df54938c01b4617a9647406d417b2ebc877bf59688dee4d32f51c
SSDEEP

192:NJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oL1:PSGabMPvLddLXuSwSTLdlLXugfo2Ka1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004c792549abf1a04c98dbdd4a013ba3af0000000002000000000010660000000100002000000035e943c14b5a6f74d116e38c658535670f1149fe47f929048681e82dc0b7bdab000000000e80000000020000200000009cb02931a9fa028fd16f6f5ab103a2427be29ab54efec56eab315921bd635b3e2000000006b99e8fc53af21b736976067f8657c66334febba0348afa32baf9e32112393e40000000f3b8942fa45f1f99b1458f0d8590622451af40982212076ab1da6164040e2cdcca63ff731280abbbbd38b3e43fbc16269a207b8feae380d021c4fcf1e841d318	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 509ba87927ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375964763"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004c792549abf1a04c98dbdd4a013ba3af000000000200000000001066000000010000200000005d7c6bf5999278654d138feefdeabbcb7526e5f011e016bde574d72612911bcd000000000e80000000020000200000009a59cb4730c3051de6f258508b6026f52d4906691e70eec2b4c1815907ee0f7d90000000c63f2ac89772f485982afb9975ef716521dc80dfa0f9ce2582ba9c61fd9db3aa27615fd6ce62c38c8628faa95cf1e9fd6cec8b506d480962e510dd624a3b9af6b77dcc5d490b861f7a3b090f8cf40f79aa2e3bcd8443e7df346ea1a040c6fc19ea824ac2e16749e4a1c0c16e28fbd4fb78db4f2a703b2625e6cc4a9397fa9454500d476f9a53b888499f71101919a1ac400000003f0ace7d250767f47394bb7fb943f00934dacc5f9b471dc8d1a6ab0df76a8e5bbe8162d791aa6c00b5eaa992c6b92453ab05b47f3e169ab247c66bff400558af	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A33C4071-6B1A-11ED-8DB1-7A3897842414} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1860 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1860 iexplore.exe
1860 iexplore.exe
1212 IEXPLORE.EXE
1212 IEXPLORE.EXE
1212 IEXPLORE.EXE
1212 IEXPLORE.EXE

pid	process
1860	iexplore.exe

pid	process
1860	iexplore.exe
1860	iexplore.exe
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1860 wrote to memory of 1212	1860	iexplore.exe	IEXPLORE.EXE
PID 1860 wrote to memory of 1212	1860	iexplore.exe	IEXPLORE.EXE
PID 1860 wrote to memory of 1212	1860	iexplore.exe	IEXPLORE.EXE
PID 1860 wrote to memory of 1212	1860	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\533895e9cc2aabc901cf40644a0d09aa1a24f540a39417265cc015828a992a75.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6DR1HX9J.txt

Filesize
608B

MD5
72da33c271b0c9474bde92c434acc910

SHA1
fd5c8b3be80953b7db5a491fedb6c73afb3ac3ed

SHA256
726ce2c1d580e231d042db1fe0b101140307940535b6e3605582297a024775ab

SHA512
f6b68ff3bdbc464564bfeb3d586f8dc9a7c82993f0da263ee421944014644c9949fc31ad42dc201d76a4cbca95fcd71b19c6551692d6efaa75df9943bdeaecd9

Download Submit

Analysis

Sharing