362190aa7522e5a6438d3491a1b591b582399e26005b9d092466e1f083d68965

General

Target

362190aa7522e5a6438d3491a1b591b582399e26005b9d092466e1f083d68965.html
Size

7KB
MD5

305a91a49129487f24dae1c4fb62055a
SHA1

d2897e3f5cc26a8bc8cf46594cedacba529d75f2
SHA256

362190aa7522e5a6438d3491a1b591b582399e26005b9d092466e1f083d68965
SHA512

e63be378c3712c8efc93342b1ecafa6e1204b9ca9cde373d9b1729c301395b07ae00fd2abaf900523693f9c5794dcb000475ca6d0f4f8b1409b89934ed55afe6
SSDEEP

192:GJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLS:ASGabMPvLddLXuSwSTLdlLXugfo2KaS

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001accc879baf2b540b062c8b0b139bacc00000000020000000000106600000001000020000000a81d923e617c0b5b9e02e95a27e8938ead8b11ca04a42c7c6c53c06bd8949501000000000e8000000002000020000000712e2850d2c00fdf4bc448ecca2acd852bd1a93dfb84770584f865f5e853936f20000000a2e3296d17809d10281dd5e48d7abdc4549309c93be90ef081f3e2b93bb2dd7340000000bb77223656ead6c8a6c370082b8bf63049df001f21bd70a723653de860cf47da354a367ca3f05b284e47b18482e294077ac032122907385c1979a34032eb01a6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001accc879baf2b540b062c8b0b139bacc00000000020000000000106600000001000020000000c118568d1af711068f955d48b3a67c5c8fa7a859c9c25b99e797f20881117ceb000000000e8000000002000020000000d644f28a91b50611fc1eae27a6d32d279332940d66695cb2dd60fc173e210fce900000005de242792f3819a9802764ee5c59f6ced520b8cc7fa27e52a9aea6a32cc7ad3d313e2f08a1005d82773b0239b7d1868202957a40c04830e54fb9424476ad5c2a1da489d83b8edf0a5025321474d6891ac2c55b4e9d55380248f8b117c2b9f47bb0b5d86111a94db1d3af179294c493d5215656056918fbd13f081b5871397c37ebf696f33c3075e0e3eab419585bd88140000000bac6d7ce2a7455fc1726b064849b1d191d53ec2c38043b367307cc56d4d13142a7e9ac83ecb977f2c3c862117c276dc09608e3f3c32086a7d1e3d1979f6c5408	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26F5DED1-6B1B-11ED-84FB-6AB3F8C7EA51} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4051ecfd27ffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375964978"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1896 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1896 iexplore.exe
1896 iexplore.exe
1648 IEXPLORE.EXE
1648 IEXPLORE.EXE
1648 IEXPLORE.EXE
1648 IEXPLORE.EXE

pid	process
1896	iexplore.exe

pid	process
1896	iexplore.exe
1896	iexplore.exe
1648	IEXPLORE.EXE
1648	IEXPLORE.EXE
1648	IEXPLORE.EXE
1648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1896 wrote to memory of 1648	1896	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 1648	1896	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 1648	1896	iexplore.exe	IEXPLORE.EXE
PID 1896 wrote to memory of 1648	1896	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\362190aa7522e5a6438d3491a1b591b582399e26005b9d092466e1f083d68965.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I2MY069A.txt
Filesize
603B

MD5
646d593e9c5f96e872c2924e6521194e

SHA1
38a8af77add667c7c5a38bbc7d38cfad748a23e6

SHA256
02d645ea2ed5cc6202a651a5d34773607ccc1b868b5b7a6b4ec4e2318e88b3d8

SHA512
01815bc13a0a602fc8fca9201ee9ecbb333a81981293c0666586ff87e40fdf537e2b4222f2de13ecbfed0b008d75b59a3d0960378d80f49827490c0c6a95a4a1

Download Submit

Analysis

Sharing