23965a31886c7c6071a236c916e029f8c11bb8784434a17a7a080ddef02253c8

General

Target

23965a31886c7c6071a236c916e029f8c11bb8784434a17a7a080ddef02253c8.html
Size

7KB
MD5

fffcb102eb2c45ae43a21812821da1b2
SHA1

f289968017355da5760a3fda37e238b3e129b5a3
SHA256

23965a31886c7c6071a236c916e029f8c11bb8784434a17a7a080ddef02253c8
SHA512

57dbeae428856a0f37fc6bc7b2b7ddaa25488427acdd1b570609f5c21175e2a5b3cb7490956e9f6f2506ef2da2215107c11c58f1be1aa7828e6954e11aa71791
SSDEEP

192:7JSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLx:NSGabMPvLddLXuSwSTLdlLXugfo2Kax

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F06C6CC0-6B1B-11ED-A676-CED6325FB9F2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40842acd28ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375965317"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb80000000002000000000010660000000100002000000011372e3614905277d784cc2edb3f4100aa6b6d15b4f63f2ed9dca639f8613db5000000000e8000000002000020000000c45e7fc0629c8b4bdc6ace1982603e00a4359943bf0fe45cbd182db9942369a520000000340ecbe74fa27dc74c1e0d365f9181ee842149f04612555b680a668594f725bf400000003dc7a90c624bef0d83e4568eb9fe7056be78868a56bf74fb45ab5a76a45473f84882f0336d3d5675aa98dc1c03d28445809e72773a0a8cd64bfecac5579c2f8f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000483f381f675b63327b4d8770cf7b3c7bd33c8d3422f2d8bf72eabd818db1e69f000000000e80000000020000200000006a4af1529bb81599c9f21ae5d9f302f8d590a7b2beab4b5cd7f358927d662e2d900000006605dee2160f1fdfc8f6ad8c0f0fef56b694222866d61b5249f967fccbf0cce4413b5d21e54ead5b21945168f462bc3198e629e2dd9788eb4b5ba4a54dd03683b3cd1d9c54bd410b0782047f041c1a404ab81802ec7fecebd1d0c190f70924f21a2475a63ef207125303e2f063cf5c971b0a67ae96babca075d9177e325b3cb42f916f3dc689ae5cdf215de19ba83dab40000000ecd7e5d439cd6c0e8a924fb72d273ba3f5deb2d24240c4a4a61297793f3b0651a51e8fced491a20e9a1f7ef3940a6de07734975d8182fad1585ca09e401e3112	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

668 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

668 iexplore.exe
668 iexplore.exe
1844 IEXPLORE.EXE
1844 IEXPLORE.EXE
1844 IEXPLORE.EXE
1844 IEXPLORE.EXE

pid	process
668	iexplore.exe

pid	process
668	iexplore.exe
668	iexplore.exe
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 668 wrote to memory of 1844	668	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 1844	668	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 1844	668	iexplore.exe	IEXPLORE.EXE
PID 668 wrote to memory of 1844	668	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\23965a31886c7c6071a236c916e029f8c11bb8784434a17a7a080ddef02253c8.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:668 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EZ1KNK22.txt

Filesize
601B

MD5
a27941facc6a6aae5d30eca25eef5b8c

SHA1
64d42200908780c2f976625f1b3a378e3d147e82

SHA256
97ecf70726ae73984e2f0721f384b677ce8af5bfb5090d436488a1a5ded2d7c3

SHA512
16f4b5a6b83ffb3070d3e81384e2fa0fdc72154ec241edb32247fefa9fce25e309fee8f08028f93bdcbed9ec70fd5b7f4013fb32bbe8c3f32508367ca516cfdb

Download Submit

Analysis

Sharing