01501f0bb6d27b1bcdf7c6af55575893f4b09e3b47a7fb6c7771919b8073db3a

General

Target

01501f0bb6d27b1bcdf7c6af55575893f4b09e3b47a7fb6c7771919b8073db3a.html
Size

7KB
MD5

74c9ac690305be85d931ef6bbb185597
SHA1

247248416eaa073466599c3759b41bd8308d66e0
SHA256

01501f0bb6d27b1bcdf7c6af55575893f4b09e3b47a7fb6c7771919b8073db3a
SHA512

d0805ba4bd925af4aa4184c5c50846d503675843db3b945ac983c583e90150fc227785edccdd0fda22f5ce97abab8eb92ce21ddb3b41b69f0041d18a342d0459
SSDEEP

192:BJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLw:TSGabMPvLddLXuSwSTLdlLXugfo2Kaw

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375965451"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c88b1a29ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4295A0C1-6B1C-11ED-B3C3-5263E908E3CD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000004a1f39bc7409183dd6b2b641e1b42296c3c0e8309ab94dcc0caa81ebdf3dfc79000000000e800000000200002000000026bdebb70fe1fd8b6233a63241602c07447551514ef905a43c0f5e6a7369e3b220000000e491dbe26034cbe95954957b1f078db7c14bc44797bf0e4fa70e35856160a56a40000000a3354f775c0b4c511202b1fd56f1306c5ad48ce3f0c7fa20193b3299a21ae67c4566c1fe8eaae02e8310ae9f7307c12989c962cd562e6b64a8d68f565166dafc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000a95cdb996ba27774589670d045cb1061e727d80164417962309fc07eeba18fac000000000e80000000020000200000003ee23bfb208116b0039600c7008067eec4908ab08fc2ac973c4c23528ee9ac4090000000ea24265b84247c2d5f1e3a6627f76ca61cd99cb0baa9674770c932ef92a72f55d5ceac9a9378409ed2f5c1174b4a7beff169f23cc95d1e4e1b28bcd7de68e6c8d1c6f693b41b38cb1c6095c23e8a040d70e27885823404f85d044857884a4f49facc105ed547394e9e40437c6301d7d9708e0c949c830cb73da364a7c7425ef03ccd55d917e5d84819f527cb17319e5b40000000347937426bafa6dbf63f62222d56e40f3e35ca9972562fbf902ada65c4e97260197621ce8dfd9b574e369a959018a127d4902fddab06ed2d076b028354ac0a52	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2032 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2032 iexplore.exe
2032 iexplore.exe
588 IEXPLORE.EXE
588 IEXPLORE.EXE
588 IEXPLORE.EXE
588 IEXPLORE.EXE

pid	process
2032	iexplore.exe

pid	process
2032	iexplore.exe
2032	iexplore.exe
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2032 wrote to memory of 588	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 588	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 588	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 588	2032	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\01501f0bb6d27b1bcdf7c6af55575893f4b09e3b47a7fb6c7771919b8073db3a.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0YT8OPRD.txt

Filesize
601B

MD5
3bd92d2ab0a44f71bc7f9c1ddb2e8668

SHA1
6d4c55d6393719557b4fe85646dfa1fadf6717d5

SHA256
f677f6bb65e81365657b6ec92e56611060893d2834a2dc30db19285c3b6841f5

SHA512
5077140ef4f726062ad217bc0fc6fb0691301c538531c93d7fffcce9fc76a7dbb4cff5e8397b87528a5593f0c24eb496c7bdbac9998a76b6b14dda70137e5cfd

Download Submit

Analysis

Sharing