hxxp://promos[.]fling[.]com/geo/txt/city[.]php

General

Target

http://promos.fling.com/geo/txt/city.php

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f04939f772c5e94abedc946b9912d913000000000200000000001066000000010000200000009f764da369d313384b9ff5fad0d53294405bf13079ac7e41b6bbb807164fb833000000000e8000000002000020000000ca4374f4998f9b672cd0bb5746e2b14ed41f4d8617b36e39a3a80c812138e7ee200000005921525e99fb31be45b2446cd41dab02c1e89c84fc4e83d2945de0fb53f55aa540000000316a6f5bfef1cb1d04a1d85cdd773858072bf15550548c008e1adad8ffb046a4e36d972cb48561b6c7f6d739acee4e3007f7ccc61c47cef3e4d22ba0ed3bde8f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d014ea6a28ffd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f04939f772c5e94abedc946b9912d91300000000020000000000106600000001000020000000b0ad96115bae7d2613c3390498cca8ccdc632b1833aa4de8634b06b939781704000000000e800000000200002000000091870eb0b469e972ecf9dc731828a4370898ba74b0ce23b5c310fb57c667ba5590000000ee4a2585989c4165f768c1b2e319d17986f629355c7485efccc3be554c8e714c29437887273d6b44d3cceb8d90570955487cf8d2e14e0e120e3b65154c08ea06bd0017489ef2cf8529f6261b1228a659006af1b9f3808eea66af18b0e9e980e6332fa646dd6ca56f095fd57f1edeeaa3f0873ef7003c25c8783186f411b7bceffdd1165e3e6a1daf33f0ca465b6e7e334000000012f1fe7b3e3dcf4a02bce805ee8aac2cf2ed169c8a6152b2b490b180953b90a9ecadda89059ee414b04f4f9c452f7722c674d4adff3fc79f5aa7d331b806918b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375965113"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CBE2AC1-6B1B-11ED-BD84-7E4CDA66D2DC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2020 iexplore.exe
2020 iexplore.exe
1080 IEXPLORE.EXE
1080 IEXPLORE.EXE
1080 IEXPLORE.EXE
1080 IEXPLORE.EXE

pid	process
2020	iexplore.exe

pid	process
2020	iexplore.exe
2020	iexplore.exe
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2020 wrote to memory of 1080	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1080	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1080	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1080	2020	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://promos.fling.com/geo/txt/city.php
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
97381f82ddf1368cb30b771d0a2db017

SHA1
94bd7abe6624379b6421f239b1cb27964ca374b6

SHA256
e7c733969965aede2226f844138efa411dfa0c3b7498fadfb9eb6c86959b0b45

SHA512
d21d0433500c9bd1dee70cb570f2a9d38af71376253545bb468ef2be31db91416d8487ed1cfcdda91bbabaf37eec7a48d7f7b4dc7d6a01f3e5cddc75c3d6f917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
Filesize
19KB

MD5
7c9b370de1f8b4c3568bd03f571fd40c

SHA1
dd1d93f1cc8b1b6f3fec040395baac0eae97eaaf

SHA256
07a677e17dfa3c8c60be60061048a12da578e81a71637c585d084999da0404a0

SHA512
19b6456590572f49a0ce7bb3ff145eff299860ab5cde7a7b1c9753b2c3b15bf3217ea29aace9bb9f540592cf38756b4427c6c432a6f595b9760539ab4f864340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DHMG3C34.txt
Filesize
608B

MD5
d65834e68cd601506c4a5918f282833a

SHA1
153bcd16628169c927037cfbf0c8461a3832a38d

SHA256
04862954a895b1296bd2f0263a2418152f37e083c9e84d67c0200b61ef857556

SHA512
a2265ee618d8a1130f62843faed4afcce76a682e4c941058002a2af1d5ce9f42f64b1fdecbbe31217d9b1548ec26bbebef402f8a7e552718b2491cede38adf9c

Download Submit

Analysis

Sharing