fefd901c6124016ee11bd98e6bf864f4413046311b2d1f339a8b876046b9ce42

General

Target

fefd901c6124016ee11bd98e6bf864f4413046311b2d1f339a8b876046b9ce42.html
Size

322KB
MD5

81e36291f9f6749e1006e3cd4b4b6f9f
SHA1

f6b313849f4893ca11966b9ab5fc9036a655e92b
SHA256

fefd901c6124016ee11bd98e6bf864f4413046311b2d1f339a8b876046b9ce42
SHA512

f80e8a3808f133350a926b745461ea2d50006d41f2f99f11ffa4e2186fb8c32bfe50d43dc4d997b93f16981b1d320a53114c85adc6b609f85aed3191343dc887
SSDEEP

6144:+AYqlQkwQPOjXZ2jYtQKoKhUKVMsKcqOPYlJ/:MJQPO7ojYtnoKXrqH

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375969803"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4002605533ffd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bfccdb3e66da644bac1cb58c1ee37650000000002000000000010660000000100002000000097bda6469cd052decf4820c6fad7c1581bdc311a855ed986d442497483245ff3000000000e800000000200002000000095d22e7a0d3526d092f4a7fce76b44c2f5a08d120ba7897e7a4bf9035108c710900000006ef82758b07d428947b936f62a1636bc941c48bcf9f3cfa25c9bda9ba8a688cb4aa38713a09e6b400fe171a93ee6ded7ed6a4b35464cdd7e58fbfd372ba8249942c7a4e56dbe1a6640f63e3023c39e2a615475d585795e49632600ae8f313fa18872bb0895842363a9a46ecd15fcad25198f32144ae24c6f52bdecf6febc22899552e91f9f7ccd1813d4dd1a41217fcd40000000d984aadfbeb8433066500a2592e769f0d490ced0d8a5dc0059088e46255b42f8e2a15dbdbc3a50335f570819588fa2109c93f79ef2739372d0f79271730690e0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64135031-6B26-11ED-8803-52E8C5FCC7C7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bfccdb3e66da644bac1cb58c1ee3765000000000200000000001066000000010000200000003f7787c832a932e90642df1da2c2f6eaa45d076e6ab6afbe77b76c14ed5ceecf000000000e80000000020000200000004e1c8da4ab9ab5a5f2e390c6e44c267bf04c63a379f50205ed675616585facfa20000000ab2b76be705b5e48ca95669a85776c1326a0f11b638969602af5e244f9736bc7400000008c60c83f9f9adbaaef5595406cf60cbca88b859bcfe9d72308f6506368f2b20f3e95d2302fcfa4bcb1211d0b066112367f4e0260ef56395e95089383c7768f31	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

812 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

812 iexplore.exe
812 iexplore.exe
972 IEXPLORE.EXE
972 IEXPLORE.EXE
972 IEXPLORE.EXE
972 IEXPLORE.EXE

pid	process
812	iexplore.exe

pid	process
812	iexplore.exe
812	iexplore.exe
972	IEXPLORE.EXE
972	IEXPLORE.EXE
972	IEXPLORE.EXE
972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 812 wrote to memory of 972	812	iexplore.exe	IEXPLORE.EXE
PID 812 wrote to memory of 972	812	iexplore.exe	IEXPLORE.EXE
PID 812 wrote to memory of 972	812	iexplore.exe	IEXPLORE.EXE
PID 812 wrote to memory of 972	812	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fefd901c6124016ee11bd98e6bf864f4413046311b2d1f339a8b876046b9ce42.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
9f2784e83091fe0686f1e1c8bf17b570

SHA1
d22f5553aeade1b8769cf187c0cdbc8232e5ac93

SHA256
e50f9e6bb7dd65153013da832ea06e40c1e9950411182502599d7d5a1619c097

SHA512
4a43920582823febbc5f961b8968a98f2cf94cc8fb3d571e6a85b0b49eea2d3a4764f3cc17e5fac1f571b3e11fc4096a7fdb3b71fc39d18529ff302b42142a04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8R1N05BT.txt
Filesize
608B

MD5
f51e2907fc6bfd49704a489eea95e75d

SHA1
26c78c6e97d12a308911216a70b018a72ebf9e89

SHA256
e520ef52df622c6cce317ed89599526b738364e1fb2e2eb57bc9428fda1923ed

SHA512
3d8e6099595108a98e09c550a89a156fe9498c1e783cd5574c38381b5d08b605269235514466dcc31420a9171df4f049e79adaea461f18b90cd8edf250d6bdc6

Download Submit

Analysis

Sharing