07aabd0fd863a99305a8707abb29949ff48a4118dd1c4e30ce33b7f1826c2dd7

General

Target

NEW VOICEMAIL _MP3_11232022 113052 a.m..html
Size

39KB
MD5

8b2f312c45592b809d8b71b9cd8e02b9
SHA1

4868440789668204302f40a714a2a19ed27cdf71
SHA256

8cc1517d549ef382509648135c46b4289f1595749e6f57ec139c47d927aa9b3c
SHA512

8e03cc0a29c501de91841c2069362ae77f73a4051181349ac8b5383f138eed63e890021ff55183fd901cf5776667011e894a63f945dc8f242ac5b9399aaad3ec
SSDEEP

768:XEEBVC3xkND6RLuQluKYEpj/Kb5F7C4iwD3MJV1bOWyp:XxBVoxEKLr3pj/KqTiWyp

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EAB3461-6B37-11ED-904C-EEAC7132E42C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb80000000002000000000010660000000100002000000088615820aa662387d771e15e196e55a9b1cfb72b1fc712d1a7d6dab0cfd5b153000000000e8000000002000020000000d1f65f061638f303a5fa739aa1008be8d094c2f444c3fc1c240d3e99f23b4afc20000000da7bcc0c8525d96f02ef28843d5a5cc48892e340758ad161a9ef06fd653f03c940000000c9d00325ab09b5df341080e2fddcfce813fd622ca9157345f02fb0d7d53ff9e5936d48891c503253c108c091b89046f55ee09008d7f0fe24539be5c5e3f2be83	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375977145"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406b0f8144ffd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000a274052d4267175ab5100816e751586dccd3adc848ee88c89b9248766c398855000000000e8000000002000020000000cbbf86af67e6cd9a021327cb7a18aa111afbcfe77dc98d40716b731973e334c690000000a4f5aad5473108d01ce5aba6a849bc6f013307c4e3dbbf1b764c2c3005d105b4ddee8f122fae92f3fc9833705931e73584786f2f59b0b4e065c050c742430e38912c488282d754be390a807611e15bceeb68031517986869c73645e5e8c574c3f146ba75370a05220d65f4012df1c08e7f832d7c0912e1c4b38b151aadc55c698e14f44202d25a7e65577f4897b93a864000000079bb5d429ad4aef38b3ed1dce2379196f573b4b014d3515501b2ba9e2a7aaa39cf061f151e35007b7ab56a2d0d5ae227d0007cdc534575990328816a31581157	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

748 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

748 iexplore.exe
748 iexplore.exe
1916 IEXPLORE.EXE
1916 IEXPLORE.EXE
1916 IEXPLORE.EXE
1916 IEXPLORE.EXE

pid	process
748	iexplore.exe

pid	process
748	iexplore.exe
748	iexplore.exe
1916	IEXPLORE.EXE
1916	IEXPLORE.EXE
1916	IEXPLORE.EXE
1916	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 748 wrote to memory of 1916	748	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 1916	748	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 1916	748	iexplore.exe	IEXPLORE.EXE
PID 748 wrote to memory of 1916	748	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\NEW VOICEMAIL _MP3_11232022 113052 a.m..html"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
95e9bc069340c046592fe6c9f4aaa606

SHA1
82d2b37c6f7974b732eeef347335ac393b07d5e1

SHA256
c89b1e4fa260c0d5a1d1e8ce7bfa5a36c7851ca3cc49af13ece8a0cbd560cd68

SHA512
1931c6127908f950802b0abd9eb82dd3aacc86d0999a4f6eab700a1a10696acab203df149d09ff149baa6600f675a015d9f8f424c276da23cfad6e153c7e1554

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T8TT6OHP.txt
Filesize
608B

MD5
f24cfe5b5b624678974267930f575344

SHA1
2cb41bbf636d4d2deeea3fcba7306813428808e6

SHA256
31ec323bed52f668fa8065a58d832ffc25ff20d5f7e049262b26d4422c1841c1

SHA512
9a0f9b57ae237038e275bd9ea8120e9ee1b58891925c980f5f8205c7dedbe0f56544fe88af296d9b79679656228624572f4f84c291e37156f99d584a365d87ef

Download Submit

Analysis

Sharing