ca3b323e79d56522ffcdc1fae88957df32ba9707dbe9669cdb37464b2651d46c

General

Target

Legrder.html
Size

5KB
MD5

6bba883c5179deacbc7fb9bf3dc328e8
SHA1

a36bf68a2d86cf402506b40950e94aee9e9acdb1
SHA256

ca3b323e79d56522ffcdc1fae88957df32ba9707dbe9669cdb37464b2651d46c
SHA512

b5a91775696cc3e411272f7e8e3c8ad9660192f5316d130eef80b83d5bb95be4ebca7eb4e07f1b4228b30d2691aeb4a2e74aa88183e82efeb711eea07353496e
SSDEEP

96:nx+7dkYxh8qWezvrznyotifQD/RbDviKHp29J88R0RimlX1TGkKTQY2E3zEY+Ice:ykYxuqxr7yoH7RH9HA3vR4qky2EbzFos

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{153E3231-6B40-11ED-9201-42465D836E7B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375980825"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000891600dcddf09fdd26f57b799d0fcc7917853fb573df9c36b02ffe77d21ab9c5000000000e8000000002000020000000b6b1c090566639c8d5d7bb76135601367098da772b299eec63046b83d8f0987490000000b76a395a5fad66fae34cb0b3fe92eb56044bb252b633095690496d5a1642b5f99e5c177b36b7d34bb8d4600e7ee1cff7089c0418fe9277c927014b2ca5aa1c7e5fc23d8dac284462eb5b49a4c114d1af8d2b07750fd4b99b2db09fdbe369ac4ed71335f1da68fbd127c7d1037e6cf3a2b3db64ef85297df3b4b8d13ece29f80c2aaa5026a75ded33bcf6d0cb60cc127b400000007a35ca544c970ddb8d516bad3d411a14018b5999e233e4ede9a631d20be1d7eb029a0276dc6d0386a63d0724a3d52ea334548c696aa33ea12e227d4fec8b49e8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000f8e9726be108a8a8cf40e5707966a444779373508a3e366d7d648b38e6dc82a9000000000e800000000200002000000034f1179f8981ae078634c1ce3ec7e64f9980de4a3db46585280f8d59a832520120000000e14d3f11cf4b35859c9dc6182afbb4f8aebd0f3fab0f756f632b5d43a7aec82a40000000d0580ec761f3ff3d892fcc60f5751d02a5f079c9bf7a398ae5ff29a53d13f7d2c66e7792d4f5c4e833a9834cf1148a230c9d59282f72323de41d64b96a54db60	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a30df14cffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1284 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1284 iexplore.exe
1284 iexplore.exe
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE

pid	process
1284	iexplore.exe

pid	process
1284	iexplore.exe
1284	iexplore.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1284 wrote to memory of 1532	1284	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 1532	1284	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 1532	1284	iexplore.exe	IEXPLORE.EXE
PID 1284 wrote to memory of 1532	1284	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Legrder.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
afb4315b330df82b420175054f2e6d0a

SHA1
fea317e59523001ff1baf7ad9d03b6e15f82f3d2

SHA256
d1f0725f4d132072fbf6c09e1a260954b89aa6cda9e33877568e13f86c0b8c0a

SHA512
0f9ef7fea055a4ed00fa373afc24ee3474f03393a4bbfb29f7686ef62d2d45b68a445fd73f3d9fceba9e7c3d054b002c33cbebded0da79ba5ca62ba48bff9c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AC2EEWLT.txt
Filesize
608B

MD5
519ab825060c5bd62eef68cd49c16cf5

SHA1
e5d0431bff83150a8151639a1a4ef25494b1ab69

SHA256
f7b2565ed61f19d8c07356f1d8ea56af1bdcfcfc7fc2847c2a0c793c55ba7593

SHA512
db87452b53b13934ae4b79fa3bc7f9d309866203d5542bb14a4e03aa49bbae43e2d80c849363610e21965e1d7a119c4ce3c7904a40bb86433a80c8f68b943702

Download Submit

Analysis

Sharing