1d397914e3f27f195e6d15211451087706ed0be1b7c539bb2bba2a363596f2b4

General

Target

1d397914e3f27f195e6d15211451087706ed0be1b7c539bb2bba2a363596f2b4.html
Size

7KB
MD5

25b832f1bc1aec70831d3763436d133f
SHA1

156ec2dd61cb0a7a056c1fb1fdaea649a961a9de
SHA256

1d397914e3f27f195e6d15211451087706ed0be1b7c539bb2bba2a363596f2b4
SHA512

d5718cf9866dda8eed55ea0de639eb381e361006c09ec57e75440f3cbcfda0b718ef4970175e5ff3405f14161cbc8329fa16cbda5a6ef1b19f86602f58a1fae1
SSDEEP

192:KrJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLQ/7E:KdSGabMPvLddLXuSwSTLdlLXugfo2KaH

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30241004e5ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c4c022ecd88e444b7ea8dcd387f1ea2000000000200000000001066000000010000200000001a17e365fe9bfe77569a1b6ade49e8f67ca2b27ed2c81a5fecdbba6522640dd8000000000e8000000002000020000000dfd9c0626fa63657750386cdd2370c3195af6ec24b0d5a5c0bfd342252b0115f2000000099525c5a860a78b0ae2c9b4649771db81e031fe17ad4b4d10387ea7941ec010c400000003dd3a1a9d3cc45cd01a98fea8e00cddea8c72a4c0d8048d11ea4be0d89fc4bc1f002064e265eebe27b74bdb6a06d30d70d2573140671a4895980238f1603a70a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c4c022ecd88e444b7ea8dcd387f1ea200000000020000000000106600000001000020000000db42e944c1022451adb9f61b2ceaec4bc7cd0a156df446334f4de1fefb6cbc68000000000e8000000002000020000000af2fc73d367f8a3c9be23e7e2d180d76445574df99582c94423441a94a626fc290000000c36b32d463a100737c7fea9c8bab53ea50f5ebaa1d5483a70d98557de36e2539d965248e90093eef2dcd7869ad50cb1c084b0e5d818caca2928409442c899fdc1ce42b3fa9c8b13de32547ee60497d8d0ff7cb0037f2cc80f280bcff872dff9689b7a499ecc243c27e73a319dbed1e9fa6eb95967c0d806f39dceb904216b597446d4e21e51d4afa52306521b813e262400000000f6c65d1080c3f277be6e54a1f361381316d6053eb01109e9ddaa7e557cdaa45d1567f4e45c8c4184c619bf52c3fcfb6d50160f83d14c3586a02d6d808391f15	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376046161"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2E17C0D1-6BD8-11ED-B390-DA7E66F9F45D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1500 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1500 iexplore.exe
1500 iexplore.exe
628 IEXPLORE.EXE
628 IEXPLORE.EXE
628 IEXPLORE.EXE
628 IEXPLORE.EXE

pid	process
1500	iexplore.exe

pid	process
1500	iexplore.exe
1500	iexplore.exe
628	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1500 wrote to memory of 628	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 628	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 628	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 628	1500	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\1d397914e3f27f195e6d15211451087706ed0be1b7c539bb2bba2a363596f2b4.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0W6NXR2S.txt

Filesize
603B

MD5
ac3c71eb3ef968aec5d1a9ec06b20bfe

SHA1
f9661679894d4c41322d27a32f9922f8395eeb99

SHA256
a7fd3f56cfe4f1a3188c4632b79acf7307a2dd2bbc13c6bf7944239c54d37ccd

SHA512
4bba3c5409431933e30f3bdbd639d79b0ae432a9b5c9e525f34a3fc542c0c532c54a9a14bd2c7e3365171001b4dd7bcba850e55635522550d46bb9e0d329c645

Download Submit

Analysis

Sharing