hxxp://alufap[.]pt

General

Target

http://alufap.pt

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000a05f154aa289b7a7e31495ea216cbd59ee63fabdb9c64e2bc0188ebc18e61ed6000000000e80000000020000200000003b591ff1203e89920c21a15ea8d82d8741714dde9600a3e81320b1e728e19f7f200000000fb66eaee07003b3a6c12d4528372f76eea22d633e46cdc22e727129537874ff400000005abeeac06bd123f91fd8b9a8ebcfd59c9c003a2b76010be62e4cea7390a357be913c69b0374361d80252654f4ccfa3565670cd39559fcaf69f5e3cf2af219137	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376060453"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000005f35844ee1c35ccae32a39ab9cb35030027534ff9a3fe8d292b6f577c641b2c7000000000e80000000020000200000009151e656f06d802c3c44f3b7cf56c4d490adda13bd231bb27a818557f5ee99c9900000005a22ec2816d76b63bffaceb300cc631aa43ec31481b83ffeda434a1c379cffde0c982ccb952dff928696ba3d9f7723f2e55ec86e8509f4363074a1b915992fff24775b6044b508f0141e4d343d8efadd04f13a75298c8761a3c169e08a5d61747d0ca4fce250923a0a8ffca336e3325e8ccf1d5c4553479bf74b58b373d2575f7f5a6605e662db927a4c232910d8f5b1400000008d277f9daf61f13a27596eaa4c715257dbb997133eab3511055d70cacf22d7bfd63199ef3a7d1f84189bc1cef4b67ca3b493dbb9dc46774d2fda4e5d23ad103c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0eb32650600d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74FE5881-6BF9-11ED-9BCE-5E5304B417C2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000cbeeb9afe925e4b22cb9837c9706c5872683c317063de27fe292d2057b9055c8000000000e80000000020000200000003597b807b838f9c241f73a7736bfa897b03de5aaf0b5c74d7b44b35eeaab66941001000097be06597a90471d41fb19a688055491c7a4119c50685f78f713d351949b1c7bd57c768f9ed75fee28d6db3b2d180823b35874b781f7775f07aeffcb94db488f6ba4d1ef45f136de5ee0b9a2babde7246158c1e96b6da79963a16319044cb2f87e1e4191f766b21cc925698965d0b9a957f21dbc8dbbba1ff8bea4f053968b3089b501a96785769fc05f4878b11a296add70fcd8b0f47170ac3a0635e907e2526f9c5081000fb0524527cda7d6239c9c3ca9565954f7e936c67dd91dfc303e46316c49e2c91c983956442ea9cf663887c9c82921400fa6690febb4d19a2c1b2088b6b3c8b55a8924936049399f84bb6024d0e96d5753db60f89c1c43260d06db387758ef34fd30aa59de7c8e84c306f740000000421e2d61318e31df63ce2078a21b7b8fc22b9a46cfdb7801ac6b59adc35cc8e9d7c06c4615e416fa38ad27f4dcf952c88310d38194f6bdd07bce98b9ad0eb559	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1680 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1680 iexplore.exe
1680 iexplore.exe
268 IEXPLORE.EXE
268 IEXPLORE.EXE
268 IEXPLORE.EXE
268 IEXPLORE.EXE

pid	process
1680	iexplore.exe

pid	process
1680	iexplore.exe
1680	iexplore.exe
268	IEXPLORE.EXE
268	IEXPLORE.EXE
268	IEXPLORE.EXE
268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1680 wrote to memory of 268	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 268	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 268	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 268	1680	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://alufap.pt
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5c1e32f4979f8ce930a0f081405d9ed5

SHA1
ffce9566c8e698ac204f434279ebc6e5ea4d9d62

SHA256
857e64dc24b5d9acfdb65d83158bcd4e31478ff961358164086bd2f254c9710a

SHA512
d01252793cfbb7d85f792d53268241385ff986b17312e3ca326badb7013357da1ca962b8580b10984fa5fae440f3b32c44bd6381d799346c61bec9f7f76d1deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1wzfztv\imagestore.dat
Filesize
3KB

MD5
09e12bb7dd7e8d07ef1175c5d28f5445

SHA1
599ce7cf4e0082e8cff3e11d4b8916f222f99732

SHA256
b3167a8a17852ebd9fea6a57157f856f8dba1ea1772b547283d8a70563f6497b

SHA512
83fc38fdb781dd1b7880b366feda27cafad7dd2446809269449347e75c72c066a3a3697bda5553e25d3ce06dad2caee152e0cffd3913cdecaea957468fd3615b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BG0SH7IA.txt
Filesize
608B

MD5
a4e854cf5c08bcdc1b8468c3cb5fbc41

SHA1
aefd5e9b154e7cf669c3b40337929200e4a161fc

SHA256
97d442d5b82956b939110fcf12677b8b00e79fe08570a65f11ec3d5f5f359e95

SHA512
50751eb8186053195061ac3a45be0937b2a06c12077818cec2c2dadea51f2689facb6f2f4a7255a393096b61cf08587e040876229833a051b4c39144c59f3008

Download Submit

Analysis

Sharing