bb72d127a48c8c18a220c6e383b7084f66300cabed47ead3540647e6a1969ec8

General

Target

bb72d127a48c8c18a220c6e383b7084f66300cabed47ead3540647e6a1969ec8.html
Size

7KB
MD5

ccc5ded54297da92ea0374802a5c509b
SHA1

53aabf8d7386f43ac21080fd187fc309ecda6905
SHA256

bb72d127a48c8c18a220c6e383b7084f66300cabed47ead3540647e6a1969ec8
SHA512

f2936e6c60931933061c4dee1a2515a4eb90603ea3533edf3a663f43ed17c23f8af3e547193279a7792c6400633431132009a3646459cbd85a6b0892f883bb01
SSDEEP

192:WJSG+9PzqN/PR1A8nddLXuSwSTLdlLXugfo2Ku+oLi:wSGabMPvLddLXuSwSTLdlLXugfo2Kai

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000450fb2aeafac6d4c8ed05e50dedcd24500000000020000000000106600000001000020000000633f0b3d7bf7b9ce9be2ed1127d75a39a3699826cef5e0fc16c4898f4578964d000000000e8000000002000020000000e4d77e4b48b695207b5b301d3228c01d32e6c12478ea98c55d01b9f5c51c87a420000000ea0831130a30455eb9b11e483bd07540d133c6d260dcc04bb01b45206145da94400000000d5f96f487cfe7e35409350b4388a3ab9c4b2770e75248250a9196ed28683dd68e3c83c2f74e9aaa45b0b5f7d452142653c573cbe1767410e89508e94c55b6d0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376250233"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9083ff3bc001d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4860E2A1-6DB3-11ED-AE30-7E4CDA66D2DC} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000450fb2aeafac6d4c8ed05e50dedcd245000000000200000000001066000000010000200000005b770ea0489b5d6179f7604cffd77060cd9ef90b2ecfff80b5571c0fe838cf9d000000000e8000000002000020000000dfc2f5ed2d529298058b96d4c4d7c029d57f84ad2e4278ac4e441c1a0591c80b9000000055f2814f2ed4ec6995072b7cad75092ef4e04bb4fd7ab38b0e86468fbb947a7ab579990615a17ab1c8abe5e9329ac5f8c2cc0ffe0d0c837683c5769f944e43264ff719c3633c00c7c7a78881fd99d9ce36daec93219914e551f0536fca455950aea9e5ebff9d500e7953313f31203eb3e6ab0718dbf7fa621db6f3884e09b22098de2d17e64dcc0d316e1682e2fb614740000000512927b6734db89da389032bd341d87ac78792f93ad84fd96b2af095753365972af487b22ba4e812e6b070f892da6685e8d9d3be818be9cff8f9c31cbab9a965	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1072 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1072 iexplore.exe
1072 iexplore.exe
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE
1208 IEXPLORE.EXE

pid	process
1072	iexplore.exe

pid	process
1072	iexplore.exe
1072	iexplore.exe
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1072 wrote to memory of 1208	1072	iexplore.exe	IEXPLORE.EXE
PID 1072 wrote to memory of 1208	1072	iexplore.exe	IEXPLORE.EXE
PID 1072 wrote to memory of 1208	1072	iexplore.exe	IEXPLORE.EXE
PID 1072 wrote to memory of 1208	1072	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\bb72d127a48c8c18a220c6e383b7084f66300cabed47ead3540647e6a1969ec8.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L5WRP8O3.txt
Filesize
608B

MD5
8e57f35cad31bb54f709b30befa73ac1

SHA1
695e0141f0174527cfd20f9c652ef62c2f229854

SHA256
558a0b0dc34aae6e32d222d8ad1c9b11f0c7b28317e065bd9137c0575fe2112b

SHA512
7069d27fc7af51f8d6d496f2f031984f6b7fe96d86353ad5774acad9867fb86506e17ed30ed91e24b300eedfa9e60e882fc5f11d1296dc994b4746c1b1462991

Download Submit

Analysis

Sharing