hxxps://bafybeih6vtgmjz67sm64mteg7r2xblhbb27ej6xuwmbe7mdhqnplfsm36m[.]ipfs[.]w3s[.]link/ipfs/bafybeih6vtgmjz67sm64mteg7r2xblhbb27ej6xuwmbe7mdhqnplfsm36m/memzgeneral[.]html#user@domain[.]org

General

Target

https://bafybeih6vtgmjz67sm64mteg7r2xblhbb27ej6xuwmbe7mdhqnplfsm36m.ipfs.w3s.link/ipfs/bafybeih6vtgmjz67sm64mteg7r2xblhbb27ej6xuwmbe7mdhqnplfsm36m/memzgeneral.html#user@domain.org

Score

5^/10

docusign phishing

Malware Config

Signatures

Detected potential entity reuse from brand docusign.
phishing docusign

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B93E2CD1-6FCA-11ED-AE30-7E4CDA66D2DC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a40b7c8a9c7fd342b7ed48811651941e00000000020000000000106600000001000020000000f9a2171198057ab7f0dc4e26028a147d35e68465f02ae8fb26069fca86be171c000000000e800000000200002000000084c89b8c002e5f4fed576fb195b7e6dc7846ef3d528e8eead463d35aaf6db0b290000000321acd2ea5777719223eb2ab165ec73cfd8b449c573ca20922bc0159195f8a3f736ca479a997e4de11781d28a11d383acf7814ed3d76bbfd51bfd902772ea062489977e2c731702cef655364bfe0eaa56d3d78123bdd5502dc2855ce93db322f0ddc9d56fbcb47d269680d6c5005fa8d78406a1190ff01b81f2553e061436a64df96c11ed869f86aa0d5dd9e8cb0c6e4400000001cc382d38b4924f684cd9894aa6c600345c173499e0b25de3c067451c1239d195edea560674ef3e7e71926f453e245683b59070afcfd05780d0a70ec96c15353	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a40b7c8a9c7fd342b7ed48811651941e0000000002000000000010660000000100002000000049d99fc6d41288b651a3f0b0b83be403d00b3b8abd19c636fe815160250a082e000000000e8000000002000020000000d5b0b2288d10208deaa6decada56766037ccd6621ccaf8362920516c067bba4b2000000087002ffab906bffd77a58f485da53aabdde16178d9e2b02c8eb2f8b3106a4a32400000008b17c42f39d9110f59feb175f618ed29503a3be04ffad645607797581e57e78e45b4443a2618e55b7bdfe6be3a064554a196d79030f24536f1935a25d7bbcd90	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376480183"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e8b7a7d703d901	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1092 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1092 iexplore.exe
1092 iexplore.exe
1944 IEXPLORE.EXE
1944 IEXPLORE.EXE
1944 IEXPLORE.EXE
1944 IEXPLORE.EXE

pid	process
1092	iexplore.exe

pid	process
1092	iexplore.exe
1092	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1092 wrote to memory of 1944	1092	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 1944	1092	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 1944	1092	iexplore.exe	IEXPLORE.EXE
PID 1092 wrote to memory of 1944	1092	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bafybeih6vtgmjz67sm64mteg7r2xblhbb27ej6xuwmbe7mdhqnplfsm36m.ipfs.w3s.link/ipfs/bafybeih6vtgmjz67sm64mteg7r2xblhbb27ej6xuwmbe7mdhqnplfsm36m/memzgeneral.html#user@domain.org
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e727a943e0815d5bf16a53bff53c0454

SHA1
f39eb90e5a8cf712bf182468109ecf0b92503e63

SHA256
27bc944b9b164457cfe740242bf5fe86dc04f554b524fe39e699ed82f56f29ba

SHA512
2afcbca7629ccb6fbb4dd4fd05240230f4ed5bb6c566663e1418deb351419f63f34e4810e2688bbb3f5d492a0d0ad3c9614665398a1deb2f770b6b3b6d6faf15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
317ef9f9a7e1c6a8eadbabf4a6e98678

SHA1
98d3cef5e7d6c48c1c6d49f182047976b95ab1d5

SHA256
261b7a194138b242b0ae3ded292482c5dde9cad412495da560f49754c97558b3

SHA512
96c5ef795fd9a3e42a4dc7152172a24100e66957a089a8379b01bcd46c178bb2ec284039ad9f0bc3cc5baaf0b3ccbd39b770300c52b4bfe30336f4d9a5673549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
Filesize
12KB

MD5
c3fe06b96d45e446ca297266494f6daa

SHA1
ad6717071f1c73d2efd6a627030178cc073d1a55

SHA256
2781a4ba7dc5204cb73d956d5b6fb9b52b325cf9722f1c6e89ca68ab48fa3956

SHA512
952987586fe6b8a10da5f093e2effcead81c670ff832d323c35ffd175d963d3d81856d42f9f96122192cf9daec2a4dab283d35106830b23774754643a73de441

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4SNSKYDM.txt
Filesize
608B

MD5
505b014e5b73f526504bb1e7a1996972

SHA1
68bc9bb4d384399bccbe5a9a5a0b448798e88235

SHA256
4031ef25c469a271dbf7d0893b50c15905b5f5cba489493437b4d4077e7020c2

SHA512
a573c1b2b597a425d4260d23ebc5d732bf70eb6000b0bf4136748a10127280dc999768443e729ade32b021d40947ac6b6f90698639a27d2e93ce1aa8a6537778

Download Submit

Resubmissions

Analysis

Sharing