hxxp://www[.]golemcoin[.]net/signin

General

Target

http://www.golemcoin.net/signin

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e1c80ae104d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376594212"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32EDB411-70D4-11ED-8413-C22E595EE768} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a955a1b3b64640a3b9a41bf0721b8100000000020000000000106600000001000020000000056b05f505b5b1b8be186fcb9c1376863be8a1cab2b2336b47e560e69235bd0b000000000e80000000020000200000001e2d850d6e67b4999a326876db838f6185b04d3b9c30be6d589e1682726e0cbf2000000000c3674e7e2680a31b2d2ab3321890ddc4e5b8db93cd1f75289e009cfde53f764000000075dc98d5d289ceea0f9325abf31144a9dc2985b9c2636492966a44ef9f815400c07fe7c1c15d86dc7c495044448e71382bf292a9696ef6f71c3086e83329c945	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a955a1b3b64640a3b9a41bf0721b8100000000020000000000106600000001000020000000f6186d68feff6dd875b74edfef1ce126c687fd2e77600820672d73fc6f691a38000000000e800000000200002000000028df3a2379fd6371b4624e88ddf86c974c8a30e9dc7488f8e17b4a1ee45ef17890000000080ddcf17d00807da5f873c8c1b418a81d6b737ea6f4fe0b05470e7224e9139d05f08f323767233d832602ec89f5c4faf1cbcf90859d762e899cbab31a64fd3819941aebf095756a45b4a3699a7fdff73d170377d9976bc9924102b4628cedaf0eb2cacea0ba9ba1dda41acc44e47cfd055dfc797b83e3d010882c3db764d8cba72de92b07ee25204040e0cb98a9b7dd4000000003f705df6808d1895e813cbd3bf6299761ff3edf56761c285c70cd7cbd4b5bd87e474721f5f24f44405b851f5067b4d850901338a4b5bdd5d2c40bdfddc946a7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1912 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1912 iexplore.exe
1912 iexplore.exe
1684 IEXPLORE.EXE
1684 IEXPLORE.EXE
1684 IEXPLORE.EXE
1684 IEXPLORE.EXE

pid	process
1912	iexplore.exe

pid	process
1912	iexplore.exe
1912	iexplore.exe
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE
1684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1912 wrote to memory of 1684	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1684	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1684	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1684	1912	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.golemcoin.net/signin
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
d94988a091fb9f4c1d3ac7d59001deb5

SHA1
36b23f068a5502d09b296034b43c13ac49b4911d

SHA256
1c60c0f5735994530e6910fe543e9c5cae1e7c9b06a59ac1f956f878d9b6616e

SHA512
b4498c1f86c7b0039a52352dcba3878afa935c1167fdde4a535177e747e2ae3367c5d43ef7ddd44a2b78695abde6a8fc774e36d74298d64b8e00889d09fd8dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
Filesize
6KB

MD5
87bf65c46cc3818e78177044049c013c

SHA1
938c229e35852ae704ef8bcbdec9ff02dad59c7e

SHA256
416e67870f21f787c7ef28a85c3fac6e15374c07b279aa611cbac9401669c46c

SHA512
873c3ec4caf8c48f8e397f3bfab37baae0d56da9e6e7228d72fb28f9df005c051fd412432b19e78503e93426c71f15c098b34a8a003eef45f77a27fe11726f6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S8E3COZ0.txt
Filesize
603B

MD5
4d9e7e636698c208b634aa9e7b3b81f8

SHA1
f1f7bc82ae3413d67da94e7c850da876bcabd8b5

SHA256
4179d2f69329d61c58999a5477682652ee08540341abe7a3af66887c1be26cc6

SHA512
272c9490971038d699d207c214100f7c270796708a3bfab47fb41e0819643c3fe2e361442b973c6d7719d3f7bc40ce2c900d9dc4b280584951d00103d6965523

Download Submit

Resubmissions

Analysis

Sharing