bfbf81e27e11025e5b090f813f6c28ea9f03ec247bd3fdf5acb82d97336ef683

General

Target

e4963436-be97-4aff-b3ea-b3735869c783.html
Size

312KB
MD5

75a1afe9efce8d010eb4015b4fecc15b
SHA1

1f20fd519fd1aba34c709cf6f71109b4ca4a75f3
SHA256

bfbf81e27e11025e5b090f813f6c28ea9f03ec247bd3fdf5acb82d97336ef683
SHA512

a448e304f80205f801c5b29ec5befa3c3e13c27603b3dc4e3347b0758c3e57780413a442ce6da6b64bc394aba87fcaadd3c6e840283a91ed5deb2c1ff5d306f5
SSDEEP

6144:vEvF6rfeQQDZT0ybB2oOY3wHbb5BGaSg2rsisHOSem3N/DkSf3Yx1VJSxt+ooYu/:Ms2QQDZYQhOwwHbb5RSprsisHOoAK3YX

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{77EB3091-7F40-11ED-B7B1-7ADD0904B6AC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "378180021"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0bbb44d4d13d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004788ed5ff02aab4db9a0d3cfe53b405e00000000020000000000106600000001000020000000803a7a0381be9552301603e15c390c52ec0dfdd92cffaa052b8eb85de4858f06000000000e8000000002000020000000b88e836652cd1f11c94009f18a58292dd886584c41e6049e8ed13a2ab550e88490000000c824044ab227abd40911d314852c3b7142f22f6f1e101a9e56d162c72dd9a194848dd259ab704ea4f4a43d194809271ce0ec102224e3c3e9d97b586384b126efecc5694798bb2a4a67a6f3041533603d547d4965af700871c1a5be5f1a41b6abd6223ec349e10569fe6ea0306db1877475d8359a34738c155a4280750bcab44656ec1e83d60078f940f7b0e5dbac4b0c40000000b51dc383047bc34eb878c68f8f5ef2ae21b394ab5d479ed8b7fb960fad1729ebca2b93c1fe1ebe16105ab35629173ece9990354bbd85eedf0c42b33ae6dac143	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004788ed5ff02aab4db9a0d3cfe53b405e000000000200000000001066000000010000200000001d184656c0131dd1a1ab9b30e2dc79d64bd11b7bc287e886f1dfa59a9cb5aed3000000000e800000000200002000000023b2c4d7ebfb9a420650a61256b56cd071cbae27b3b61a19f6de6f91e0a0f3992000000045775fb8227f22b006aa74e7f0c734e684eebe51be3d98c719091e412a0b905e40000000e4ac634e6319925387c85abf5ffb056df22f8b45d4f854c2fdf0a16ed5bd26d75b668e7c8a3a7cc634875ff46dc8aca76834e3dbc4192e3d1b9cae38b7e39f23	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1480 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1480 iexplore.exe
1480 iexplore.exe
1072 IEXPLORE.EXE
1072 IEXPLORE.EXE
1072 IEXPLORE.EXE
1072 IEXPLORE.EXE

pid	process
1480	iexplore.exe

pid	process
1480	iexplore.exe
1480	iexplore.exe
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1480 wrote to memory of 1072	1480	iexplore.exe	IEXPLORE.EXE
PID 1480 wrote to memory of 1072	1480	iexplore.exe	IEXPLORE.EXE
PID 1480 wrote to memory of 1072	1480	iexplore.exe	IEXPLORE.EXE
PID 1480 wrote to memory of 1072	1480	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\e4963436-be97-4aff-b3ea-b3735869c783.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HM9UFSH3.txt
Filesize
608B

MD5
6d281f0abe14a37c4fcea5398478a865

SHA1
4803291f5fa9a107ce78eece6cc974c01cae2216

SHA256
19e533d23a9a6454bb5eb2545a5f798ed77e3b4eeb818225fc35098ebd604a6b

SHA512
e6bd4675877bfb3c5ce23f6eb465a164884698eadd65a8735107316468c1960d868aa95d7ee90239de1c02a14f6022ce0f72e4505cc4bf76a2a1983caf02a464

Download Submit

Resubmissions

Analysis

Sharing