hxxp://k12[.]somerville[.]ma[.]us

Analysis

max time kernel
98s
max time network
138s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/01/2023, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://k12.somerville.ma.us

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0518bd1bd71da4388907fb50f246c380000000002000000000010660000000100002000000064e51ce317c6a5b73514b7ef80dd994e23dc1d0402402b20213f4b65ee6a3a62000000000e8000000002000020000000d7ab736ea345f0b2469cb11194b88723946fd92d0a0df3936032d42a217d048bb0010000a66b34c86a5735b2d3e65adbb933bea59d6ccc47ba1299decc0fde0f9c31a2bd53c6089fad9a3d0d511823840582664b6cc5b7ffdfa90892da3fb75f32be2790ad20c0cef68d87bb41f4a1f876ebaf945708e06b143fab34ab872f178038114cb887fedee3cd31e269e67eef02471d9b143187216917dc8688d0890fa3064fd3c10fe256a5652d019b853f29f1525e720989efd745cb88a575e06cf9a239b53d45c0162f20d007619e915a66293fc62556cec999077d832203147cec1362b0eaef36e82dbf575e31b55ac205f7cf44af0a54b8fd76b4ad254a9d1786bda982ea44003c84a9a277bf891c52b27e44375b34778828c5ca1e5aa4943eaa972697a9f2c697c19ae8ae7c62481c158a3b1bcc7ab35bd4b98e231d83e9ff60e53c99d12732a81209dc995fba41c11d2793254456847e1ab950c1ea0550d5257e5db844d2a5b4a33ca0e7c93469dcbb16e751b08b310adb0aaa65c8a538dcd71b81665b54c2e148861248b1df7c9dc942d45341fde565c181cace0a771a9a3e654ed39caccf843818915c36b17d84a54ce792c8a6e02ead555d5b48dbb14495f974fe90b5b97f46fe7d092e34a8d3f4c6e8bbe14000000007dcfc7704f50da288727a4500762ee3a644764e9d075bfce55052311a3f88e887079b9db1d6e3ea405f2c46b7850988104dfdd80d994d442e2dd05735f4cafc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{021AFB51-8E1A-11ED-BAA3-DE6E3020A1A7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50d183cd2622d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0518bd1bd71da4388907fb50f246c3800000000020000000000106600000001000020000000ae38e661ebf0bcba8d1f5418311d7ee744984909bfe9526cfb19c453fd2806e2000000000e80000000020000200000002522872ccc97901d2774224779a72a22468c8c4d578904d0250b855bb65296c7900000005e12dfff1c02b9af88c3711648bbacc73717a952b9636439b51afa38207a6d38cd5fed10d2d4c25e7e61d52d413bfe4836adc710978c165d41eca30f427accc6731177a1da98d5a48e1317323143b03f223730b6dc9f4e22a57b3b0cdf5a86634938d78bbc04d42d3a61138ea81468da8fbfe210f5ef63c02ddc443fcbf426563c234224f3fdee4c4294d5dc199039a04000000043d3eafe46b9f0225488b688a1d4428fa57a5065326ae7fdfdab81dee0bd3deff948c4696a9837248495a82e58ff37d6d069eafe01c991f27dfbb176a647fe5d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379812763"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0518bd1bd71da4388907fb50f246c3800000000020000000000106600000001000020000000714b22262c99b6b87e5cb01ca8bb79e63519e687f596cb830b997f32f42e2ca8000000000e80000000020000200000002b22fe11092395bb0ca7b226f996b2dded9c13423d1c48a712ca465115af6d32200000004df9b820f611f3a02ebaef76ffcc7c02c7310b8b39ff5d3d06a3b2f8bace89714000000024d9f603eb2dda56a95dda12f84aae8a1503e6846dc663e6dacaf4a8a65f7a5415223184ea834335d65912e7e8db906f79f36b70857f6d61670eb52e797b7811	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\CF6407607C2C00ADAF417D39432992549FB536D647 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0518bd1bd71da4388907fb50f246c3800000000020000000000106600000001000020000000cdfe4183a3e6eca4dec44035b5c44787902778589f6d36b2864572f899a7eeb8000000000e800000000200002000000076b414b160e2992a329b22dab681e568c3412b894fcab9ab303dd83bc3fdb5ea6000000060007b275ccdb09d9469b1cdc72285c73f57b95f7337fec79a66b27551f31568a385838de0694a4b077d145107b7cc1694d2823dfe9fd28d5d97051aa1e6cedfa649d25cb21e50983138e6ee729a8b4a3b5b9bc226e8f42f4b85b99758e644a84000000020bcf3a046772e671007d3ae1bfdb05ea739e2ac5f7139e211646d49a543185d21946134a2819cc086261b9b1a2f86618c944e911e14836636a8535e90c079ef	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1996	iexplore.exe
1996	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1996	iexplore.exe
1996	iexplore.exe
432	IEXPLORE.EXE
432	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
872	IEXPLORE.EXE
872	IEXPLORE.EXE
872	IEXPLORE.EXE
872	IEXPLORE.EXE
872	IEXPLORE.EXE
872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 432	1996	iexplore.exe	28
PID 1996 wrote to memory of 432	1996	iexplore.exe	28
PID 1996 wrote to memory of 432	1996	iexplore.exe	28
PID 1996 wrote to memory of 432	1996	iexplore.exe	28
PID 1996 wrote to memory of 872	1996	iexplore.exe	30
PID 1996 wrote to memory of 872	1996	iexplore.exe	30
PID 1996 wrote to memory of 872	1996	iexplore.exe	30
PID 1996 wrote to memory of 872	1996	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://k12.somerville.ma.us
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:432
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275467 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
361daf564b8895be317481b560334904

SHA1
3a06d40d4a7021e84d5b35ab07b67d18b76799dd

SHA256
5ca722a9badfdae2156bdb64d887c7e841117a24483f65b95373e520a5c8f70a

SHA512
4e118dade41d7c59056c6f00b6e498774277645925da2bcd9cde57125252b7087943f951d8fa303e7041e5a6f1a57f32cc562b8481dffa27f5eec30824a8cce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
12KB

MD5
d1b54d7f484a5a5ad4e35ecdde33da15

SHA1
a6f9937c93ea19d2844aad431d6d2a86941aec64

SHA256
633c2b0b640dced988bb56523ec7686206f3a743df63493fcf8ee57fd93196a5

SHA512
56adc699ab4860f214f49b1de00cdeee2eb1e189fe280d07e341cc189f2e89680736e05f4a59b28473b935331b59b6e7188e31445f0309a9f2e07f7cfa6f2c99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\05FCDO2R.txt

Filesize
108B

MD5
7db7d4b0ae047637adb7efe5e2cee560

SHA1
4e3af09367117440943cce6ff3a1d5753ecda5f6

SHA256
ec1cdb6716cdf60c1ce0fa0d868c30381ec9ff363e9c8e6407b8cee69b253534

SHA512
99a2e21aff1984ac593133dd8113a760e3314acc33d070b563675d5c434915a345be7ab7e7958aa1587694161cc419bfedbb4f36d573dcf7c4a53e1f02ab286b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6X6NER4S.txt

Filesize
93B

MD5
2f3775aaa68535dad70c8ac60f4e1dba

SHA1
262bb5a52feed76520d43c908886a895f4fc13c0

SHA256
08ae87f7028d75b2bf9c370918cf7aa0595d34c699aac46fa6cc6eab836a9f55

SHA512
7aada95dd53b587c48d1c1b36a0150b2a7d42fa07714ea7ce2a863f444d182bab4f619cc1384bbebbde6188e34171cfe7aa44835ff0cc4f9515bc61f454301b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BH4BKTH6.txt

Filesize
108B

MD5
34be609db71f57a2980676d05dff235e

SHA1
abfbc9c3447b006be18b79380db31a46e461262e

SHA256
7af9cacec2cadc831a369826068f149c429977ce0f89cc67a0bdfa59c501f710

SHA512
dbd3582c2fb322620dc73491ebfa725dd82529f978b7d61a2ca59accab43bd02320cb9de0ec032903394ae99b5ade58ac9e3fbe0d1acf4c566e7e2c35e2255f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EUA0WICR.txt

Filesize
608B

MD5
7a4f8bc1390468a8b9b30add39126889

SHA1
875b1c51774990a79878f31edbe3898812169567

SHA256
0f51b0b3acaed447d80b1e354337d0f67bae2fa8c750a2162ba64a803d348f48

SHA512
dd6938e1b63e6fe1b29228ac4930cc71bd67a3b42aadff514f226a1900e69946e30d5f874b4c194e65224b118763e905293f5214fe06d8e5ad4250dfd0955598

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M76EOZK9.txt

Filesize
93B

MD5
40907db32169d218916430fe4fbfc9fc

SHA1
7c5a99f623104548666b9992e5f5cb4ea14767b5

SHA256
a0b6ad75b6129f2f6bb6e1bfb0c13675df2843f802a13ff7c36139240d3e0820

SHA512
da50e72b89d9fe62ff92841b2f792417af9a9e22a89d0f7e4df70c430a5653f3af8f324ba85e4f51c603458eb3de0da407271432189bb8531114b12af9900682

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NY6J3TK7.txt

Filesize
108B

MD5
984d5ee0ba687afb0ade65dec29da6e2

SHA1
1e40408cb933f5936871e815378575f6ec3202cc

SHA256
f494b8894a472d55986b72059720a98a4cf701595da5aca38d77492ebf6a5c91

SHA512
c5dcd3e20278e2ac4a1795c93c55ba090202901720351c6d28dc837da4dd7d43c7b34c9be46e9269af44f97d9ba214c4b02d63a6db502e4d5c31d0bc7ea0c629

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UYUFLH24.txt

Filesize
93B

MD5
efc71116a3012a0d056b57f119197439

SHA1
ee3c7469b337ec397d17d115b5d451a704d46071

SHA256
c8a7093be380662167eb3eec85d0a74efaf23a7e9dab74367bd260cf25d35201

SHA512
52c006ee999f8f53c709dcbd585a78fdb2330a0293f34b7925549cb012204e75d265ec9c7d39e78edfeb7bf003ff72c845b8dff132972f51740c3b6504a2b76f

Download Submit