Analysis
-
max time kernel
86s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
13/01/2023, 18:00 UTC
General
-
Target
Payroll Services.htm
-
Size
327KB
-
MD5
b68d5a976eb8cc1375172e3e6b53d3c2
-
SHA1
cb68ff6d3ef4ce7eba7a4f0abf14344eb085c253
-
SHA256
66c02b0538caffacc125c87d0eb0d5f6a41e85dfb74d7fcb9ba495abfe83c897
-
SHA512
99a2c4c5c7390b718f72691af5c35d0f57ea172e25a3e8c04ed3274d00822d0958fab6b63fdd39288695c2dcff8d98815e0e791c91e2b3ce46949d5240b4516a
-
SSDEEP
6144:fwy3QJhNJSWwlit7jNthG3haJymB4ve8DHsRm:fwyARUDlit7jNthG3haJymB4ve8DMRm
Score
1/10
Malware Config
Signatures
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Payroll Services.htm"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1248 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
-
DNScdnjs.cloudflare.comRemote address:8.8.8.8:53Requestcdnjs.cloudflare.comIN AResponsecdnjs.cloudflare.comIN A104.17.25.14cdnjs.cloudflare.comIN A104.17.24.14 -
DNScode.jquery.comRemote address:8.8.8.8:53Requestcode.jquery.comIN AResponsecode.jquery.comIN CNAMEcds.s5x3j6q5.hwcdn.netcds.s5x3j6q5.hwcdn.netIN A69.16.175.42cds.s5x3j6q5.hwcdn.netIN A69.16.175.10
-
DNSajax.googleapis.comRemote address:8.8.8.8:53Requestajax.googleapis.comIN AResponseajax.googleapis.comIN A172.217.168.202
-
DNSi.ibb.coRemote address:8.8.8.8:53Requesti.ibb.coIN AResponsei.ibb.coIN A172.96.160.127i.ibb.coIN A172.96.160.222i.ibb.coIN A172.96.160.210i.ibb.coIN A104.194.8.120i.ibb.coIN A172.96.161.50i.ibb.coIN A172.96.160.210i.ibb.coIN A172.96.161.50i.ibb.coIN A172.96.160.222i.ibb.coIN A104.194.8.120
-
GEThttps://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.jsRemote address:104.17.25.14:443RequestGET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cdnjs.cloudflare.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Jan 2023 18:00:55 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 6908
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=30672000
Content-Encoding: gzip
ETag: "5eb03fa9-4af4"
Last-Modified: Mon, 04 May 2020 16:15:37 GMT
cf-cdnjs-via: cfworker/kv
Cross-Origin-Resource-Policy: cross-origin
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
CF-Cache-Status: HIT
Age: 695236
Expires: Wed, 03 Jan 2024 18:00:55 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BrdGvU1RgWiPgnPDXzipYVL8FhQdfPkaAywA%2BIJZ87NCtet7Igdl1wY5XrtcGy4XywEiv%2BuREpnliglIhhxLuJaVSQfer%2BzidlyuMizJ8Edfv4d3knX0hLA6tsCuqA99%2B7T20OEI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=15780000
Server: cloudflare
CF-RAY: 789008c4fa430a61-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
GEThttps://code.jquery.com/jquery-3.3.1.jsRemote address:69.16.175.42:443RequestGET /jquery-3.3.1.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: code.jquery.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Jan 2023 18:00:55 GMT
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 80268
Content-Type: application/javascript; charset=utf-8
Last-Modified: Fri, 20 Aug 2021 17:47:53 GMT
Accept-Ranges: bytes
Server: nginx
ETag: W/"611feac9-42587"
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
X-HW: 1673632854.dop008.am5.t,1673632855.cds209.am5.shn,1673632855.dop008.am5.t,1673632855.cds146.am5.c
-
GEThttps://code.jquery.com/jquery-3.1.1.min.jsRemote address:69.16.175.42:443RequestGET /jquery-3.1.1.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: code.jquery.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Fri, 13 Jan 2023 18:00:55 GMT
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 30070
Content-Type: application/javascript; charset=utf-8
Last-Modified: Wed, 16 Feb 2022 10:50:39 GMT
Accept-Ranges: bytes
Server: nginx
ETag: W/"620cd6ff-152b5"
Cache-Control: max-age=315360000
Cache-Control: public
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
X-HW: 1673632854.dop124.am5.t,1673632855.cds109.am5.shn,1673632855.cds109.am5.c
-
GEThttps://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.jsRemote address:172.217.168.202:443RequestGET /ajax/libs/jquery/2.2.4/jquery.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ajax.googleapis.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/hosted-libraries-pushers
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="hosted-libraries-pushers"
Report-To: {"group":"hosted-libraries-pushers","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers"}]}
Timing-Allow-Origin: *
Content-Length: 30028
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 12 Jan 2023 18:12:05 GMT
Expires: Fri, 12 Jan 2024 18:12:05 GMT
Cache-Control: public, max-age=31536000, stale-while-revalidate=2592000
Last-Modified: Tue, 03 Mar 2020 19:15:00 GMT
Content-Type: text/javascript; charset=UTF-8
Age: 85730
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
-
DNSwww.microsoft.comRemote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A173.223.113.131
-
104.17.25.14:443https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.jstls, http
HTTP Request
GET https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.jsHTTP Response
200 -
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
104.17.25.14:443cdnjs.cloudflare.comtls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
69.16.175.42:443https://code.jquery.com/jquery-3.3.1.jstls, http
HTTP Request
GET https://code.jquery.com/jquery-3.3.1.jsHTTP Response
200 -
69.16.175.42:443https://code.jquery.com/jquery-3.1.1.min.jstls, http
HTTP Request
GET https://code.jquery.com/jquery-3.1.1.min.jsHTTP Response
200 -
172.96.160.127:443i.ibb.cotls
-
172.217.168.202:443https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.jstls, http
HTTP Request
GET https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.jsHTTP Response
200 -
172.217.168.202:443ajax.googleapis.comtls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.co
-
172.96.160.127:443i.ibb.cotls
-
172.96.160.127:443i.ibb.co
-
204.79.197.200:443ieonline.microsoft.comtls
-
8.8.8.8:53cdnjs.cloudflare.comdns
DNS Request
cdnjs.cloudflare.com
DNS Response
104.17.25.14104.17.24.14
-
8.8.8.8:53code.jquery.comdns
DNS Request
code.jquery.com
DNS Response
69.16.175.4269.16.175.10
-
8.8.8.8:53ajax.googleapis.comdns
DNS Request
ajax.googleapis.com
DNS Response
172.217.168.202
-
8.8.8.8:53i.ibb.codns
DNS Request
i.ibb.co
DNS Response
172.96.160.127172.96.160.222172.96.160.210104.194.8.120172.96.161.50172.96.160.210172.96.161.50172.96.160.222104.194.8.120
-
8.8.8.8:53www.microsoft.comdns
DNS Request
www.microsoft.com
DNS Response
173.223.113.131
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
342B
MD5998ba6de0e2beb18e84e548e7b4fd326
SHA1067fb916adee338bcbf1042222e9372a8b41469e
SHA256ed121a9ce66078f15cd919ec8add95bbdba927814a74fba681d6e46abcd47844
SHA512534ffb7f22fd76043855e184d19773e5b10536964e8d60761b3472975831624b96cf384077be45dafcde605e572f879ca5aa5f6d0c7f488fc44106ddbfa55af2
-
Filesize
608B
MD5256e4652eb350e9b5dcc60cad4f54590
SHA1d8955cb2e088bad2c741a8bc100c5fca329ce3fd
SHA256c61a268c765f14fd01859274856feda3ef6509aa021e6a396543e8d84aee0c3e
SHA51294a147502937962a2304bd1f1d94f2ca10e14848c5aa2e658f0e3ef844a853c8842cb59b39705bd3f0e2655ea5d9b3457349a287426798d606959b1dbafaf833