hxxps://eastusr-notifyp[.]svc[.]ms/api/v2/tracking/method/Click?mi=YUOa93X6GkWT495LYbMkDg&tc=PrivacyStatement&cs1=e904d62807d7d8a08355e9a7a50afb8d836b2e5907b97e0fba743b3318254399&cs2=5bdf4fe521e4d0302e10dee4b668265dd585c394cc2a679eabf178a2bc8735d0&ru=https%3a%2f%2fprivacy[.]microsoft[.]com%2fprivacystatement%5c

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2023, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://eastusr-notifyp.svc.ms/api/v2/tracking/method/Click?mi=YUOa93X6GkWT495LYbMkDg&tc=PrivacyStatement&cs1=e904d62807d7d8a08355e9a7a50afb8d836b2e5907b97e0fba743b3318254399&cs2=5bdf4fe521e4d0302e10dee4b668265dd585c394cc2a679eabf178a2bc8735d0&ru=https%3a%2f%2fprivacy.microsoft.com%2fprivacystatement%5c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2311902047"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31008670"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c033d65c067458442b6fbaab4ebce00000000020000000000106600000001000020000000868d9a90d02778cc03b8fe7c2f7260d017e55deebed977c92e5cc5f83b09fc0f000000000e8000000002000020000000c2d41e5ee867cc3ecda887457000bf68850504e35a4f3e5ce325f3b8eb2b059f200000008d659f4255ed9d80ddf7033db9755ff2707df2d78e066301365f1d4057759f4740000000e32347cb025b52fb37a3691c6172acf55c0c214ed8e2a6e1f404aa096fb2394e529ee5d3b29fb1200894fef29d2a868b7e2d6c0b7fb594621a9691c0cd7c51aa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c033d65c067458442b6fbaab4ebce00000000020000000000106600000001000020000000fe2ab3e10444b1514d292420474e55497f23d68d096dd21e779fb30977562fb3000000000e8000000002000020000000f1e96ea98020e0703a38bd4a1cd36008b4ad8b7ac8f6efb3074686b1c3503c6020000000324ed4d1bf0b0445ba40bd033925388a3c2ba9fccd1280d2ad64e877a3e6bc2e400000001244297e21e0118e5fe08aada970479a6115ea29605147391349a2f43c049bb72ab71f34293c77e56fecf4fd72e79ee1c751239c8aeec16e88c2956969061baa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31008670"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0aa628d9e27d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B533D508-9391-11ED-89AC-E64E24383C5C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2311902047"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80bd758d9e27d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380413929"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1420	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1420	iexplore.exe
1420	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1620	1420	iexplore.exe	80
PID 1420 wrote to memory of 1620	1420	iexplore.exe	80
PID 1420 wrote to memory of 1620	1420	iexplore.exe	80

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://eastusr-notifyp.svc.ms/api/v2/tracking/method/Click?mi=YUOa93X6GkWT495LYbMkDg&tc=PrivacyStatement&cs1=e904d62807d7d8a08355e9a7a50afb8d836b2e5907b97e0fba743b3318254399&cs2=5bdf4fe521e4d0302e10dee4b668265dd585c394cc2a679eabf178a2bc8735d0&ru=https%3a%2f%2fprivacy.microsoft.com%2fprivacystatement%5c
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0a1ab72b82133a0c87c0a6149022e628

SHA1
60b207fac3528eb29800e3a5f63e20055c2be891

SHA256
4ec097e2cf4fdc41acefa791e3bcdcfd55ae9973d28c375572c357a654b43264

SHA512
a02f106bc7430b319d58015c11a616d760361e7a34d35afb8b6df215900a84feccdf63801d3c6f06d4ecc42021138580232581218a49cf47fe1835e82af52caa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ad856218c9c8fb8cf2ce31e3c2700881

SHA1
cfb3dfa6bc852430f6524e924a5f16b3bb08f63a

SHA256
163e420784bd23234fc8ae0e8bcb2916780d4fc3900591cc8a9c4fcebcdf5596

SHA512
ee0577bb26349cc4ed10655fb27caf9b8a66136136dcdcc2b4039a7c7621bc227cf274cdd6139b0a5bd513e2ffbdbb90eba515c15c79e4c1963feea9c02ceb90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat

Filesize
17KB

MD5
2411f1165ccb2311b589dc247c8b3570

SHA1
8f6bc3a736274d75285508723cea564f5ebff041

SHA256
5eefa981227c31edca313307c17860e34f136c157baa58809223080aa34c5eaf

SHA512
8ada5a930567afb67222466b8f151aaf3df29d690789632ae9305efa1b3ace812ec330396e5424f94c473e89002a22ad667b2cc1f1a6ac9c7d6f83aaa0e4a9fc

Download Submit