hxxps://woffu[.]my[.]salesforce[.]com/servlet/servlet[.]ImageServer?oid=00D1r000000drJu&esid=0189N000000hGCQ&from=ext

General

Target

https://woffu.my.salesforce.com/servlet/servlet.ImageServer?oid=00D1r000000drJu&esid=0189N000000hGCQ&from=ext

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000031d320a7e8f8f84ba4a888086cf5fbc1000000000200000000001066000000010000200000000df064a439cfc621ce7b4d5857796c40e3468bd49fd7ec192a92d7a69827c4ce000000000e800000000200002000000022fbc44158219d35b770516784ac3b20470a6af3be7b32d3613951c5c3b474c9200000001f1934a29b014c6e45a84201f83d023ef094a216ba34094f472ea6234a5e25ec40000000848bc8be24f4e50ea1cf69b6a0c5139fae95ffa1875bb7bb65c97da778b288f05acf9d0e118ae02ec4b3a5061c0f5f622c8503ac293ab5a50f193e727410ace6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381409543"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CD274771-9C9F-11ED-A645-626C2AE6DC56} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f01f3aa8ac30d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000031d320a7e8f8f84ba4a888086cf5fbc1000000000200000000001066000000010000200000005a91b3a79beaf762a977b6fc620ed2ba83f1b842a15c4949e59b304bf6ad1437000000000e80000000020000200000009f9701fb1c6a16a785c06de7b0d4f037b4aa1c165dfcd5ba602e13a07504e9af900000002bb5c33beb60d55c2b082d83ce9721f9340a4d93a04a5ce3adf11bc2a3c848cfa08c031a729043b42a9e93cf34075bb711ac00eac33c5c9b499ee43507c6618a6c110462dfa0daf5d61246c7f1d16fbe79785941b3eecd5ea3cf233317e3acc77f46fe5910728c80f7f12de1fe7d1bf1b66d8c040607337da72d04a8afa20b5c8b28584b04cd60b9b41f8e2dc32b17ad40000000e9a5d7d6c6d6eb05b4bd04e6acc986349682cceac2363dc11d9bc9e91d096306a720c3bf4537a48c024ab77834f5bb69c38e5561bec635c46c82bbaa594571cc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1400 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1400 iexplore.exe
1400 iexplore.exe
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE

pid	process
1400	iexplore.exe

pid	process
1400	iexplore.exe
1400	iexplore.exe
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1400 wrote to memory of 1960	1400	iexplore.exe	IEXPLORE.EXE
PID 1400 wrote to memory of 1960	1400	iexplore.exe	IEXPLORE.EXE
PID 1400 wrote to memory of 1960	1400	iexplore.exe	IEXPLORE.EXE
PID 1400 wrote to memory of 1960	1400	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://woffu.my.salesforce.com/servlet/servlet.ImageServer?oid=00D1r000000drJu&esid=0189N000000hGCQ&from=ext
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
63df8329fc803ddc7e789e557dee8a98

SHA1
becf2f294e832ebc05d70a3152e74f5a8111105c

SHA256
bbddcae12a2b0c57dbde9d9287d98b193e791e5b3bdcdf8aae7fc6a819195829

SHA512
f8c6be266152d04ecd2d604e3c26231b90feb01d55697ad3df7f57556ff26c0e80fa04cf628a9c73245b36035913552ba724fe05abe1054f242a5c175e8928e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
Filesize
9KB

MD5
4c96fe8f55cf73411b6c9a36d3781606

SHA1
8683c20f926c9909cc5eca5ce70e5a88ff345378

SHA256
e6eb83a6524f29d880d2bd20765c9e29156606183fcd43a050de140827add1cb

SHA512
825277846cbf94b87a3dd10b380e81740642df02e6af9c13c3dc1cf27e2e726e7b74c26cc3df17b0998931a17e6171bd9b59ade5852499defa94dba6e642476f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RWAOC5DK.txt
Filesize
608B

MD5
00b328dc64927914f5c64da4cbbd6b41

SHA1
491920f20c21e4615ae2635b582a6cc3b5eaea85

SHA256
6de729f349dd9841b4ca5384bd037f9500d06a287763fbfb6158a72745c37e94

SHA512
ad570f537dc705be852deceb5bd9fd204bcd04389fbc9b177e437e42307ef533642f31851ce0b39e8749696a537a43cc8eda671c856d8b58890bba1717095a5e

Download Submit

Analysis

Sharing