hxxp://www[.]dosefraction[.]shop/lcnlag/qkxbxw2962aasraxdr/p6qqrcvwxks-wtx2pr3tq6t9aqfhswt5yvc3rfuzfdq/ahbvmzmufbwkflaqauhdulxm9fh5otjrbwtvtzgloro826gfgnlcll5gxt4uxfomwnw0fzfetp6sv5haqqnooqiovcc%5f%5fbt%5f5v6k8ndrwepraf8v9egvtvrvzvdwbxlfby9c%5fjs0mvhd32bdc-r6ha

General

Target

http://www.dosefraction.shop/lcnlag/qkxbxw2962aasraxdr/p6qqrcvwxks-wtx2pr3tq6t9aqfhswt5yvc3rfuzfdq/ahbvmzmufbwkflaqauhdulxm9fh5otjrbwtvtzgloro826gfgnlcll5gxt4uxfomwnw0fzfetp6sv5haqqnooqiovcc%5f%5fbt%5f5v6k8ndrwepraf8v9egvtvrvzvdwbxlfby9c%5fjs0mvhd32bdc-r6ha

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31010992"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a21ddbb030d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0210DC1C-9CA4-11ED-AECB-F22D08015D11} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31010992"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381411352"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3601939187"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31010992"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3635848149"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3601939187"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006d2c5dd5e1c090458e60c3de9c1dacd8000000000200000000001066000000010000200000007848ca78a1a122691bf6f7564ff4d77180fc83f22312c495d640b28a3cf69e48000000000e800000000200002000000056e5daf484e54b7626443c8508077901019da5ec75e8152de4cfaeb600712d882000000068b02a0666738ca9d301f833015f526a05fdf54a7ca3666218b9726b0be07f134000000029e48c0c2aa9951835daeef7a212da12dee2a933938e489b6b046ea1226bf9d3a2ff4c305f07bd8fb247eddcfb3b77e1a091eeb64e771d6d6f0fc28a6eeb4ace	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 706303dbb030d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006d2c5dd5e1c090458e60c3de9c1dacd800000000020000000000106600000001000020000000578288853517ccaa295af4bbf4a07f60c1f2ffcf708d802623b88fde22756a92000000000e80000000020000200000000e145fc5932f615b52fb6d764bb985c77c94d604eaffe460d47bde3ab995ba21200000005e2e6ec3591c2752fdf12ca7cada8211deaedb2d1f4c5f129e1881441bb3d48b4000000089667603b346c872e5c0d4ea1cd38aaab125d568079c6500635166ee379e2f0ad8f21a2ea8d7bb00c20a6c3184b5ef94dbbc971400215034402dafb88b94ea6e	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1400 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1400 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1400 iexplore.exe
1400 iexplore.exe
1360 IEXPLORE.EXE
1360 IEXPLORE.EXE
1360 IEXPLORE.EXE
1360 IEXPLORE.EXE

pid	process
1400	iexplore.exe

pid	process
1400	iexplore.exe

pid	process
1400	iexplore.exe
1400	iexplore.exe
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1400 wrote to memory of 1360	1400	iexplore.exe	IEXPLORE.EXE
PID 1400 wrote to memory of 1360	1400	iexplore.exe	IEXPLORE.EXE
PID 1400 wrote to memory of 1360	1400	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dosefraction.shop/lcnlag/qkxbxw2962aasraxdr/p6qqrcvwxks-wtx2pr3tq6t9aqfhswt5yvc3rfuzfdq/ahbvmzmufbwkflaqauhdulxm9fh5otjrbwtvtzgloro826gfgnlcll5gxt4uxfomwnw0fzfetp6sv5haqqnooqiovcc%5f%5fbt%5f5v6k8ndrwepraf8v9egvtvrvzvdwbxlfby9c%5fjs0mvhd32bdc-r6ha
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
b011d2725e33c0bae4cc6110f1228caa

SHA1
98595cb1500ab32b457063d29a60a8ae5496b49b

SHA256
cfb146a5a70caac0842df76ab5cffbb524b9964c4a4250473189d053f24ea9ae

SHA512
60e98f54414f8e14185dd66570b6f4e1cee6471648b700391e59042249e9546d9baa19a6dd0c0b6b8ea17e1eb4059303b7a584507624d0634a50d957af21bfc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
e91cbbfdceec7a5ae667ae7fe3ce4c42

SHA1
1641c9c3e95183ac5b83c5e61a5731057bdc92d4

SHA256
ea5510644593c63e6f3e9f95795dc79c9cfcba4bd5705bbad3d4fe57a8be533c

SHA512
1a69adf0a816866578bc9c2531bbea380198bf366c34c2b9fdc178eb3df2483e49a8bec7d3ae3122012990e971f32be947c03fdd44bf78ca383ee9ef76634ecd

Download Submit

Analysis

Sharing