82f8ec67c617b5042a043ec65e1c1e012f257b31c5cb2d78f118b9522f0f0f23

General

Target

manager3689.html
Size

10KB
MD5

a91b98ab5d77719c32f68b2c5318bf5e
SHA1

183efa07da2dcc33bac05abe29bf45815b11e049
SHA256

82f8ec67c617b5042a043ec65e1c1e012f257b31c5cb2d78f118b9522f0f0f23
SHA512

daee74c7d180534076833bb4eb368cdae77642e2b6cd242f3b253fddf107def58b316089db5ba9c9e9b52599f925e295d8cafdf39c2853eef02f06e626edb5a8
SSDEEP

192:TozOEO5S+i6FSqugxu6Rnigni6U3qV0OKPGdCOuCbO:TyOEO5SOtVHPOqVbesCOJO

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381414362"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05829CE1-9CAB-11ED-BF27-66397CAA4A34} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001040e719def1e5468523700ce17dbd4f00000000020000000000106600000001000020000000e38aa5c94c020b0f3a91ddd1033430d0dbfeb5863054af6c903e7b941e6fb071000000000e8000000002000020000000558024578a0e5f29362eadab84efca18d1fb81352db498df8b18b800e6940f542000000053d063307d4806a6addb1d4b04361993eeaaa4d9df80741b51514fe504118da740000000c9cc3cc43135f473e9b6f32a8b5ce08f59fe87ba6460d97b50292d7862e0459e8d5b7e9d7928f71fd408d91bba24023183d3657da95dc24607f25b0cd01e29d2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001040e719def1e5468523700ce17dbd4f00000000020000000000106600000001000020000000a4c3a0b1094fbb4787d2c555ce7d11e5e7af16677b71b5841f1762838410648c000000000e8000000002000020000000372632a121d8a5de9734dc75441e249ac4a568fdf7513906d942a1a65d1feaed9000000044fb209ce8ed0132472bec4e7ba99a9ba666bcf61ee63062f2223eba12831dcdfeed4e2a22b41b63f6b5044fe9576e1feb8131f20c969930c80c6b7d52b4d3ce61288dee9dea01c1fb429000bd5393c4dd25db927b3b5242291bf4c665b2f69f92c85715d4130ce9fff62d9acf7c0b58bfc095c371eb2df7bce04a126b43ec147fafd58fe1eb3463f7ffccfd6a3927eb400000007df3e7a0667aae80d37c51573005274b23078c8dcd8646bcc1f1fd070f9cd5ec053d99a717cac7b83e81e0104ef685334596b594d81b5aef2410d35ba023d86c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7027eddfb730d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1404 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1404 iexplore.exe
1404 iexplore.exe
1508 IEXPLORE.EXE
1508 IEXPLORE.EXE
1508 IEXPLORE.EXE
1508 IEXPLORE.EXE

pid	process
1404	iexplore.exe

pid	process
1404	iexplore.exe
1404	iexplore.exe
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1404 wrote to memory of 1508	1404	iexplore.exe	IEXPLORE.EXE
PID 1404 wrote to memory of 1508	1404	iexplore.exe	IEXPLORE.EXE
PID 1404 wrote to memory of 1508	1404	iexplore.exe	IEXPLORE.EXE
PID 1404 wrote to memory of 1508	1404	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\manager3689.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
cec9fa67ced1f3c93b3f63ba1c38dd32

SHA1
e22a5844d6aebec583eaca51c5dc3b86d627cbce

SHA256
8fa8013203d8911c8dac90c4b2d901fba2c9b24cae8264b55ef46c4a292875ca

SHA512
d1de1b15cb74ed5f64f6f39dbd7257ff9029d5f4ea14068cad1013a8bba459347823dc62660cdcda831ed78cf39eded38752b58c900eb11a5ed8f865db87855e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UQWE9T49.txt
Filesize
607B

MD5
50fb4b94a18059b55fa7e620bb4fbb47

SHA1
94e6e00e1786708ca5207c9b929323bb2646b86d

SHA256
3205fecddddbb35f792c211df26655d71914a7d4a8441069041fd2aad684e68d

SHA512
d3cf76b0b35579318a57a5cdbc837b7083dd45e6217095e0d226c7836458fa6a43e6027c3db6b517cf8c674f8f2b0d146b8eeff3f99e0fe4e7ce59e53cad946a

Download Submit

Analysis

Sharing