hxxps://doubleclick[.]net/aclk?sa=l&ai=CiX22MRm0Y9DdM-SKtOUPv7yaEPzWzaNu9d-tquAQsdH93wUQASDYzIslYMnG5ozkpMAToAGhwJjxKMgBCagDAcgDmwSqBNkBT9Dp5t8dWcQBlDe4d5dh20Ul04HCVoWXJs61oFFltikQj1oSykzI_2FRdQ-aNO1l72ro2jsCE2yw-H9VNL6ejR2MTzCVYRzlkT4m-lH-lKLYJc-40_k09zJygDo9cg6ttq9d6p9Rl1y3YRMzN_X1Y5r2iwXtqVDqraIv-Dm9G5cwiKW8-2-AykaZyrhRUx1pQzQOjAAHVnlLGbeg2XtJtyFKBQW-OTBhMXoGAUVgm-kv4n-qPNZoctr8Vg2iBj8VkFG1HErFttzbK-GzH2tmRD3GvmMMD8HMRMAEjMrq-JoE-gUGCCUQARgAoAYugAeX1eLRA6gHjs4bqAeT2BuoB-6WsQKoB_6esQKoB6SjsQKoB6a-G6gHmgaoB_PRG6gHltgbqAeqm7ECqAf_nrECqAffn7EC2AcAwAgB0ggPCIBhEAEYADICigI6AoBA8ggNYmlkZGVyLTIzNDM0OIAKBJALA5gLAcgLAYAMAbgMAdgTDNAVAfgWAYAXAQ&ae=1&num=1&pr=2[:]0[.]44428&cid=CAQSGwDq26N9g7lUMdFJS8QkE1M0Zob561A2eQ3rfhgBIAo&sig=AOD64_3tAF0qW-0ZWDDg68iZ2Tziw4fTGA&client=ca-pub-2399441271239169&nb=9&adurl=https%3a%2f%2fdsedocx[.]firebaseapp[.]com%2FslF4zF4za51h0h3vi0h3nF4zd07r9s0h3nW1

General

Target

https://doubleclick.net/aclk?sa=l&ai=CiX22MRm0Y9DdM-SKtOUPv7yaEPzWzaNu9d-tquAQsdH93wUQASDYzIslYMnG5ozkpMAToAGhwJjxKMgBCagDAcgDmwSqBNkBT9Dp5t8dWcQBlDe4d5dh20Ul04HCVoWXJs61oFFltikQj1oSykzI_2FRdQ-aNO1l72ro2jsCE2yw-H9VNL6ejR2MTzCVYRzlkT4m-lH-lKLYJc-40_k09zJygDo9cg6ttq9d6p9Rl1y3YRMzN_X1Y5r2iwXtqVDqraIv-Dm9G5cwiKW8-2-AykaZyrhRUx1pQzQOjAAHVnlLGbeg2XtJtyFKBQW-OTBhMXoGAUVgm-kv4n-qPNZoctr8Vg2iBj8VkFG1HErFttzbK-GzH2tmRD3GvmMMD8HMRMAEjMrq-JoE-gUGCCUQARgAoAYugAeX1eLRA6gHjs4bqAeT2BuoB-6WsQKoB_6esQKoB6SjsQKoB6a-G6gHmgaoB_PRG6gHltgbqAeqm7ECqAf_nrECqAffn7EC2AcAwAgB0ggPCIBhEAEYADICigI6AoBA8ggNYmlkZGVyLTIzNDM0OIAKBJALA5gLAcgLAYAMAbgMAdgTDNAVAfgWAYAXAQ&ae=1&num=1&pr=2:0.44428&cid=CAQSGwDq26N9g7lUMdFJS8QkE1M0Zob561A2eQ3rfhgBIAo&sig=AOD64_3tAF0qW-0ZWDDg68iZ2Tziw4fTGA&client=ca-pub-2399441271239169&nb=9&adurl=https%3a%2f%2fdsedocx.firebaseapp.com%2FslF4zF4za51h0h3vi0h3nF4zd07r9s0h3nW1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000063f82482b9d2cecce61c1b3de99539bc78a8f5601c029e272c3aae114bd258e5000000000e8000000002000020000000df376ffb4f827e064bc50032ce5c06dab4fbb0d13711314f2a7c342257eab9ad90000000f036d2bf526c059ca1700a917facf44a955d52ae465d080d662186d9f4f5e7502eabf7db3ea77b9e7990fc252ea345f487c577efeb6b1d0d8d0d27a73d6604c2f53f29c34799368686ca38f212feb8e144d8b7ada41b6a14e12235862ac4143d3ebdec0e1f116821159ae31d2a97fa5e0196c33204081db4f79d07badd3fcac775c48fc90a7de89fa58b1f33d23ced5440000000a503dfea6277939dff18e72850104c264aa9697e5c8a87d3bc69333a8183c2142e7867c6e97ddd65ee836b6ae4ba5ef0db2826d8ecb3dc07659b9756fffc7ae9	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5C3AF41-A0A2-11ED-A4E1-5E5304B417C2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e18690af34d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000015486df1f6e27a720db9a3abfec3ab2ca46220513aa1df27e440824823c4b5bc000000000e8000000002000020000000fa1ee95cd4d367f5a14fb9035fbc5897220425d9c4a386fa1e15ec2b035a099b20000000d3b3af02c9df1a60de2aec4cf07bc3f699e4f01d24a377d5e91826ef58d7c2c9400000000a3d240543dc4f2fbf993de2a4edb210b25cd42b59a90f262270135c3bbd5ae3dc273b1cfc600e8586b8b81e3adb812ba28dde1953759793ae58bd2a52763a23	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381850597"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1244 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1244 iexplore.exe
1244 iexplore.exe
668 IEXPLORE.EXE
668 IEXPLORE.EXE
668 IEXPLORE.EXE
668 IEXPLORE.EXE

pid	process
1244	iexplore.exe

pid	process
1244	iexplore.exe
1244	iexplore.exe
668	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1244 wrote to memory of 668	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 668	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 668	1244	iexplore.exe	IEXPLORE.EXE
PID 1244 wrote to memory of 668	1244	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://doubleclick.net/aclk?sa=l&ai=CiX22MRm0Y9DdM-SKtOUPv7yaEPzWzaNu9d-tquAQsdH93wUQASDYzIslYMnG5ozkpMAToAGhwJjxKMgBCagDAcgDmwSqBNkBT9Dp5t8dWcQBlDe4d5dh20Ul04HCVoWXJs61oFFltikQj1oSykzI_2FRdQ-aNO1l72ro2jsCE2yw-H9VNL6ejR2MTzCVYRzlkT4m-lH-lKLYJc-40_k09zJygDo9cg6ttq9d6p9Rl1y3YRMzN_X1Y5r2iwXtqVDqraIv-Dm9G5cwiKW8-2-AykaZyrhRUx1pQzQOjAAHVnlLGbeg2XtJtyFKBQW-OTBhMXoGAUVgm-kv4n-qPNZoctr8Vg2iBj8VkFG1HErFttzbK-GzH2tmRD3GvmMMD8HMRMAEjMrq-JoE-gUGCCUQARgAoAYugAeX1eLRA6gHjs4bqAeT2BuoB-6WsQKoB_6esQKoB6SjsQKoB6a-G6gHmgaoB_PRG6gHltgbqAeqm7ECqAf_nrECqAffn7EC2AcAwAgB0ggPCIBhEAEYADICigI6AoBA8ggNYmlkZGVyLTIzNDM0OIAKBJALA5gLAcgLAYAMAbgMAdgTDNAVAfgWAYAXAQ&ae=1&num=1&pr=2:0.44428&cid=CAQSGwDq26N9g7lUMdFJS8QkE1M0Zob561A2eQ3rfhgBIAo&sig=AOD64_3tAF0qW-0ZWDDg68iZ2Tziw4fTGA&client=ca-pub-2399441271239169&nb=9&adurl=https%3a%2f%2fdsedocx.firebaseapp.com%2FslF4zF4za51h0h3vi0h3nF4zd07r9s0h3nW1
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
93358b8254e542affb91f1929314c884

SHA1
e8e8e85dc98374ff60324819669d70f355958457

SHA256
ccc068585f2139073e435c742c843503232df8c7b57c4f8ecdfd1d6d302fe038

SHA512
404e5b7580f32eb326cd504ffb9ce59b5a25c1c29d47bcb6545ed62a7159234c4ef739d86e4c114cbbf3157714ef81e7554a1fc299f9fb8bc1305db4968366d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BK0Y6MVD.txt
Filesize
608B

MD5
5ab0a61e72781bf08eb46bbf50220eee

SHA1
9972ddc53f137b8a151ebe6a0ebb83fb4ad38931

SHA256
709f18a4de1250fd9afa570d31efe4adb4c5509d3b22145b910c90a0d149a13e

SHA512
c298bd628cd3c1930cbd495b9305faeb342fe530d4cde761647473aa939d8168655c7cce389898bb84bfa121204cd87123abdff9e2a4481b1ea8c16697970e5c

Download Submit

Analysis

Sharing