hxxp://us[.]content[.]exclaimer[.]net/?url=hxxps://boglebuilders[.]com[//]opp/oppp/Impact-handling/matthew[.]hawkins@impact-handling[.]com

General

Target

http://us.content.exclaimer.net/?url=https://boglebuilders.com//opp/oppp/Impact-handling/matthew.hawkins@impact-handling.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000037b83d240c2f43a345a7b4b0c9ca9600000000020000000000106600000001000020000000a74a643ccedb072b9322d3d76743f037344b9c364557fc4a35452c4d81b79dda000000000e80000000020000200000007ee52e2f47699f5b9d887b35407caa6b1fa4272f8cb7fa4a753e65e457e7f8b92000000032bbb6af7efb7bce0f88306228e7c5d2a913c3a685b87341a39bcb92b8a23aa740000000586aa0be659f5ceec6db124c32a57ce5c262b18e02396d8c9659677497b9abf40bac0c23982e8d8f52d0ff9ff0869f7c35b87b84187024814d6bff6d683a72e5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000037b83d240c2f43a345a7b4b0c9ca96000000000200000000001066000000010000200000008cf4cf24ca3e8b52514d36a314a098e099d33b08412becb9f46c24b8f86d8399000000000e8000000002000020000000a540e797831c36768e5f51b77b414754cc3f9997e32451ed62e96df457d691a590000000e934c71d9daa0d57f807eacd3a4e5ae7df6482cfef534bc768517c846040b7e47742b8230a6cc785135da666b29bc4c35df6a4fc5b98562f2e8e92451356db72f339177a3fae5c4c1a0235db39dba2364cf2a0fba7d5fb23abde9b386b6c3e48f3aa66fda3fe98080a24ea22e42d493e75241d02229ce8fd28a860f4ecdcce46f3a36769231a511ead60893a9189ae70400000008a88ad0515e474c12f397cc65cf2873083b20d7e1dcec93357df0154c6b5b4aa06c0e89dd5bd12fcb1455af7cc05f9f5c560d7585a496b746ffc65dc1f557c65	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70feff956a3dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E424DA1-A95D-11ED-84FB-6AB3F8C7EA51} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382810468"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1532 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1532 iexplore.exe
1532 iexplore.exe
944 IEXPLORE.EXE
944 IEXPLORE.EXE
944 IEXPLORE.EXE
944 IEXPLORE.EXE

pid	process
1532	iexplore.exe

pid	process
1532	iexplore.exe
1532	iexplore.exe
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1532 wrote to memory of 944	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 944	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 944	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 944	1532	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://us.content.exclaimer.net/?url=https://boglebuilders.com//opp/oppp/Impact-handling/matthew.hawkins@impact-handling.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
Filesize
7KB

MD5
60b9eee18f0318ba56e33c41a80e4620

SHA1
94f75712bf7ea18e42d6eb3edd188bd5107bffa5

SHA256
b3897abdc308eb2f09af2f1146576875f8592116abe59b487eca11be14a147a3

SHA512
be4786c122ea9fb34cc641ac46150a3e2474a2110a94d3eda46efd4a3948350a10bf60faf5f9395c880efda418a399bc892d07289e2d0013155738225095aa35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
Filesize
232B

MD5
b9b9fde9c804d0a3cf2f4dce8a54bcff

SHA1
39985e1bcbd6c69763e8eb4f594850bdc63da61f

SHA256
a1ec5ab0569f4bffee4fb74c31f1027e6e02f7e3e88dbbed4dc5dba8a7201c88

SHA512
5f7db9d60ee60649297e5fe6a85bbddcaced587ed1bf11cdabdba67ac2e6e1d16fd68cd409485027e9088a967ab0c4437e92b518548b5190fc498da12af77a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
22693e51af633b27fd4fe61cedb6ed23

SHA1
d945b85fe0da2094606893646896c25b1b08bc36

SHA256
f674dc3be08ec740a12edb12743a4e25b5a7c2b05ece63961c86873e1c84ecaa

SHA512
a0e9dfc55f735a4adf1442377861e2fb8fa60a0cf9a80ef4da34bdabf3897d5c912c14c02dbb03522e77e66cfac0aae7ad76d28f58724f2546629920485966fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HKKN99IY.txt
Filesize
608B

MD5
d90e6c2bdbb1c1027bd8435af58d103b

SHA1
247f54730ec0903c5c54c5739d8cf05d6b6c3ee2

SHA256
eb5e706b222f056c6b5e9b179c0c0f71e0cc2f4ec0960a3792be6d9275bbe1aa

SHA512
2286d1553a931f858e0f77905767ee1a5147d068411acc2974cc21d1a71156386429692b08a4b0960375c868e5cd6338d88a3e6c83e31a36b0474024005b2f5a

Download Submit

Analysis

Sharing