hxxps://fdghdif[.]r[.]bh[.]d[.]sendibt3[.]com/tr/cl/BVq4o588XfZILnBvJFk7khBCUiMwsvsHI8WBIRj2IRvf75Mjy6MVkyGG_aZkWybeqWzFv0bClFoex_DZ_nTqf6HBgYp1pnJ6XvIGFspS_k46t1a0wEjh_EU1fVFvv799IE_FLUGbRNcCUXNxv181ataDCBf-HwABEMcg43-QZnNWQkB8AIyLGsFCT1R6rYTq0nlF3sJ9KzjR1YuP3XKf4bmOQ2pdn6DQZvlSDX0jp_ASrkBnLqLjnlxESqzwSUmnrdk

Analysis

max time kernel
73s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2023, 16:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://fdghdif.r.bh.d.sendibt3.com/tr/cl/BVq4o588XfZILnBvJFk7khBCUiMwsvsHI8WBIRj2IRvf75Mjy6MVkyGG_aZkWybeqWzFv0bClFoex_DZ_nTqf6HBgYp1pnJ6XvIGFspS_k46t1a0wEjh_EU1fVFvv799IE_FLUGbRNcCUXNxv181ataDCBf-HwABEMcg43-QZnNWQkB8AIyLGsFCT1R6rYTq0nlF3sJ9KzjR1YuP3XKf4bmOQ2pdn6DQZvlSDX0jp_ASrkBnLqLjnlxESqzwSUmnrdk

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015271"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 609aa27f6741d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2107615175"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2116052263"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31015271"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383249016"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015271"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038d6e013bfdc304987793d321eb9933600000000020000000000106600000001000020000000e0e541dc128fd1b907c7a03a78177b40b7f5947e123b7bcba90943d42cebf48f000000000e800000000200002000000043045a751017f1c562f8427edda56d19dbb5d18895eaea4b6d22a61daefae24e20000000f1d22c8c43608e8c92e0fbddaa415945fbaed54d9ec0b4612280d15b01c775c1400000003f908e1d77ec764eae9361cc81b17703f182835477ad56139d28012c6ca04983d659417c9d4107f352e8672156455a44cf30ad081fa1a3c04900cf06994b78e5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30adb57f6741d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038d6e013bfdc304987793d321eb993360000000002000000000010660000000100002000000004c15a94e638a58e63b1e9b659aa4d47cc6a0093541cd977eb9bf87b581665e1000000000e8000000002000020000000e79d765710c936aa6190b4a17fd898003c1ecfbab44180a00570f222b2a38b5f2000000079e950dad85ac248f1eae6194eb4ee7453ab9f969a5320ed08b9f08077c295e240000000058c400de71349ffc7feee38f02f617c5c2eb879af24ef94bf964c970325eeec50691aa2e531ae737ed054519286d965eb8c5bb301bdb1f2ae69e29a85c8f398	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A8A3553B-AD5A-11ED-919F-628A2E7D3C83} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31015271"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2107615175"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2116052263"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1712	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1712	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1712	iexplore.exe
1712	iexplore.exe
3556	IEXPLORE.EXE
3556	IEXPLORE.EXE
3556	IEXPLORE.EXE
3556	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3556	1712	iexplore.exe	82
PID 1712 wrote to memory of 3556	1712	iexplore.exe	82
PID 1712 wrote to memory of 3556	1712	iexplore.exe	82

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://fdghdif.r.bh.d.sendibt3.com/tr/cl/BVq4o588XfZILnBvJFk7khBCUiMwsvsHI8WBIRj2IRvf75Mjy6MVkyGG_aZkWybeqWzFv0bClFoex_DZ_nTqf6HBgYp1pnJ6XvIGFspS_k46t1a0wEjh_EU1fVFvv799IE_FLUGbRNcCUXNxv181ataDCBf-HwABEMcg43-QZnNWQkB8AIyLGsFCT1R6rYTq0nlF3sJ9KzjR1YuP3XKf4bmOQ2pdn6DQZvlSDX0jp_ASrkBnLqLjnlxESqzwSUmnrdk
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3e41dd9366864e66b96c7435d56506ff

SHA1
7514d785e9fad54ffd07bde3f86d90bc4ac52bf8

SHA256
5902822e5633fd62796953f564224537bb472a22c1b4d0810f705f8e1e81603f

SHA512
ba64698f66e406a64667af24aca8f6187b9c8a477551970d8ba0a73c089b9577bf7c2c1bb95c764f84dc98fdb76d126bbdb1ae96b0657291507af46a2a922d9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
761c7a09cec9c3a7dcd7ad33b32caa7f

SHA1
03ba738d2cf3f0462017d9a5eb8bd6b95a36c839

SHA256
ec01738ecd5e31a740c833ac7da36b8b72075b40e237694c4e5c4f321bdc5dc4

SHA512
d809fc584f2ba00f0af95c4f0391c77e566eea0d7c58e11320e01cad675bb0f35e520a23f42f30b39afa705b26867e13a6c685a2cd52ef33525edaee9dbfc4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\xyoggsx\imagestore.dat

Filesize
5KB

MD5
81cbfdcf1aba2304d371ed562c5d5f97

SHA1
e1ee6eb0b3a8d40dc420c0d6b6a6b36e13fa1299

SHA256
2768ba8a44824e7d61ad7940d2b9f87e283abdc03f57c158cf13113b9d1eb64b

SHA512
09da567d922f7e85704b8ee67e3f3f9c9aa41613baa92a5958711aaa499fe4f2286a6f3d523e9652cead66f75f4838beaeefcbb803d2877c04f3617beb87c3f8

Download Submit