hxxps://www[.]pokojeutosi[.]com[.]pl/ufMuu8yp/?922lXhb413WZ08ZG36LApx7fkInaGeFRZOptYSbnytXOimSDh0Rio517QnEOsaUTaGeFRZOp1EbsnhaGeFRZOpWLGwxkUF3OJj13NEBkUv2scwbShXYWcGzxHW8WLGwxkUtXeNrOJuqwRoFZ6TCiHh9f7XkkWLGwxkUSB1N2EKMpsJfEOY8SFhiPhhUx2pL4wED9ctXiBkG4kvXzZhv12qP6PiaGeFRZOpVgDcEVF1HA5Z

Analysis

max time kernel
30s
max time network
34s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
16-02-2023 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.pokojeutosi.com.pl/ufMuu8yp/?922lXhb413WZ08ZG36LApx7fkInaGeFRZOptYSbnytXOimSDh0Rio517QnEOsaUTaGeFRZOp1EbsnhaGeFRZOpWLGwxkUF3OJj13NEBkUv2scwbShXYWcGzxHW8WLGwxkUtXeNrOJuqwRoFZ6TCiHh9f7XkkWLGwxkUSB1N2EKMpsJfEOY8SFhiPhhUx2pL4wED9ctXiBkG4kvXzZhv12qP6PiaGeFRZOpVgDcEVF1HA5Z

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\pokojeutosi.com.pl\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pokojeutosi.com.pl\ = "18"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e092b27b1442d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\pokojeutosi.com.pl	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pokojeutosi.com.pl	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d884b4d36e8e7a4fa099bbe82594e30a00000000020000000000106600000001000020000000b10b1ae383cdeb6c61d21fb6a747ee4cdee627a766035058062759652e981276000000000e8000000002000020000000f4952ac203a241ce3f13e3fc8afc6c1f7f13f3ba9047d128870354f3b6e18c10d00000003d0a2d8643c957258327039599daf6ec1ffeca0a46867c26ece9f9c76ede88f26b46f5ad7915c39268400e111a4f5b223b81fb95be6f17ad2f8c1524637c9a9f149d06c35e3e881b2dfa06871bcf9402b9f8d1ead3d32e992a424b4cc5a81482a6b9b601029afe3719e257d0128bad9f9c076fe0475ddd0f3a4be308243e7c85336dd4a7acda69f6abc55c42fc4bd3990bbea54bc9d4aeb5556fc78001531807697fb8da7ff8e8d173555dc8efa22f7dc1be023eb9faafbc0e1108944b92b0b1032e0814f60fc16b2b5127965c5aa645400000005f15ac7398c737814bc51ff0a0106d757b56e655b5c05c8b83129df7137162e43416f2b712729e15cfa138f092cf8286b611e079fefbfc7d976c952dfa67072d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\pokojeutosi.com.pl\Total = "18"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.pokojeutosi.com.pl\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d884b4d36e8e7a4fa099bbe82594e30a000000000200000000001066000000010000200000000af895ecf81206a7a1df621911a6862e9750058318831f686a74d3533533510b000000000e800000000200002000000048880ef1f7f4c5b67a980afebd83f059001458c4a143e0a11cb17783d2455ecbd0000000458449411d0b3e565aade3f6e7fb63a2e9b79c8895c4e8bf5bdce4d9fc6d036fc20006de58933966fd4168bff1a0dca574f6892842b6cb32c801002c1c85d5de4ed9f6a272c6808abf458645e4a5e402b53e13a5ac8325efa71dbe3748aa5fd1b518c0e25155034d6704a85ec48fe9ff1be46d2229069b726834444e6fa60323cb5901f6a03040722ca5159609e6ca464d8c0f796be8091c237667372ccca96057e180339054e2df95bec8ed5cfacee732b4f728a419b5a317aa0f5f4757ebf01671ca2040e188213440e71dfa7f1532400000004e2233991b4fc3b03c4fc89a7baac6a04c5956308ae2e63d1e95d984d097fa459e5562334615601aa7fb67019bc630c1ba00716368c3d10be18135dd0b22a5a2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d884b4d36e8e7a4fa099bbe82594e30a00000000020000000000106600000001000020000000d3f7ae10019d947466674e8fc727ca5aeb0d430f28d23e3518b340d6e3949ad5000000000e80000000020000200000004113dc428b23ee559b4880bc95e339838b52f6b6bd7efedf480ac26799b11184d00000007b47b09c84ce857931436bcb40052efbba7114d5cb962f0a7689842ac3193b0ee3edc69be8fcaa5cad9a2fb3d4ca58d4222120c9d7d8555da8788e7f68b96e5d129c4c386e9cebfbcc2f11b1197cdcd9b1cef83a863c539c17492f82d1717162be8c77acc4af07a385c7e51ae9d754125d2824bbd2fedd542e4a4a8697de3488a7ed16b7770f0819345e1b6a788bf236f08d1e9530cffad66b9b5536b8433e84128ff9ae52b48fb5b2691396cc09e9ae3bb0e1a4b8671b44d10d056b8ffb6696bfff8169fd7975ae40b0c1dfcaf6f7d9400000000ef8e165628376aeed6544bb8fc8ab10a702646630b701aa6c2b5f52271f4efd2fcb5a40dceaea7e40092a7c5465a9221dd25340370308a78881505716ae3eed	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B11FB89E-AE07-11ED-9424-DEC334A64072} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d884b4d36e8e7a4fa099bbe82594e30a00000000020000000000106600000001000020000000fe52261ef745de1445f6723c0783395633d525e14f02ff4d770e18093bb3cece000000000e8000000002000020000000538d875529cc243d17faa414ec964b6c26cb16b94628ed9353a587f3957b740a20000000413386490802c5fabbd9a9fd67820b8ec5e6e2a0edcc03b8847a6049501f27fc400000003b813af2ce9943a657ff812d25e1f49815be709348f38e84bd9d561ae1d7a23a68f615e8b9383a9cadab9edd60314cc9b5b0f714c1ba56300d553b55600f926b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\pokojeutosi.com.pl\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2172	iexplore.exe
2172	iexplore.exe
364	IEXPLORE.EXE
364	IEXPLORE.EXE
364	IEXPLORE.EXE
364	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 364	2172	iexplore.exe	66
PID 2172 wrote to memory of 364	2172	iexplore.exe	66
PID 2172 wrote to memory of 364	2172	iexplore.exe	66

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.pokojeutosi.com.pl/ufMuu8yp/?922lXhb413WZ08ZG36LApx7fkInaGeFRZOptYSbnytXOimSDh0Rio517QnEOsaUTaGeFRZOp1EbsnhaGeFRZOpWLGwxkUF3OJj13NEBkUv2scwbShXYWcGzxHW8WLGwxkUtXeNrOJuqwRoFZ6TCiHh9f7XkkWLGwxkUSB1N2EKMpsJfEOY8SFhiPhhUx2pL4wED9ctXiBkG4kvXzZhv12qP6PiaGeFRZOpVgDcEVF1HA5Z
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2C63781326D3B6A15AC164239CC09C42

Filesize
503B

MD5
4abba1fc8ef4b1967ec8c3565a612509

SHA1
fce4f7ea9c9254fd2a1c2d17c5a1496245d3b7eb

SHA256
c904ac77831a4ad0dce438e975a98675987805d52e7e5233188165155de7c3b3

SHA512
ea4d522a4b3aae9406e68334388745edbb9beaa8760fbfdb24ad2f53274dad4a1c0e58e6c1a538bddbdfe8da957e73383ae3575985fccd3badcdacc769a74724

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
aab2617c2c82459c2a97ad3c3696f920

SHA1
bd6f356086f509b137d15a0652dc5e2c71f23ebd

SHA256
6cbf322fe4b0ee42b6667fa1aface798ed6e3d9649b81ce2a625847bcbe8d4e2

SHA512
4d02185d7f547ff0225f5f619cccea5b242b4b0fd932c7d112e9cd7880b3de80301db91f4ff0bc52ace9f2e35d29989eb9152b2c5ff86ac3d30d8ca4287a6ee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2C63781326D3B6A15AC164239CC09C42

Filesize
556B

MD5
b890a042b340fc8533ac54ce6bb9647b

SHA1
9b1317b917a88133aa5f8019424d99514c2d5b6d

SHA256
9d1f2a54701cc93b1c25be9c1fccbc26f7976b00f2451c8900cb4563e3619e2e

SHA512
268f41250d8a9290fd734402e6d27ba8f7491df2915a8db2997def3eaae58a1fefad591b01856c217f5926a6656ca85d9cf382509a3115252c5705d8340f170b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\X029L5PR.cookie

Filesize
670B

MD5
23eee2e17c9b0c23ce17ce6add64f29b

SHA1
a25b6a1d3001f86a07f53291a0412b87841185eb

SHA256
5bbb1ce3fb1a3dbbf5f197e19dbe45100c7aac52a5995fc65476fa739b6ec837

SHA512
2c328d87e1ded4f80a7cbb222489bd843102af639536f5474da7937580b97f840d7b62df6d3f47662b36726d61e0e5a1b8d455eb5483b44e02b8bf77184691e0

Download Submit