hxxp://Otip[.]azzurrofit[.]com[.]br/hh/c3dhdHNvbkBvdGlwLmNvbQ==

General

Target

http://Otip.azzurrofit.com.br/hh/c3dhdHNvbkBvdGlwLmNvbQ==

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000c8ed0554e24d5973cdd42fb27c4d6ea57c335ba50c70cf594e59b0bc8a33ea75000000000e8000000002000020000000f1e5294a691517089cb93e3f83b67bca97217db2a4467d1914be850f2237c7c5200000008779e9a3a1a2b7107bf78c2062bde7e373e18b7ddb9c9688cf44be707fce4f48400000006e8eb31b2e5a503f63190c2c50c92f3de643f33db28e340b0edb6928637f6bbff756ef487e07fd87b28aa5c06c0e8a8291a6a2c02e28b3b0ac183f94b186f774	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3108BE6D-C742-11ED-8FFF-6E21A4042E2D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0e9d4f84e5bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\codesandbox.io	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b28bf54e5bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000006c811045a44dd96f6ad4439dd8c1035e10e36376a0d1a3daadb851e903f1c648000000000e80000000020000200000003cbcd176ab3b2fb573b26dc7f244f186d6260d69e7d02cd402fe787900a389402000000012523e5d796de75391df120581f9b1d623cdac6f88ddfb808615a2a0dd7f5063400000008d14b8f81954db3316a4f83f001868b084fea801eb29a8999fe3af94f01ec58c86036bcabe50a217377ede6699c7cfd40ac3940c92a6ae3c770023b1dfedb143	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000005fbc27312a745dd83bbd027cdbfa335c469b735ab8361bbbe61b8d014ff775cf000000000e800000000200002000000086c0bbdfa9a858208b17f9637f2984dc3f93b89dfe7298083e4e64bab20f501b200000003caa9ea4dd71efb56347f2736f2e9c00098c4dd5c8d9649d1e2960ce037da4f940000000e237cec6165a21f20512e778d6bba1a728004e62c5015b8c1c2b88e371056ecba142527735dfaf712af2885e446c9580e461993ba4f1fa5f0b977aec5af807c5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f062edfd4e5bd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\codesandbox.io\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\codesandbox.io	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000210812ad528f368c9a7dcbe739be307c859bbba802d7b3a3dad34c5904d325db000000000e800000000200002000000060749687f9c0f327c8c94a1e303be9bacd9642309de2b86dc00bcc980bed979220000000abbd2df2b8a57b2e5ab7a4a7c8b08cf53ba38b0241fdd7c472b42530d66779cc400000000281a8dad815fca9720d7afee45fb8b05bbb7d41eb7bd1395cdc95a202f6532851c1f45cc0b172e6ded24a2e7548b985c5d1018bcbddf0d1f6c5437a379b3514	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3037cdfa4e5bd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1532 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1532 iexplore.exe
1532 iexplore.exe
4844 IEXPLORE.EXE
4844 IEXPLORE.EXE
4844 IEXPLORE.EXE
4844 IEXPLORE.EXE

pid	process
1532	iexplore.exe

pid	process
1532	iexplore.exe
1532	iexplore.exe
4844	IEXPLORE.EXE
4844	IEXPLORE.EXE
4844	IEXPLORE.EXE
4844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1532 wrote to memory of 4844	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 4844	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 4844	1532	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://Otip.azzurrofit.com.br/hh/c3dhdHNvbkBvdGlwLmNvbQ==
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat
Filesize
3KB

MD5
8ad8b6a83e6764bf39ede1f5230d5254

SHA1
50d8baa24b02e28c4139b85026396a26fef1d13a

SHA256
f19022f7b2949f79e7a6c97771df94245a6eccdb7448e5db3e954ac6be0cfceb

SHA512
c904db7132c47f65e21d5321b1680346d313ef1974e4059a4197f242c54e4fc02f1844baf61735fe05826473eb55b1e3c09b3d69d8b0583ff219661e8391defd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\challenges[1].css
Filesize
6KB

MD5
b55fbbca0f0ac20a41d9aba8533ed1c5

SHA1
3e317d4905c20267f3dd2cb894db16a2145f195e

SHA256
efdb5bcc25efa09532fbbf93e67a4bd0f74016ad3cfe118a2fbc94296adf875b

SHA512
e07114acbc41fc25dffecdc93c2629808b8fb7cd31c898d75be23b04f6da633064aaa4de0cb9d340b990e8127ee37c4bbb2c1504ed180b482e0e18191465906f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\favicon[1].ico
Filesize
2KB

MD5
fd8d37896781cee6e67781d13f32e69b

SHA1
afd5fb05ea0942bf9a9ae0f01d9edeef967b1cd5

SHA256
0d73291f77484d427869f38962b399ea359c9df97ec190f143ee113f321f4943

SHA512
367476aa2092fc75337b8ce8c0a1cad0d0d5b1add77b2570370a5acece9efe62358ce4c54b10094917363728dcc8e31ebe82c28901ad2285345faf38eaeca9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\api[1].js
Filesize
13KB

MD5
ab6f5dad37138714b2b042e5135da1fa

SHA1
51c1790132750cce2efc080ec9f9ba0ecd8d4b40

SHA256
d395cc53363e6e22c75f73de0d4de7355ed844b65b8f0d149664ec06facd2d8e

SHA512
b5c63bca704d802e1b05a914fa23507a2e17020fab39bb5e9c061a9d6dcb611c7c587a6bc1e9fc67ddf9e54a76a93f4e666ca499747d40787b7f8c1eda117cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\transparent[2].gif
Filesize
42B

MD5
d89746888da2d9510b64a9f031eaecd5

SHA1
d5fceb6532643d0d84ffe09c40c481ecdf59e15a

SHA256
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

SHA512
d5da26b5d496edb0221df1a4057a8b0285d15592a8f8dc7016a294df37ed335f3fde6a2252962e0df38b62847f8b771463a0124ef3f84299f262ed9d9d3cee4c

Download Submit

Resubmissions

Analysis

Sharing