hxxps://trk-mkt[.]tason[.]com/CheckNew[.]html?A8PI9b7HGs1iTtAv24GgKOcbPF6qT1ciHFyceyuPwSkG==&j7jUKLzsw7wjhVcTX8mH1AQSNwJp7TMCR2=&j7jUKLzsw7wjhVcTX8mH1AQSNwJp7TMCR2==&UE9TVF9JRD0yMDE4MTIxNDEwMDAxMTY1MzMwOQ==&VEM9MjAxODEyMjg=&S0lORD1D&Q0lEPTAwMg==&URL=hxxps://drlindawong[.]com/xzd/#YXJvYmxlc0B0ZGVjdWluc3VyYW5jZS5vcmc=

Analysis

max time kernel
32s
max time network
35s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23-03-2023 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://trk-mkt.tason.com/CheckNew.html?A8PI9b7HGs1iTtAv24GgKOcbPF6qT1ciHFyceyuPwSkG==&j7jUKLzsw7wjhVcTX8mH1AQSNwJp7TMCR2=&j7jUKLzsw7wjhVcTX8mH1AQSNwJp7TMCR2==&UE9TVF9JRD0yMDE4MTIxNDEwMDAxMTY1MzMwOQ==&VEM9MjAxODEyMjg=&S0lORD1D&Q0lEPTAwMg==&URL=https://drlindawong.com/xzd/#YXJvYmxlc0B0ZGVjdWluc3VyYW5jZS5vcmc=

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b030f3b8cb5dd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3360905921"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31022539"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31022539"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502a2cbecb5dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc0000000002000000000010660000000100002000000014016cc76e48a4ff258dbf082253dda29f6ec712962ef487b2120de30053fba7000000000e8000000002000020000000fd4f9b9b142ee2eb450b5843794c3b1a3ef8b0809796002cf7ad1aeb1d49cc8420000000c172cfc8fd6c4ac31756608c618b73553626de8a7e1fdd49fdc13ef229f8a10e4000000047cdbe7c74b222a340880b2fa766c9bb646058fce38d72f54bf3cc04d01fa51ea1b4a9c6fdde4ef46bc3fb99fa1c05dee5f6d378cdc6d27c75bbaecec6f4f8b4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06246c1cb5dd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3360905921"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F375E6CE-C9BE-11ED-9346-CAF2A1F578CC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc0000000002000000000010660000000100002000000095c5c31c429b6a79a47818420e79b901c6d2947bb934be84fba1b6c69d33cc23000000000e80000000020000200000001d19e33b4012aeff6e7e7805c695622b0f5388b0458c6fc1b761e2925bb13fce200000003a70ecea1044b2370df098edcb91d8825c2c8c6cf391b8a3200845d34c2bb1a8400000002eb69ba13e92f3f3bf1751ff20fa7d53bfa2a02bab836af77149b128192f2a043d396560c70780a5f3b361de805c69caf22d151c832c4073de47ae83c238be75	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc000000000200000000001066000000010000200000003486747e976af031ea90788af05160217044e4223d740470fdd8a9e6470378b4000000000e8000000002000020000000aa197ee7bbd80ae7f2505a2da6a8da0a1331743d866e006ecb49aa5358fecc1220000000d0a134ccfd7493ad7126e1c4685dd17c2b009abb1e9839aa5ea5b04b8e957d174000000009583531c3bcb7b07d34d260fe6f7da446d302e8511f9940ef71b02553c9151962f5ab9016503c0102a7e3501edaea6e8de60be95816a179d0f2fa34e75595a0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70911fbccb5dd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000af653a432a26840a7b5ec4575ca9dcc0000000002000000000010660000000100002000000035434793210a8bb4e2f1330af0a1e6d568ea4a40a38c19b13c86c7f86308de08000000000e80000000020000200000004a11c63eedfa8de45b521df37ea97ded00ef5afd7c97931485523058f5eabc8020000000eb1d39ee2379638de80b1ce945c70c8b4cb7ebce4b876095b3e4d2e79820c3cd40000000dc4b113beed6a9ec99474e012c5775690b3844dd6e9c534bd4ea6cbc93af185587d89450636018b857aada7fd236d5d1dea26e0a96ce409fd0f2d9b241480c04	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

400 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

400 iexplore.exe
400 iexplore.exe
2324 IEXPLORE.EXE
2324 IEXPLORE.EXE
2324 IEXPLORE.EXE
2324 IEXPLORE.EXE

pid	process
400	iexplore.exe

pid	process
400	iexplore.exe
400	iexplore.exe
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 400 wrote to memory of 2324	400	iexplore.exe	IEXPLORE.EXE
PID 400 wrote to memory of 2324	400	iexplore.exe	IEXPLORE.EXE
PID 400 wrote to memory of 2324	400	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://trk-mkt.tason.com/CheckNew.html?A8PI9b7HGs1iTtAv24GgKOcbPF6qT1ciHFyceyuPwSkG==&j7jUKLzsw7wjhVcTX8mH1AQSNwJp7TMCR2=&j7jUKLzsw7wjhVcTX8mH1AQSNwJp7TMCR2==&UE9TVF9JRD0yMDE4MTIxNDEwMDAxMTY1MzMwOQ==&VEM9MjAxODEyMjg=&S0lORD1D&Q0lEPTAwMg==&URL=https://drlindawong.com/xzd/#YXJvYmxlc0B0ZGVjdWluc3VyYW5jZS5vcmc=
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\45253D621EA9F2E0253B4AF8D44565CD_6AB890107DB45004A69A7D3A40697869

Filesize
1KB

MD5
00426fab0b122f8042f883da8ffc68d5

SHA1
95ca34ee487510d2457a7183c9623d928f291229

SHA256
cf69164c1b8f61641912b09c5b7fd4e3e7e26d10d192ebefe06699b251a9d1cc

SHA512
e1e838b6132366899934b7dd4c3721c7a1e5190f4ef03fa3636edf4efdc91e5756ddca3b33d48d47b3e8c4e07e4f76477923952c195124d5406990c65056e544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7e6edac4c08deaf3549189bfc3fb721d

SHA1
1bc71fc3691ec8fff202ef503f30c83673709055

SHA256
99600b86d6c324e84351dd8f09183150203c83df6188ff21104f3808e57adff9

SHA512
e5fe4d62400e6dd9d835111384b965a1ee33e72cf2f64724c22a535e133eb71196bce1566f9f2ed15c5965709e9e29c27bcf6744efc671bf406c9acd416946a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001

Filesize
1KB

MD5
b482a462e6b12f82982a862dea100049

SHA1
32bafa4376ae3d674f64b8e23117f1dcac0643dd

SHA256
44433b25ffafb7c703e2f6c05c64281787bc7b97986f81bfb4034967c7d869df

SHA512
4e9bd96e2ca6b10b8284d9943bdcf2c5d145e7ea9998542ccdf83f13a5808416c210bf792838c993f823dcf07ac07e6ccbe5c5baf92308890aaf3d1b610ceea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
d4d72890b14abb57ec0a90fc75f2a82c

SHA1
6ccd0273981d2da1d4fc5a35598a1c27bc784226

SHA256
268e4079c41982b4e9384eeaadbd45027a34c8923a0a00c07d9148bc25ded51d

SHA512
5019151886ac562f347f14498146e7c1fc7dba6a65e9412b6be177b8ab70123a3ccfdd562d2ec2f7743aec5a047527eb3bb78704dd2297fa04c4a08d15592837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\45253D621EA9F2E0253B4AF8D44565CD_6AB890107DB45004A69A7D3A40697869

Filesize
516B

MD5
c37652605c29ef34c9d8106690213a6f

SHA1
10602eae021fea4b6154707901698df5bc1cc851

SHA256
1c0d4f4250dcee0ee6b15f20777bc52fd9c86301fbc69c82a9b86d8b88f16fcd

SHA512
0d1c9fe4d83790468ace2d51d2f25efff9eaab87e611e9caaebd0e3c14da5ca785f6e83fb5ccec188c5c934da8f2c8b262dabb6b47f5591fce7493bbec375c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
e3be78dffae6086eef3112daa8eb81d9

SHA1
ed211a214421a34b38c225ac49518c892e0cae1d

SHA256
c5b19a18484f0950e5e3332b115a88ebb2ed7c94fb1533891b36c7836eef53ad

SHA512
0059f517dea8fd3860ec039a2dc4223feb5dcc68c1f2f53965355b71d8320e343f39577278c52fbe66bcccaaa5dcfdd1f372e25f319c482261ad2151b59cb8f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001

Filesize
492B

MD5
fee29e7fa0848907d3cf998d547af2cd

SHA1
89a98114da22668402041c03c14f99b50750445a

SHA256
44a86e70cb976e4c93ed995651e445edc1853148d29b5e520dc2b3ea16303bf9

SHA512
51e99486cf4a96429cfdd8eb31ca6a87b567b8c1f5863f19fcbae4242ec12b16e1cbc82e0fd101af2b2f0a1224f00cea5e3c3660eed59883f980ee759cbb7fd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1434.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTLFUYWG\api[1].js

Filesize
13KB

MD5
ab6f5dad37138714b2b042e5135da1fa

SHA1
51c1790132750cce2efc080ec9f9ba0ecd8d4b40

SHA256
d395cc53363e6e22c75f73de0d4de7355ed844b65b8f0d149664ec06facd2d8e

SHA512
b5c63bca704d802e1b05a914fa23507a2e17020fab39bb5e9c061a9d6dcb611c7c587a6bc1e9fc67ddf9e54a76a93f4e666ca499747d40787b7f8c1eda117cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTLFUYWG\challenges[1].css

Filesize
6KB

MD5
2c78b7f8fa496092bf41d5edd51611e7

SHA1
8b0b1b276e8194b0a5497db478ec2ea9b4f83c42

SHA256
2b0bd09c1cc7119d27e45353a59bf6c2721563e1689853ff704057a7439508d2

SHA512
53a7750ea46082968c2ec557857ad3975cddb0b45595259f0f3e9fc16360b87c5f257e058489ecaf80e61a97f92f1c5e34fa2f6fcfe922f4ae22392ffd75b4da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTLFUYWG\transparent[1].gif

Filesize
42B

MD5
d89746888da2d9510b64a9f031eaecd5

SHA1
d5fceb6532643d0d84ffe09c40c481ecdf59e15a

SHA256
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

SHA512
d5da26b5d496edb0221df1a4057a8b0285d15592a8f8dc7016a294df37ed335f3fde6a2252962e0df38b62847f8b771463a0124ef3f84299f262ed9d9d3cee4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\WJK12OD5.cookie

Filesize
447B

MD5
cc0cb3d8df9074f5bb4a5d55f03c8996

SHA1
0f6535f30847efd628cc43c253adfc58e24db2d7

SHA256
d5f1d5b162d755158dfd282cc1650384424820d3374f2eebf9677b9fae9db4a1

SHA512
921ff4471229c3c3872a26f70d9be4f99a3fffd7ca0d271aedc655dedc3fc3c930cf698a717fb6f61aa9d48eb31349f50613615c111ff529cb4883a655a1f738

Download Submit