hxxps://farmetos[.]com/ffs/die-konto/7wa-taboun/upp/

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-de
resource tags

arch:x64arch:x86image:win10v2004-20230221-delocale:de-deos:windows10-2004-x64systemwindows
submitted
27-03-2023 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://farmetos.com/ffs/die-konto/7wa-taboun/upp/

Score

10^/10

phishing

Malware Config

Signatures

Detected phishing page
phishing

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CEED7B28-CCA4-11ED-8228-EEE8C52F8F4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2748492470"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023281"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603a4ea7b160d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50d757a7b160d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000041e7e96a9309728307b5e828d9c9cea44130575415f911fe0824e0d5adf3f4d000000000e800000000200002000000081aa3683a02766fe7b913a3df138babeaf0cb3637b2e4688f0c9e2846f89808d20000000d20bb5ed47e9cb1fd4598e21b2c5185a7db1f754ec5fa8e00bf0b06ba0c585bb4000000020774b54cf90c8b32b98636ca8c161f7cbe66f3b1c1823ac28fe47596d0e588421361282daf947926fef0010ec48a91138f983d609c1d826350e688281b49495	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2748492470"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023281"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31023281"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051d6db365ce0f843a8e6cfaf226c4d2b00000000020000000000106600000001000020000000b310db33e55be3c6985588555e9fcb703015eb70f09afdafbd899e97ecca7c16000000000e800000000200002000000090d470a240354e2eaa2751f4f7dbe3546b18f540d24d54606e401ebae8a5834a2000000004008e41b995528ca6c1e8080e720538d880242e9f99d912ee99ecc4be9cd4504000000041de0442919dc3a2a91129035875e6052f6c479408ef8c5929c2d9ddd5b1d466d12a73659f2c9f0fc7f7a487e8b9ea7a073b6a9115daaa74cbcb26590f6b57fc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386689350"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2767085636"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3744	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3744	iexplore.exe
3744	iexplore.exe
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2832	3744	iexplore.exe	86
PID 3744 wrote to memory of 2832	3744	iexplore.exe	86
PID 3744 wrote to memory of 2832	3744	iexplore.exe	86

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://farmetos.com/ffs/die-konto/7wa-taboun/upp/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
bb4cd9db319e8007cd72aa17af4b76a0

SHA1
8951973b028c09c71a792feff54e3096454a8c42

SHA256
aca8049efb96040e2124d06db9c9b2f3c5ce4166c831dabaa421e14cb5da1295

SHA512
6187a2b310a672f9080b9865115f44ea827a4f013f791105efc1f7641f11f9759877d61f5c50140fcf892b95318f1276eace9f78161dbcaf6e011f31e34f0729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
7579dae52b0069fd55437d12a7aace81

SHA1
a704a7e53e63c8c041b712f9771fb70f8af3ed12

SHA256
a5891f40d120cfdba7c0bbc392b56aeb1e5df0f4cb5d3199dec811f34303ed16

SHA512
cabcf65cb2064869fdc57a0dd11b355edc61aad0b43caea8822e8d70b4a255b1b8ab063d63ef8e76035ee57e164e4ec64179516c7458a96293137ef91414f422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cz9baam\imagestore.dat

Filesize
1KB

MD5
aeec6e39c2df813c39104a0e7a3e6fb4

SHA1
bed4c2b0949f076fd1b94104b0e905d82ab0fc90

SHA256
d17cbb31aa8f43790dd9a9ab916cf31afead5ed512fb2c1f765a163144344609

SHA512
0f212f88fc602fb2e8d575e62bb181b14de911572ac5b9993e256d1335548c30a388f359ff1b74edb5d25e76b5231043880afac33dac0877d9f4685a40190421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\favicon[1].ico

Filesize
1KB

MD5
6d866d9c4568bf7fc03e597e74ce7e28

SHA1
e1b3d9f0e9cdcb785a94b6c1e1fe651a4ff98dcb

SHA256
7c1925da382279a72f94990d0a1456f78918619f35780ea0905e4ae0db684677

SHA512
7dc58e58fc991e2c9310e22a6761aaa398586082c13fd7863fcadd48e15cef8ed7337dc33d0acc0d0b9b698d4d26abbbe6995fa48d2c9ce1161b2f39fea2a381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\suggestions[1].de-DE

Filesize
18KB

MD5
cc5361b5fdccfc6830217e2eb9972dd8

SHA1
e4a1206d9190eccea3e6a116c954d11da0aeba66

SHA256
afd57b0b6d8166e25bbef7cbc97522677c11c9a930fd4d4a204d1b7ae6258492

SHA512
ef63961bd7f0d3357d352a8f9c8ea57d0271e0fb664b1be179c38cd2d559bbaa4864f64f3521f26f868cc074f97994e2658c6d652021a39dc5207d45411691bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\tccl.min[1].js

Filesize
44KB

MD5
5c3e20ad749ddb088afc84b1b7ff009e

SHA1
c10abbdda3109549150f58c07f304c1d7f8a8d47

SHA256
d10c120206d25caa3deafc45a0ed90f2a6ce5290402c4502a68d95bcaeaa898b

SHA512
963781aa84e6cd39f0a7821cedd022f4591658467e4b68010c5e404fb6d849c4ee44b8024a70024c7844c0afa8902b857d2ed0e2494e3a4550bf5c73122e8bc6

Download Submit