hxxps://app[.]responses[.]att-mail[.]com/e/er?s=1981585949&lid=10478&elqTrackId=1b39a269511f4f90b65d9e9375404d90&eloqua_cid=CATEL000105164443&elq=9b20b5ee4aaa4e848bd22babcdeb7500&elqaid=22188&elqat=1

Analysis

max time kernel
100s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2023, 00:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://app.responses.att-mail.com/e/er?s=1981585949&lid=10478&elqTrackId=1b39a269511f4f90b65d9e9375404d90&eloqua_cid=CATEL000105164443&elq=9b20b5ee4aaa4e848bd22babcdeb7500&elqaid=22188&elqat=1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023389"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3070ec281d61d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000b8aef0dd32e8dfc7bad06619f649dbd5d85de143c25338ee34d506ce43fc21ac000000000e80000000020000200000001c70e65f0488300eafb0777dbfbcec1cee854ef9713688cc3d3f868fdb70529320000000d280cfbb9b4e4f0f19ea69208683470d7d1fc7467d8e9569e26918accd82342c40000000daf04b32f88ea9706a061105e64c020783f17279b39c2742198304d0c73613fff27bfc4eae97f406d334502ef595290d637f936847ee791afc9cc22d861f521c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8005cb281d61d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\att.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.business.att.com\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "592640259"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\att.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\att.com\Total = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\att.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "602642367"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31023389"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386735519"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.business.att.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.business.att.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023389"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\att.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "592640259"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c000000000200000000001066000000010000200000007ae0d2e513e71034c8dc42339c5fc6a7f1f2276b6752f95d6ce0c3d238284775000000000e8000000002000020000000fa8a6afb22cc764f6ac8543f255e34c6c2dfa919d8cb19ecb19b71e45e31dcb92000000027e4600f2e45321f6fad406d54b3103486c8454d641f9c51f6048f307ca1027640000000e640550c86bc0c1e23d3fbff9248feafc9abd82ce6b70a5ef2e52afe78755bc9a5bcc28d8109172f59f25b8ddf5f879f9a1227cf577d8c3011393064a0e041b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4E58D3D3-CD10-11ED-9F77-6E21A4042E2D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2880	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2880	iexplore.exe
2880	iexplore.exe
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2188	2880	iexplore.exe	85
PID 2880 wrote to memory of 2188	2880	iexplore.exe	85
PID 2880 wrote to memory of 2188	2880	iexplore.exe	85

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://app.responses.att-mail.com/e/er?s=1981585949&lid=10478&elqTrackId=1b39a269511f4f90b65d9e9375404d90&eloqua_cid=CATEL000105164443&elq=9b20b5ee4aaa4e848bd22babcdeb7500&elqaid=22188&elqat=1
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
f7e71e3c8dd5f9990106cbb678ec5ded

SHA1
be6a3f448af2771efd9e07cac43e1526ee326685

SHA256
7202aaad46e60f6a82ee32fcecc4cfb1474ad6f26317e0d6a0a7675360bfecb8

SHA512
ff36e0d555949a4d84a503e264b59d72ce17e277aa9f34517e5a89d165d6af5f49d556f6b57736a1ea2488fb447cf7da4f35848bbfb1adee0e14e501bf503c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
bb4cd9db319e8007cd72aa17af4b76a0

SHA1
8951973b028c09c71a792feff54e3096454a8c42

SHA256
aca8049efb96040e2124d06db9c9b2f3c5ce4166c831dabaa421e14cb5da1295

SHA512
6187a2b310a672f9080b9865115f44ea827a4f013f791105efc1f7641f11f9759877d61f5c50140fcf892b95318f1276eace9f78161dbcaf6e011f31e34f0729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
1aed916cfdbf6db419477d2585bde398

SHA1
9a61c9f94ed1e35b9ce41f491cf664f1d841dd0f

SHA256
b68eafa319dccb9db372eeaebae6e237bb616436cc6a2771d8d2459cd88c11ac

SHA512
d01088e45646f3de03ea3277534eb46a29e2dc3fe418916ec9339f6326f85774198685289731c8d8b4a2ce72b745a7df91fc4c293dd400b1cc8b38234591bebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
3895ccea27706e4cfd494962db4e3102

SHA1
acb591d942c7b152956754bd906d37f426c64cfb

SHA256
10e1993b2351466bab7789a866b569bb9a809ccdc87fe761b7564d7be7c36594

SHA512
78821b227c395b1eccbe0eaf3d0ea1c444e450b772925008747ab5b457ad82c66320bbf025f844f9845accf1cd8b978a565991b15a1233885819e1dee9a2b7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0P0CURNY\www.business.att[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
100KB

MD5
4e936a9ee1f0725ed7caaeb503a61934

SHA1
3b8ca950f3e9c857ee4b9ba21b6a4174351c74f2

SHA256
4b8068d4f94c4e454fe98ed3c2133e8f6ca380ade6d577e25f4bab135ba525a8

SHA512
6bac40e9169f2ead3eda6750f3469aad119f24a88ea5c978bd64bad47aeed0e0e604c0cda546ca76c1f6b39380161ae52576c87481de5781122cefe2fabc1204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
100KB

MD5
4e936a9ee1f0725ed7caaeb503a61934

SHA1
3b8ca950f3e9c857ee4b9ba21b6a4174351c74f2

SHA256
4b8068d4f94c4e454fe98ed3c2133e8f6ca380ade6d577e25f4bab135ba525a8

SHA512
6bac40e9169f2ead3eda6750f3469aad119f24a88ea5c978bd64bad47aeed0e0e604c0cda546ca76c1f6b39380161ae52576c87481de5781122cefe2fabc1204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\favicon[1].ico

Filesize
99KB

MD5
f69c61bc513d088d5d0557042aaa783f

SHA1
0d8e59563c7709ff7af408a2efb9145d50c14f51

SHA256
eccbdebfcaa8a16e73252adde8a643b7b1627547ea5043bbf8eb8234d750a9d3

SHA512
d347133fb7576007a9fe2defcb98a36590bba9224b47271c18dd490261fd9f4ca5f088e51f92cc09df5f98986afa7a30b87ca5453e14a4f681d657981e533d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit