hxxp://www[.]paypal[.]com/invoicing

Resubmissions

29/03/2023, 18:55

230329-xkwmlabb5w 5

29/03/2023, 18:44

230329-xdgvvsbb2w 1

Analysis

max time kernel
16s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2023, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://www.paypal.com/invoicing

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\paypal.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\recaptcha.net	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net\ = "268"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "187"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "258"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net\ = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\paypal.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "75"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "212"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.paypal.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\Total = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "233"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{78C4B10E-CE72-11ED-B7D7-6201C35E5273} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\paypal.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "75"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.recaptcha.net	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "139"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "203"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "343"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\Total = "268"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "203"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.paypal.com\ = "75"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\recaptcha.net\Total = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\paypal.com\Total = "187"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1028	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1028	iexplore.exe
1028	iexplore.exe
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2144	1028	iexplore.exe	82
PID 1028 wrote to memory of 2144	1028	iexplore.exe	82
PID 1028 wrote to memory of 2144	1028	iexplore.exe	82

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.paypal.com/invoicing
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\QISCT2Z1\www.recaptcha[1].xml

Filesize
99B

MD5
080fcb4d6f58081ec5a8c3c3ffb2b386

SHA1
478b623c40b6ee977cb29e4f0a2f452234aadd64

SHA256
9b919451748b9172ad583b97f2da4e54fd71abb52b0dcf2918f90b3684e9524b

SHA512
f2547b598909d65394478ba314d3fe4daaa82f9e560687659658ea5e9283384f7d9857f025058004eb231608a7f462754c621893b71dda060b7e97bf3da48d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\QISCT2Z1\www.recaptcha[1].xml

Filesize
464B

MD5
7bfb88b97448649ed669c715907860fe

SHA1
a5067cbd1949b60b2d1065a16f26ad9eacee6498

SHA256
218108aecfe7430f6823091a947a597c123a830927bbb03e25da01a2be928001

SHA512
79ce1afa1f5d41b35c0a78d77e32c3b108a7a5ec97b0c7b0346d4c24da74c6528d65580f2c4f29ac2148aafc308e05d454f3e183e7d5b84826efe1b043af5fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\SXC9S6VX\www.paypal[1].xml

Filesize
322B

MD5
4b1ba41eae1cb194095789e794580038

SHA1
f0235aae565f5e12f9d372bc17c4b033e526bd56

SHA256
9b1be4b6fb22fbb82d509e2a94455e6b4ddd6ad0488f37b6fca0541c7a8b1dd2

SHA512
5702e9d7b6d691a86dd55b7b6444388d32ec402a3de6ca46f4c6d7492aa16e4fc76dc94a59f38f8271fd5a9e1f4ec9d2bbd3c88fa114b7862e2037c8bdf688e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\SXC9S6VX\www.paypal[1].xml

Filesize
426B

MD5
8138c0071fb49fc2d2f95786b9710a17

SHA1
d00d6aa497d5a88cd4b4f3232a9447e5d680aeac

SHA256
ec59b638c479517d4d718f68d05a9ade8bee270925e4fbee78c90039dca6ab85

SHA512
85b28d78fffac80d6bed93503d4196c8b657a137a9df06412f259cb113c0bcb00cdc1f611801b37985e9c635d7cc684c0bad179932320f85b765f07033077a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.dat

Filesize
4KB

MD5
2f761035c35d6cad3d95d083b776786e

SHA1
616cdee5022f8bbaf55e31850e08387c47ee53ad

SHA256
e848e658a79c91f0125de38ad5b0c30abd27f4e4f7b8cbd4bae8dffc25e07236

SHA512
aa6cbc484afbaa54ae3c3110b1d0ac9926e5e95f9e5649db4799a91b88ef8205cea55c9347a4e4dd7d339c0ea8e53199e68de513dfe5f58daa51957ad26c3bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\recaptcha__en[1].js

Filesize
405KB

MD5
733e4a30889fa7c9947958423e21e810

SHA1
16a2cced6035295476141f8ac1cd928114cafebf

SHA256
7d2c1727a32a92776f9a3078abb845bbeb77e6603c40a318f12ea1e1b5a040d7

SHA512
b4a458c1c881be83715467db5c53826dd1a657bbfd8fc4b2b24b9350e5b80e489d6a438c88b05ba6cd139cd2bd62031ef07a40551437a1575b4b25b612baf3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\pp32[1].png

Filesize
3KB

MD5
8f4dd9ccb66a6485107e80b6e86063f9

SHA1
fc5220270099d7079a068e5fd3ac5ad248f2e15d

SHA256
9e208d404c81e5fc7170c13b8564b1368100d668b2071b16ee14600d08519ac4

SHA512
d7c9dcc96a817ff7816a8a16f3958206eb9f8c6538c522c35715357dd2526f16c643607fd79ebca31fec904ba364477d19c117bb113cf7f61ab0604a1781c4b6

Download Submit