hxxps://firebasestorage[.]googleapis[.]com/v0/b/newfresh1-e0299[.]appspot[.]com/o/index[.]html?alt=media&token=8a3b6bdb-256a-46ba-829a-d856467afbf2

Analysis

max time kernel
42s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2023, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://firebasestorage.googleapis.com/v0/b/newfresh1-e0299.appspot.com/o/index.html?alt=media&token=8a3b6bdb-256a-46ba-829a-d856467afbf2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4087200430"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308ae7f35372d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31027795"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31027795"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31027795"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1EAA0FCB-DE47-11ED-9F77-62EB0CDC8974} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4087200430"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4108918680"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9034bdf55372d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000e2373062cefc66dfe608a0ab74952eac7ce35faebfab9f65c691db5d80c7bbb8000000000e80000000020000200000009eeb7b2aa1c58589a8623bb68ff9a99a445e9edddca92ec8e01618163506a9dd20000000d244ab24fc26ec1981a0f941fa5e1d7b05ebd2946bd02b963152fc3a605f21c540000000d569d679b7b2fe6df0affe98f4c316bf76f6360a76345f98f018b8571742667da31990d7cc7cec12c5b85a2417012145829e5251caef2323dd946e3d62f237f8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000b0ab293af5e3c365137f68b347eb3e5b17158cb2e89e30794ccbce475504c80a000000000e800000000200002000000012b976d5bbd377dc795d1b2d4467e7edce72bad62a4562ecd881427816ffd5022000000046b6c3ae2e3db3f9d51b1a7b1f6e048ad2fa380e64d1ebd700bcea3f942bb94a40000000b4f40913b4101b7c82ee15f4f943470c4ed35b6198420f1d87007d12fb17f3cfad2c8a884fad7227afa16353d48ba803113d45a74e770f12cdf777231d4a8073	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3260	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3260	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3260	iexplore.exe
3260	iexplore.exe
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE
5060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 5060	3260	iexplore.exe	84
PID 3260 wrote to memory of 5060	3260	iexplore.exe	84
PID 3260 wrote to memory of 5060	3260	iexplore.exe	84

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://firebasestorage.googleapis.com/v0/b/newfresh1-e0299.appspot.com/o/index.html?alt=media&token=8a3b6bdb-256a-46ba-829a-d856467afbf2
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3260 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
cd20a697debac967d6e006796d88de7e

SHA1
39950e433af6db44e65a9411e0869f93daeb03fb

SHA256
74a5f99d6a592ffe83f7871dd842c538d7f2ce307a892b134c1957de356ca323

SHA512
51b1bd6f784587c540a7d5e17d74d38afc962e233633a12f9db8b59cb9592ceb14e2e67bb57bb7e68b5b312df0afe3fe17376c1b652a41f26dd6913baa10810a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
300afe788b3479091b62397ecf6f832d

SHA1
c1398c615e79e1a1dfbe560ba025ae29c3862a5c

SHA256
7e4e4320fe164b3f75f8e080f64c3f76e2bfa41976ff088fa3945c80b82e5048

SHA512
1fd6d8828ac55c3665ff11ea591749a439fb487c000a852e593be8efce24b82690148dd5e4f35a7e2f888c61d25260de777cd3057dc454c50dcce9c63efd24a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
30KB

MD5
fc52bd18e01553f914cac2b3a08655b7

SHA1
d067a4b0eed8779eb9b3a6ec1934023b0ab4e88d

SHA256
210b8e9937de4ae07790c798a40af875ba9fd8c2efda486ee359fe14b5148b60

SHA512
05eba90f967813fcc4e34ed2004f878a9c625c17c0bf45874096fbc238d127abf9991504a1de6520ecb63072b073cc83311e8321fbe649806bba448fedbc6ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
33KB

MD5
c897476763ed9e1d57a059d3d613a633

SHA1
cfa786c72f3f85146c99c789ebd181596d9134f0

SHA256
35a8b2f731c6a0d0c88dfb0bec14f7e18a96e046a8c574193d3b9d4298f199ab

SHA512
11cd31a9f59d6f31a08d96b7afbc9a7c2e700e7b6adfad2b6440265c5f085f6a605a811b3ad1e1af27b63eb80fcca93183c7f2b48102f9ce7691f4396de08c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\wikipedia[1].ico

Filesize
2KB

MD5
904ce6bd2ef5e1eaa6de1eb02164436b

SHA1
b37ac89616b9e4c01a35991af59fe6b63e41a48e

SHA256
3638de61226857e62cf5187d7d59cf902111ad4f792b5bdff1bfed3f5ed5e608

SHA512
05044e298742b1520585ae3c029938036ebed50337608a600c4924a29e3624ce704f3b13fbe348d9e1b1e93b1e0abff9f53bbc9fd31929199f9a374f154f74c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\zmb-icn[1].png

Filesize
30KB

MD5
9429ee41bce94cccc08428b2262ad721

SHA1
c5f56bd1f65d198edf79caf13047f8c5c5ba3eb0

SHA256
878ff701dfe238314108904aa371a548ee81477dcbf515799747c3a5b191dcab

SHA512
8d5caae6b26572a6f2e203f550b357484f5c800236b48a9b781a2583a873038368648d56ce575c199738516f6fb4ea0ba11768244bda113047b002f9bece3ec1

Download Submit