hxxp://www[.]fiverr[.]com

Analysis

max time kernel
13s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.fiverr.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0EE13136-DFD9-11ED-9F77-FA48AF8140A7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "220"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "220"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "88"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "185"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "204"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "88"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "88"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "136"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "185"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "220"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "136"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "136"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "249"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "204"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\fiverr.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "20"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "185"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "204"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.fiverr.com\ = "249"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\fiverr.com\Total = "249"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1675742406-747946869-1029867430-1000\{3D3761F7-054D-4BF5-BB92-06226950DBD8}	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1304	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1304	iexplore.exe
1304	iexplore.exe
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1340	1304	iexplore.exe	83
PID 1304 wrote to memory of 1340	1304	iexplore.exe	83
PID 1304 wrote to memory of 1340	1304	iexplore.exe	83

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.fiverr.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1304 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RJGZAF12\www.fiverr[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RJGZAF12\www.fiverr[1].xml

Filesize
320B

MD5
f49d3c6e8e806e8c1a4ada821480e339

SHA1
77adc8c4bd79985ec28dd7fe1cb2e23ba6dc6abe

SHA256
465400345137879d4eaf9eda34c5f2829918dc6fb689db50c0ea95001fe5b118

SHA512
87553d54f578c0327bdf4ad116cc4993f4227ee31f264f0fee655df5b743984e6b5fbb959eb9b2c2c8f8b481f242bb7d17f7e222d82ae549870acf5d76acd842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RJGZAF12\www.fiverr[1].xml

Filesize
526B

MD5
93ced4dfda70e273a87d70a88a98357b

SHA1
ccf6e8679d5634a3849eb29d0c81e5a612589677

SHA256
636c8bf35a98106f06e873adb8063383e46c983df27f3dc830b3f4975c89ffda

SHA512
b69bd06b2d995e3052637fe9e47cda40af98b75c412495e6540ca68a2636c88cfa7dd1f6fc8153e768ecff2a744ce9e2ef58a4700f89e8a62ecf1f205087a50b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat

Filesize
565B

MD5
ac2d9c64aa059693328a8cd9bc4b17fe

SHA1
efe2726901c6fff6f144ae5cbdb5c90666135599

SHA256
33ab4e3803af7e6dad46320459d4243ca193dcc36092432842c395f6ce23192f

SHA512
ef1c82bbbbdf459e7615a7c77c0ea0af428addc53a717ba10f8425dee9e1fb569ddc239a9f58824ff2596117be33bd002a49b69562da4346d410251f2eb4fd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\ecm3[1].gif

Filesize
43B

MD5
6851dbf491ae442da3314f19e8aff085

SHA1
ecfec27263608c4ae7cd4f8e0cebb1b061df2ac3

SHA256
c21e2c1246fe45a6750ae6208db2b5965ff6ed63eb80d2ecec3be9c83813428e

SHA512
89dfc38ec77cf258362e4db7c8203cae8a02c0fe4f99265b0539ec4f810c84f8451e22c9bef1ebc59b4089af7e93e378e053c542a5967ec4912d4c1fc5de22f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\favicon-16x16.74a458e[1].png

Filesize
351B

MD5
1a3e7079acaefa5b556f635cb1b4ed25

SHA1
731b072e6cd44376cfa0d29ec8ff8e910dcd4702

SHA256
4ae31fda29d0863b8d3b9a47dff1c964248d79befafd0b6837f7f5b010b4a758

SHA512
a034f4ebf4bf4501586bb1be11cbee433ffb238a3be83574fe397894f28468c1602d383407f1a3f14e31d52cb54f41ca49aa28596d06a19d63f86d95e3912246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\main.MTFlZGFkNDkwMQ[1].js

Filesize
256KB

MD5
a9135257964bfc21ccadcf47c44abdf5

SHA1
2b09d5b95a65c0a5eb0afb8e51f0763779e37135

SHA256
03904d282a158b60cca5f936ba76aa7777e1070b06de9b59a23732067a965dc2

SHA512
82abd903d7327a52ae728e35871f3438f6fc0c3de7096bdd66f3c4c18a1b033065e16056aa02837638aa028719759669f9822e0c45b715266c9c748038b99359

Download Submit