hxxps://keralty[.]transmision[.]online/en-vivo/

Analysis

max time kernel
130s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://keralty.transmision.online/en-vivo/

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31030558"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1064726b1e7dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94ED6681-E911-11ED-9F77-FA48AF8140A7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1769702160"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31030558"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000e1941a30544092ea3cb28885c2089556facc29768ea54428c98adde2f335e1e8000000000e8000000002000020000000a84ea47548b6bd06e32b1de5b542dadc4616ce751dae3825d324c1b60af5c30f20000000297cd2b84755a5309590b16f173065bc6628f03a4be3e87a670a0985c389b66f40000000aa09cf4973a21cbaca69eccee5170c680891693d8be063de758e4302b5e1fe14aa62420eb6a173206c90d23ab714cbc0babfc00bb78fa85507eedec7f68245e4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50785f6b1e7dd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000a6681843531b2a929f94dab9706c864b8b044ad1220ef6d001f1f40eea893ba1000000000e800000000200002000000025dbce42511d042ac343a15febbe169251668d79318f682bb3944329831be986200000002af94891fe8cf4f66ed931a67ca1cca8758839ccaa19b98adcdc9b329dde88f8400000001085f3cec4932c96932a3579cc355d799e2d6f32ce596932012ff290e8f83a852d099331021105447dd126d37b621abb0545ca2692993ccca2492f29f899bbf0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1769702160"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
940	sdiagnhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1916	iexplore.exe
4108	msdt.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1916	iexplore.exe
1916	iexplore.exe
3968	IEXPLORE.EXE
3968	IEXPLORE.EXE
3968	IEXPLORE.EXE
3968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3968	1916	iexplore.exe	84
PID 1916 wrote to memory of 3968	1916	iexplore.exe	84
PID 1916 wrote to memory of 3968	1916	iexplore.exe	84
PID 3968 wrote to memory of 4108	3968	IEXPLORE.EXE	92
PID 3968 wrote to memory of 4108	3968	IEXPLORE.EXE	92
PID 3968 wrote to memory of 4108	3968	IEXPLORE.EXE	92

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://keralty.transmision.online/en-vivo/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\msdt.exe
    -modal "852044" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFB6F1.tmp" -ep "NetworkDiagnosticsWeb"
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4108

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2023050217.000\NetworkDiagnostics.debugreport.xml

Filesize
3KB

MD5
12cbc4c01a39093385c033329b153d1d

SHA1
9e98107c717c1c8ac30b75dcd82d14703235de19

SHA256
42db6ea081599464ce0192d8181b4d455b05f3d10d8e37803c810391e351c6e4

SHA512
5f0fe2485f30fd3b4b0de6e6eba2e20d37a733775ff74cda4e928c4b50fe3a0af68979f3bcd28ba17f53d24181f90c2bd2cf7bd1af341c65ec5e54318af93f32

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2023050217.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFB6F1.tmp

Filesize
3KB

MD5
c7c7faae3f57949f80ae6b5424d87cf6

SHA1
f5d54e4200293c4f413b19847dfc10d9d808b48a

SHA256
79e83d66f7eff8506e9d5421ba4cbe6bf00ac700a047cd0bb7760b57b19cf635

SHA512
b40eb59c9049440b4f9466d2e550eeb2f5e67c5ae290010d869ec12226017fe62416eb1dae172fc0dab18233c90e05709c0fc4c6df0baf3c59b4b1bb8a905065

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqnqzvaz.w2i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF8AED529087C8CBB5.TMP

Filesize
16KB

MD5
27bd3c45cf12aae469a87636aa86ec9a

SHA1
a8b3e2cca1b2fe044fcc34746ddf958be7bb43a9

SHA256
0fedcdffe8e664454c1c4319fba95d3ccf5183a30322ed58dd5ecf1fc6c63db3

SHA512
7e95216cb68ddc75235a39a173da49deb173d7e0845c10e49e611f1c71e0c82682b807ab4f8402a1a0a47b32c976c21a9efae5c69c3a6223f8ae7a7fb79aaaa9

Download Submit
C:\Windows\Temp\SDIAG_ee7ce232-2863-41c1-9ccb-33b861cf44d7\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_ee7ce232-2863-41c1-9ccb-33b861cf44d7\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
memory/940-515-0x0000000005350000-0x0000000005372000-memory.dmp

Filesize
136KB

Download
memory/940-513-0x0000000006220000-0x000000000689A000-memory.dmp

Filesize
6.5MB

Download
memory/940-514-0x00000000053C0000-0x0000000005456000-memory.dmp

Filesize
600KB

Download
memory/940-512-0x00000000052E0000-0x0000000005316000-memory.dmp

Filesize
216KB

Download
memory/940-516-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/940-517-0x00000000068A0000-0x0000000006E44000-memory.dmp

Filesize
5.6MB

Download
memory/940-518-0x0000000005490000-0x00000000054AE000-memory.dmp

Filesize
120KB

Download
memory/940-519-0x0000000005BF0000-0x0000000005C3A000-memory.dmp

Filesize
296KB

Download
memory/940-520-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/940-521-0x0000000007210000-0x0000000007232000-memory.dmp

Filesize
136KB

Download
memory/940-511-0x0000000005280000-0x000000000529A000-memory.dmp

Filesize
104KB

Download
memory/940-501-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/940-500-0x0000000005570000-0x0000000005B98000-memory.dmp

Filesize
6.2MB

Download