hxxps://drive[.]google[.]com/file/d/11d024qJwIGOK2Z8PSBg234z7tzit15WH/view?usp=sharing

General

Target

https://drive.google.com/file/d/11d024qJwIGOK2Z8PSBg234z7tzit15WH/view?usp=sharing

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "27954509"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DOMStorage\drive.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31033946"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3014cf045a8ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391269660"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\drive.google.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "27954509"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31033946"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006b1b24209a5b3c4ab603530fd8f378dc00000000020000000000106600000001000020000000208990c3c3098ba05c899af17c1fc1b237bb90d9ebb42fc9cfe80c12f6f0f2f1000000000e800000000200002000000092d14ff124f159f776053a3c2a63169247c9c9ecbc07c604d325c2694258ee9e2000000017182358ff483722f346d9b3268fde47f3a11f5978560d7c4388619be4b7909a4000000016c00c608e512bc6f1cdeee93f9db0f279f555db602b8a0143dab506b52c038386829a6d3e35991eda91fc33c0524eed73401ebbf53175ea91cc4fa425f10d0e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00b6df045a8ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\drive.google.com\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31033946"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2CDCA941-F64D-11ED-9156-62A6D96D5571} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006b1b24209a5b3c4ab603530fd8f378dc0000000002000000000010660000000100002000000080d3fd688aa6669d9d349dbbfd67f20f892250fb0b8b86d1a29b40e821b9cef9000000000e800000000200002000000026de63377294eed7cc247b51cd519931c5dd3fafe6b33239c027be30496cc865200000002df6bd9686506495d7dd8bdf82e4698cdb791937559afd08a21525dcf4e63790400000001f3c623ef2208fb89c8dd74360999f51811032e9da409f64ef1045e13f23934f9c579599c565546fbe1a9ebf99d5b22ea697a94853242b9f5e1249ab407884b0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "37798341"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1500 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1500 iexplore.exe
1500 iexplore.exe
368 IEXPLORE.EXE
368 IEXPLORE.EXE
368 IEXPLORE.EXE
368 IEXPLORE.EXE

pid	process
1500	iexplore.exe

pid	process
1500	iexplore.exe
1500	iexplore.exe
368	IEXPLORE.EXE
368	IEXPLORE.EXE
368	IEXPLORE.EXE
368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1500 wrote to memory of 368	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 368	1500	iexplore.exe	IEXPLORE.EXE
PID 1500 wrote to memory of 368	1500	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/11d024qJwIGOK2Z8PSBg234z7tzit15WH/view?usp=sharing
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
39a2b6d5caefca4fa6551e43248c2076

SHA1
9d79fe260d66922386720731d276d7b1027dbd33

SHA256
c91afdf51e6b6e391c701a4ae3fc73721c600cdd718f59df37065efff311a872

SHA512
0c41ca07519b5d12b20a2018ae83807f8f644446e8e8b940287532c806e9357f57d0c78187f30b07641f06d1b6b531db181e04f62bfc5cc8132c6283237588ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
8b32aed0d5886b04b24a952173a02322

SHA1
f259bc676cd188cb2d86aa44278c556cdc164fe0

SHA256
aa0c713df8c2767dc3fedd65cfdbe145b1aeebf4ca60354de6c912ba4ea7da41

SHA512
a76ee7a07851234751ea4bf30f1a78c02ebf5867b2d150e34520256adfa481262ca154e7df104c3febbfbd31d815665cf775104901e3d2e7c765657cfa5761ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\95fmw5u\imagestore.dat
Filesize
1021B

MD5
7b5754597ed71a3612f16dc82356ee57

SHA1
48f9696a1775da775ae82d38d290e0b05dc358bb

SHA256
41e6069c275703b98acb0e585fad1e9f4e2fbf0b5c149347aef155c1f6296d5c

SHA512
f2a09e9f455856294b35e19fd321ec3d1f2a0670a55e5904d116cf4f94f7784c578a12e8a671e834a34130f892be3e1531273df770b858729e68025a94ddfc2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1B83N948\cleardot[2].gif
Filesize
43B

MD5
fc94fb0c3ed8a8f909dbc7630a0987ff

SHA1
56d45f8a17f5078a20af9962c992ca4678450765

SHA256
2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363

SHA512
c87bf81fd70cf6434ca3a6c05ad6e9bd3f1d96f77dddad8d45ee043b126b2cb07a5cf23b4137b9d8462cd8a9adf2b463ab6de2b38c93db72d2d511ca60e3b57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H82VOZS\cb=gapi[2].js
Filesize
70KB

MD5
b3b4a3ece9b6ffbee2d2cff79c84d92f

SHA1
44c99a1dfec402d24601032625bb71492de4539c

SHA256
03f69d8a0e73ac4eb0f9045e2f6e1a6c64a629d2472ee3b4c73dff10151d5103

SHA512
1c3ec9037fccf9e5c9b4022d95a00a63473c4ec1402a55986e84c23e6138dfff6f8b7d1e72eab34e5e533b93d23525053c936ddeddda6522c177a81ce59036fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JXO1ZP0L\drive_2020q4_32dp[1].png
Filesize
831B

MD5
916c9bcccf19525ad9d3cd1514008746

SHA1
9ccce6978d2417927b5150ffaac22f907ff27b6e

SHA256
358e814139d3ed8469b36935a071be6696ccad7dd9bdbfdb80c052b068ae2a50

SHA512
b73c1a81997abe12dba4ae1fa38f070079448c3798e7161c9262ccba6ee6a91e8a243f0e4888c8aef33ce1cf83818fc44c85ae454a522a079d08121cd8628d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P8NMKCW2\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit

Analysis

Sharing