hxxp://kohlssurvey[.]shop/BAKwr9UdSHtIvg3gdZCgZ0UplK4puNvnyCuox7b

Analysis

max time kernel
44s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2023, 01:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://kohlssurvey.shop/BAKwr9UdSHtIvg3gdZCgZ0UplK4puNvnyCuox7b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://kohlssurvey.shop/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31035464"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1E739E30-FC3C-11ED-B7D7-62A6D96D5571} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = ebc792ec4890d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000028f87f41a41f1347850facafeab0d7d0000000000200000000001066000000010000200000001cbf8da12ba9c65b43e9241cacbac5e298e4d77452fc8e3ec97d52b79381cf4e000000000e80000000020000200000001968a898c7bb027267f7761bccd9ec8b74f698ec74bb560b5a396536bd33622e20000000085b824b7c9ce9f6f46c8f1801ec0b077b9c1279a846c3bfa260f84f917f4c2d400000005c460a98eef5bc6653d6784917ff387f63cfa4d840b06520ff9fb2a5f7e7d8594b2d247fde2f58d44b257fa8b76c6423319540a717508b4bddb263f0524297c9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0025bed4890d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4093703601"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4076051464"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31035464"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4076051464"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31035464"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4236	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4236	iexplore.exe
4236	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
4236	iexplore.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2024	4236	iexplore.exe	84
PID 4236 wrote to memory of 2024	4236	iexplore.exe	84
PID 4236 wrote to memory of 2024	4236	iexplore.exe	84

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://kohlssurvey.shop/BAKwr9UdSHtIvg3gdZCgZ0UplK4puNvnyCuox7b
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4236 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3b2daafe6506b789e6b8b0a9c4eb42cc

SHA1
da166c0ddf9e4065561b8849c8a841148797bd46

SHA256
65c2f718c41a8b2a8bfa7709fcd48d70ec0546c7e8ff80d83076fec0d8db1943

SHA512
2398cb5a868b7fc6638531994ffb1f149db0f231e89fcdc53e4d5a0b44c81cb12aed855675893e27e3b5b48a3e2e10076d403bb697a3319af702ddff62de4173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
e9cf85a1dcaa664a0d3b14da3aa479b4

SHA1
797907acaf3b4ec061f208c4527cb83480fc630e

SHA256
ec8a745143ae3bd91ece9d8394561afd4419fbdee0a17b8f1b242261e8ad0d76

SHA512
a6d7663a53ca87bab1c28ef280e2d2d1eb23887a501fa77f4ef9138e631d31dca0275b5f8474265d7a2f912f5ee204d0fad50dfafb9ccdf8c34f1dc15cdc0093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.dat

Filesize
25KB

MD5
db8bf86fde95aa4ef455cf97985ca457

SHA1
bf15a649908e795147ff4b61796993998f43db87

SHA256
35449808cea5b0f14b0b79baa0307b44c04bd1a0f08190f58b66ebcaae0c413c

SHA512
2491362f30a11a7f6c9a782680f88b3cecffcc19bf3f0dd705f09905c6ad115a7d77f90169a2ab0e16707a6a2685ed80bb8de70caf39acd3143949fe5766a56d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\favicon[1].ico

Filesize
25KB

MD5
d371a1d2b0da50a548a6f84e7b1af005

SHA1
519a7847b31afab3dce27c56cf09d7e97f23ad89

SHA256
eda10612fa39e84fa563bd00f8e1552163efd1f08522673758f5f5d3f0bc8f92

SHA512
8ef99dd06ae8ce44484b64d0788103cebcbe870a3d1357d3bea93e6578a035206f88f3365f02a01ab5f4cfbad93265bea974641b5f97d7ae1589fca660bf9675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\favicon[1].ico

Filesize
25KB

MD5
d371a1d2b0da50a548a6f84e7b1af005

SHA1
519a7847b31afab3dce27c56cf09d7e97f23ad89

SHA256
eda10612fa39e84fa563bd00f8e1552163efd1f08522673758f5f5d3f0bc8f92

SHA512
8ef99dd06ae8ce44484b64d0788103cebcbe870a3d1357d3bea93e6578a035206f88f3365f02a01ab5f4cfbad93265bea974641b5f97d7ae1589fca660bf9675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\qsml[1].xml

Filesize
217B

MD5
b27d057fc57b53359441dd4a2f260dbd

SHA1
174b8b8fba97d9f1afc0ac60a3bbb31ccc9d78ba

SHA256
71baecccc3f0ad39031c98eac02d70b5d7f330bd7a144b94c6b5acc54e0b1443

SHA512
77f65129b28012ec5714984db3fdd9789358d1eb965aa70c68be1b618f52074bdcbe9ac26b699df75191c529fe1bff0fbb0cbb76c574aef79f6e244f08e7d31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9YACFB9R\qsml[1].xml

Filesize
216B

MD5
88bde9ff738b5497d4ffc3f666e0db5a

SHA1
42bfa814d570818a0cba8fd69772217811b93052

SHA256
84891d715bceb21b5af7c663df4f010878693c8f2052a17dcf4aee849995f65e

SHA512
c2f42a11fa5304bee9f207720da9e5f6c4623d639b8adee0d0e520fcf91ecc4ca569e244da8aae78e7d1f6565841230d0ff4c993935d0ccc15b5fa248f532326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\OpenSans-SemiboldItalic[1].htm

Filesize
13B

MD5
6ed0a7b3d262f18276c5355ce00958b6

SHA1
d211e2ef8dd9e15443e081e455da91938085a2ff

SHA256
b2c586b993fb29ae224f95fa15a6d760f38dfbc2146b45d8564194ee04295b53

SHA512
2b3b669ad060c0343716f104a0d4602e5e24eb46ad568021516b4f33a9cc5f16dd77083f923243837de05b47a2ea745ec7f402c78ff175f6c2d5e2d33f458131

Download Submit