hxxp://l[.]billing01[.]email-allstate[.]com/rts/go2[.]aspx?h=709721&tp=i-1NHD-A2-a2U-2j2Feo-1z-7txXH-1c-GnMZ-2gv4cA-l88641NDv1-1cwJtA&x=h13hp8[.]codesandbox[.]io%2F%3Fmandate=bWVnYW4ubS5qb29zdEBlZmxlZXRzLmNvbQ==

Resubmissions

01/06/2023, 19:25

230601-x5b4pagd8w 6

01/06/2023, 19:25

230601-x4yw3aga74 1

Analysis

max time kernel
15s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://l.billing01.email-allstate.com/rts/go2.aspx?h=709721&tp=i-1NHD-A2-a2U-2j2Feo-1z-7txXH-1c-GnMZ-2gv4cA-l88641NDv1-1cwJtA&x=h13hp8.codesandbox.io%2F%3Fmandate=bWVnYW4ubS5qb29zdEBlZmxlZXRzLmNvbQ==

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CC67C5C2-00C2-11EE-B7D7-5603A1288413} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\h13hp8.codesandbox.io	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\h13hp8.codesandbox.io\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\codesandbox.io\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\codesandbox.io\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\h13hp8.codesandbox.io\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\codesandbox.io\Total = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\codesandbox.io	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\DOMStorage\codesandbox.io	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1224	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1224	iexplore.exe
1224	iexplore.exe
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2780	1224	iexplore.exe	81
PID 1224 wrote to memory of 2780	1224	iexplore.exe	81
PID 1224 wrote to memory of 2780	1224	iexplore.exe	81

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://l.billing01.email-allstate.com/rts/go2.aspx?h=709721&tp=i-1NHD-A2-a2U-2j2Feo-1z-7txXH-1c-GnMZ-2gv4cA-l88641NDv1-1cwJtA&x=h13hp8.codesandbox.io%2F%3Fmandate=bWVnYW4ubS5qb29zdEBlZmxlZXRzLmNvbQ==
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.dat

Filesize
3KB

MD5
94d8077742feb15a19857058ed002761

SHA1
7b59471e21da630675b593603ee0622221c2e548

SHA256
83113e6a6ad8a1d3351c0c17655dbb0ac125cd2f5fc30eba04e939b036ce3905

SHA512
cefedbe8d59e762c31ea79f608c2641a1c0011ebcbee74571604e2ad0ed2cf770f090fc8928671fc189a12141d0ee4103575ec4abbd1b307bcf552335df8dc99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\favicon[1].ico

Filesize
2KB

MD5
fd8d37896781cee6e67781d13f32e69b

SHA1
afd5fb05ea0942bf9a9ae0f01d9edeef967b1cd5

SHA256
0d73291f77484d427869f38962b399ea359c9df97ec190f143ee113f321f4943

SHA512
367476aa2092fc75337b8ce8c0a1cad0d0d5b1add77b2570370a5acece9efe62358ce4c54b10094917363728dcc8e31ebe82c28901ad2285345faf38eaeca9bd

Download Submit