hxxp://survey-smiles[.]com/

Resubmissions

02/06/2023, 14:22

230602-rpvyzabg54 1

02/06/2023, 14:21

230602-rpc36abg48 1

Analysis

max time kernel
30s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2023, 14:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://survey-smiles.com/

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002869be5d95d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503f44c25d95d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000982b39fff9c04047ad52c6110a84b58c0000000002000000000010660000000100002000000057669fe1ee265f89d47ac687c5c4cba293595883b51a96cbb18803e0d1906379000000000e8000000002000020000000a21a0e326c4b9e4eed09c107b2754a8cf3a47a63936c8e1d2e7d2ad46019142b2000000002faaf6fac1239c7372e351ceed4a58dcfb7c90aa83108336ee2a6380a127b91400000007a4e7961aedf5e311a3fab0bbfc91ff5db933b90b4947fafff7a94f536cfb6d0ba4c37d231cbeb63ab8c64cae128e92fa05ac6fcf404d922ae03c6b7228f11a3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 404c2ab75d95d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0b51dc05d95d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F06365C4-0150-11EE-8FFF-4E89871AD1F5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000982b39fff9c04047ad52c6110a84b58c000000000200000000001066000000010000200000004a111d05b52c89498ed5de889d3083e14ae2893f8de74328c6422c5fc0ee32a4000000000e800000000200002000000048d6441e9a4dcc638047296e389077753b3dd331a133b08ad9bde0ca1fe595f620000000ba3099dbb450f7fe45ef85826a40d8b8dfe8f45cdac799fae9d2cd7ee50a1d8e40000000fabaa19f2d7ed237ae495a19ee3fefa90431289b7a8a41f04ef45e96beb11bd174ea08c9bf94c7fc9eb962e8cca12d0f179c048e59c0920fff9e05d8bac31bd9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000982b39fff9c04047ad52c6110a84b58c000000000200000000001066000000010000200000001a6b4ee4fbd634d247f83ef424d2324a76d09972e5e7c9c04329c1b6f4dc31d5000000000e8000000002000020000000ca67aea3f0aec15f4c3e29b7b68830d1e8e21be15a1226e2bf00e61142442d5120000000490b0e798b9403f618819c05fc37e809100e4266902fcab5ad36b4ee1596abce4000000078aa4235f0b9cfa99f83caf2587bb6be20e11b62b7f74148c41b02e42e1b57017acf91ed8d9aab19662010a45608f85a5a0d26b25ee8617418aab13f0ba3bf2e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000982b39fff9c04047ad52c6110a84b58c000000000200000000001066000000010000200000004bd4aa84649236ae3b8a0da68fdd0d3ba013ad92d5fae5c4afe8e0f169a552be000000000e8000000002000020000000f1eda2e3630ab919c539602ee057fa77036d3176e4dc3c0b145879a930e24ce8200000008c5ec0b1fa3080becd9b80d04757c1526a728a459fa72e73c8997f9e81306b7a40000000688ef97e180a6ce29b254f0f16e929152c05c3e94b9c4c975e772c9e087dad8497a12d743958cd7e14b6eb0f8cb8ac05db65b245e32f1ca6342896a6b90a153b	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2040	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1632	iexplore.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
1632	iexplore.exe
1632	iexplore.exe
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2040	1632	iexplore.exe	88
PID 1632 wrote to memory of 2040	1632	iexplore.exe	88
PID 1632 wrote to memory of 2040	1632	iexplore.exe	88

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://survey-smiles.com/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\min[1].js

Filesize
8KB

MD5
c16c3a4c0fad29106f34d00e89f6886e

SHA1
6e11811ab8a98bb295b0916cdee68b302c33403d

SHA256
097786d677a859b7bc87e285377b083b76d66a2fc2832a16bcd50b0e99df77ff

SHA512
154baf532dbedba258b2ac12aa16463a66098b9f149dece93ab337072976eb2ccceaedfbfaace25606ccdb48f795803fce1bfe5eca197325743e8dd7c849f6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\montserrat-bold[1].eot

Filesize
29KB

MD5
65e03151914e450958061cbb762eebe1

SHA1
39e54ebf3eba09b2c95200138d63e4f9db3aa9ab

SHA256
64c4febd551454ba2b82e10dac1e18e5d5253f9c4d152f6c7e56186a5c823e4a

SHA512
9be544d089f53cce7792c0eb9e525192c7539e5c9dd5bf63b4c86cae691b53ac12049b1a181ebf52628c3e502a98699fd827d13dfc053676ecac43aa9306dc54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\montserrat-regular[1].eot

Filesize
28KB

MD5
f6215401e6aae823823c97578c0e132e

SHA1
9b49f51a4ea4d19f3a651a44abe2b709fcfa7c34

SHA256
0b32375761df803fd122de37b123251bb4997f14ef68e9e520289fc49b41fb00

SHA512
39600d6e91447560247baf4761c77409ada6ffbbb96abccbe1272d759502f6604a16d61e6a2ae28358ef3c03a660f1d20ebf070206492d4e2ebc1888af4ce78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\caf[1].js

Filesize
144KB

MD5
44107bfcce29fdf74ed31b52feec55c3

SHA1
cdee0fd67c2dd4ecf83b33fd26d4a82260e1e381

SHA256
a2974d2c295a2548f920c1fda42308f282986a7bf3eeb7aa54b478a19765f949

SHA512
7b7d6c7ec224bffe22c0819da01c3497a27fac47ef1a858707f155587d971a9c3c5733bb39c8a539e81c22269adcc87878162f059d184c24fc46d7a5a5073462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\px[1].js

Filesize
346B

MD5
f84f931c0dd37448e03f0dabf4e4ca9f

SHA1
9c2c50edcf576453ccc07bf65668bd23c76e8663

SHA256
5c1d5fd46a88611c31ecbb8ffc1142a7e74ec7fb7d72bd3891131c880ef3f584

SHA512
afc3089d932fb030e932bf6414ac05681771051dd51d164f09635ca09cbd8525a52879524b6aa24e972e7766ddf529484cc1ec416de8b61255435a89ba781f8c

Download Submit