hxxps://storage[.]googleapis[.]com/msgsndr/on223RmJEcl9fY1OZrM7/media/63bdad50a6fc4eca4bbd2ecf[.]jpeg

Analysis

max time kernel
45s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://storage.googleapis.com/msgsndr/on223RmJEcl9fY1OZrM7/media/63bdad50a6fc4eca4bbd2ecf.jpeg

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31039375"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000092da64e8329fd749b0410fa0fa011abc000000000200000000001066000000010000200000005f3a86d92061c2859ba0a16df857c475e73d6f0276bc8ea8a658d9ade8384dd6000000000e8000000002000020000000ee8ef2990b329e29751984507fe0780dff96c45288173bb1968ae03156e00f5020000000da83c4567e0f9afeaf9c6818437096724f6042d1c7c20cc61e2912fe41cb962f40000000f14718313f8d5ac5a98bb89bb1869f6a4c874efa1b7daa22785482f7c077c1a09d3723f7567b726df81b429fdaed6780649be03589e36dfb625452a0924fc416	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31039375"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ff779c8f9fd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2590738978"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000092da64e8329fd749b0410fa0fa011abc00000000020000000000106600000001000020000000a43ee063752bbe21aa045c37eed040d50f5d24764cb74a9d6cb84e21da710b1a000000000e80000000020000200000008cf0785f9ee3218c46a5968ca82e7b5d4381a2da9a497eb63f6b0341bb3685e620000000e0c64ca184fa1071e9d6417fad3bc84ade4ce3c372c54538bc4342f974a4d7e840000000e3bbd69f8f3bf00642eb1cc7c31305229d551477390427c8bad127514cf90ffa069b4eafd19258605ae074fc4e8c4a48f7870e9d3c7b2032bc11818f7d74336d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31039375"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2599488843"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90259e9c8f9fd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C5E9BB23-0B82-11EE-8227-4A63E52355C9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2590738978"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1748	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1748	iexplore.exe
1748	iexplore.exe
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1844	1748	iexplore.exe	82
PID 1748 wrote to memory of 1844	1748	iexplore.exe	82
PID 1748 wrote to memory of 1844	1748	iexplore.exe	82

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://storage.googleapis.com/msgsndr/on223RmJEcl9fY1OZrM7/media/63bdad50a6fc4eca4bbd2ecf.jpeg
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
82b6e24e9d7fe90d647b5b81389401b3

SHA1
51f3af35027bc77cf6912e6dd3d6cc3289c19c55

SHA256
3483fda8fbc0fa1d77780c1c46e372c3bc834a45b19d149d0dbc8c2fba26322d

SHA512
3454b31c7111bdc0cf6ec133ef1dd6755abf0b006f77341b904fbb8ad25a81b548accc510f1590c2a3955f5bf86f8b023404e1acb9d2b028bb29067848936f7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
18850c6050892e216fd527e469770716

SHA1
1b91a9c98ea92d3c4d342527828ff8109b249be7

SHA256
b4c957b1315bd84a6d2845ba2dbbab14322e5a4baff3c0ad77bfaa0e664e784f

SHA512
8e5ae61f361a01e30a8e36deef88f898a58360ee456f220f322d5b7fb91e43d14e02b8b112556cca7e3762344b273f2b87e8c492998cf6215ea6952b393ac9f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cz9baam\imagestore.dat

Filesize
980B

MD5
ff8a43cbd8bd8bb76faa5cb2efee3221

SHA1
3f3971229baa5ccebc7964570d1fc2e413f6ac01

SHA256
fe28bd1c912ba9cf92f242778995a5e38508406fd4ac56f3438a005b033ebbf3

SHA512
c52415cb73c94b4cf230fcf0aad6ac0768745db926b965e717cf91b1a1c333a495c3a1ac7ab74072c8a2be864e98d3e547c0c631c85e020a58c4866fb84497e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RPW4GWWI\cloud_storage-32[1].png

Filesize
850B

MD5
352549ece32e8183cb6792d5b1e7450b

SHA1
6c6ea952ec11c2026e828f0118bb9a58e35ccfbf

SHA256
24283abecab24b0a7f50518ef5e9c684b1abd4fdbb31c6d0e1ca63a236a34d1c

SHA512
5cc8c80095b2928eeaeaa987fee7769fc344a913f89d4505f38687d87916351dabea19883550ffe4b95b2e2802fee7297a9927c845f78dd5aa963bff06ae7eed

Download Submit