Analysis Overview
Threat Level: Known bad
The file https://gateway.lighthouse.storage/ipfs/QmZLPedGjmuKeA2P5FTazDm5Zw3EF6aDbSjFYAmSMfj4ei/#[email protected] was found to be: Known bad.
Malicious Activity Summary
A potential corporate email address has been identified in the URL: [email protected]
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-06-21 08:45
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-21 08:45
Reported
2023-06-21 08:49
Platform
win10v2004-20230220-en
Max time kernel
199s
Max time network
209s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04d59dc1ca4d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{05271659-1010-11EE-8FFF-4221DB3A75C8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3665281769" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3652467466" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31040540" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31040540" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008548dc1ca4d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394102124" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005856b77ac607144da59cdcff608a7bef00000000020000000000106600000001000020000000ed0fdc03f47023df1d317f9f1e035fc075a0d11580b512666057674d282570b1000000000e80000000020000200000000718f9e6b0ebc8475d719080801a6b8c8d13587a704d59296e93fb8ef1103640200000002f2fb28c5d7dbe33592f87c59744222e0df4fe96ddfb70deb8093194ddd5151f40000000adc1edf9ef3fbdc5be25ceac0666c6d20cbb56ed357213bbea81583a5c22caa17752a7d9b8a7253b50d687df334b1112a3e50d0f101d06753df899c16099f9a0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3652467466" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31040540" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005856b77ac607144da59cdcff608a7bef000000000200000000001066000000010000200000005b70d41afbd405aa6d3c8465778fb9b68046067795cac115754336c79b9fc00a000000000e80000000020000200000003ceefa3d7b8ee7e157cdb42f5f9f9e8838719de9fac236278b9d9cf1d3dee8292000000020b96f5334ed4a751742da1a50d375eb48c5fe22548b511bc7862000a4f4077c40000000268c95beb7bd7e6f9d5a3b3f7dc6de39d200e62349492c3eee3dbcc7f3a148330cd92872a18caa2e4a44fc8cef1142a2a8a30d3c62e94197fe47ee66d9275491 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1044 wrote to memory of 2276 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1044 wrote to memory of 2276 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1044 wrote to memory of 2276 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://gateway.lighthouse.storage/ipfs/QmZLPedGjmuKeA2P5FTazDm5Zw3EF6aDbSjFYAmSMfj4ei/#[email protected]
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1044 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gateway.lighthouse.storage | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 18.65.39.49:443 | gateway.lighthouse.storage | tcp |
| US | 18.65.39.49:443 | gateway.lighthouse.storage | tcp |
| US | 8.8.8.8:53 | ocsp.r2m01.amazontrust.com | udp |
| NL | 54.192.87.164:80 | ocsp.r2m01.amazontrust.com | tcp |
| US | 8.8.8.8:53 | code.jquery.com | udp |
| US | 69.16.175.10:443 | code.jquery.com | tcp |
| US | 69.16.175.10:443 | code.jquery.com | tcp |
| US | 8.8.8.8:53 | 49.39.65.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.61.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.137.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.87.192.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.137.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| NL | 216.58.214.10:443 | ajax.googleapis.com | tcp |
| NL | 216.58.214.10:443 | ajax.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.175.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.14.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t0.gstatic.com | udp |
| NL | 142.250.179.132:443 | t0.gstatic.com | tcp |
| NL | 142.250.179.132:443 | t0.gstatic.com | tcp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 20.189.173.12:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 8.238.20.126:80 | tcp | |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 8.238.20.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\jquery.min[1].js
| MD5 | 2f6b11a7e914718e0290410e85366fe9 |
| SHA1 | 69bb69e25ca7d5ef0935317584e6153f3fd9a88c |
| SHA256 | 05b85d96f41fff14d8f608dad03ab71e2c1017c2da0914d7c59291bad7a54f8e |
| SHA512 | 0d40bccaa59fedecf7243d63b33c42592541d0330fefc78ec81a4c6b9689922d5b211011ca4be23ae22621cce4c658f52a1552c92d7ac3615241eb640f8514db |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\QmZLPedGjmuKeA2P5FTazDm5Zw3EF6aDbSjFYAmSMfj4ei[1].htm
| MD5 | 2b6575744ed06f447b1a029b6131531e |
| SHA1 | 656045da49139c7e4aef4b1c339506aab3c254a1 |
| SHA256 | d44b7c97eb1af5e0389ad1a47f3327e894a21563739b533e56e56f8aa528c815 |
| SHA512 | 8a48aee94dd8a7fca3ac037f63fbe8b240e4c6aab5829375e88d7d0b24c2693c720555f137e8be756ae415b755e2bfe0366a48243977decf4603dc8211090b42 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | e6952a1b546e49bbcbd1f8081d402893 |
| SHA1 | aead1f5eda5d5773d12eda5e05d8f588304ae312 |
| SHA256 | cced3fa3cea61bff032e85dc28523c0ef52c18f8565f71373cabad1f16c9a12c |
| SHA512 | 8d554b1170f5a3096c2585cb6a06991d6cf99f85f40d890b1c905a73d94c479a578500dfcee85ebffa2ec15067e4b2f842c9e8c64ccd2515c3d6cd4abdb3859b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 57cdf6110f9169470652840b9ad5174a |
| SHA1 | 63ff540f9c2f154b5b8ab3ca0912a573732ff8ad |
| SHA256 | e735be26082eaee491597b63ae68b20a2fb1ce4a580369357525a4df60629fa1 |
| SHA512 | 11fdfdaa384e7e7d11a68e3b2ff4986c82ec06be6e7e56fd6e1be01994c8bf3d4578382756b72728b72bb3d0fe9f143faa2521fa5bcca6f6e719fed81f9fe96a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |