hxxps://mftx-zgfm[.]maillist-manage[.]com/ua/optout?od=3z46adbf6de10ff800fce93bc828869344681a7cf2e85ce13258f068af8eaa33b3&rd=1f9adfaf12822eab&sd=1f9adfaf127e0e69&n=11699e4c305b9e8

Analysis

max time kernel
102s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2023, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mftx-zgfm.maillist-manage.com/ua/optout?od=3z46adbf6de10ff800fce93bc828869344681a7cf2e85ce13258f068af8eaa33b3&rd=1f9adfaf12822eab&sd=1f9adfaf127e0e69&n=11699e4c305b9e8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000050cb4075e99a394c9bfbfafaa3c3dd9c000000000200000000001066000000010000200000005b409dc1b81f69d61f3a07f2bc09c984eaa8fd82667bc6ccda92ae5dc3aab71e000000000e80000000020000200000001c55afaafdcb93791fd47ad2e10c69020943f589f27e510e8707a8956ce73479200000006059046db67fdab9da60cf2298c426a9361ea02b840b5d40a7a403f405f882a140000000c959a0cf75e31483a41ce4e9377ed8e065f2d6f795dd95482b92bc61c5e776803fad33b937b175c6d3b34a4253aaa09bac0f32ea179613671eb7b392444a0bef	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000050cb4075e99a394c9bfbfafaa3c3dd9c000000000200000000001066000000010000200000002b47bcc0bf05db037f9c9461b3b09d31fd174b1797acf6b9c19462443ab78511000000000e800000000200002000000010c589bfb85dc2f824a8c3e1a579e3b475a8a25c3c58b293ff3df6fa0edd217520000000c38f3d3f907d1a251e3f15eacddda0be2dc960f959f224b130bd6841105a7ab6400000001c8933fbb069f4bbfcbc1c8521d264d5fd7bd7e2918cd4353a57867b7e452b3cee673ebcb98b5344eb2a2d8103fc876ebcc96b400f5d4d9f9e13ca3381693fa1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394783632"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40f5699f4faad901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C78C1D70-1642-11EE-BEC7-7295A88F71B6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042127"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2628744661"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042127"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2619214481"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2619214481"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31042127"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204d789f4faad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4380	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4380	iexplore.exe
4380	iexplore.exe
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 772	4380	iexplore.exe	82
PID 4380 wrote to memory of 772	4380	iexplore.exe	82
PID 4380 wrote to memory of 772	4380	iexplore.exe	82

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mftx-zgfm.maillist-manage.com/ua/optout?od=3z46adbf6de10ff800fce93bc828869344681a7cf2e85ce13258f068af8eaa33b3&rd=1f9adfaf12822eab&sd=1f9adfaf127e0e69&n=11699e4c305b9e8
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4380 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0ZI760GS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0ZI760GS\ui_min[1].css

Filesize
603KB

MD5
f2a292794f789380915de6f09f6097a8

SHA1
ad6ac899f99584b72070e67c3cd6441646a47cb0

SHA256
65cf181e5bd116a7d80cc9d7021ba8f1a7d9f3c3679f6d791aeaac0a4e862cad

SHA512
7463023c70bb8c0e5bab5ab650cdd963eb757c57b19ae51e8a2ed6fd9f8dd3184ce2845486dd61659800af58ab452a5fe9ffe7a1f3317aa0306b0ba484947a58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JOEKHOXO\font[1].woff

Filesize
36KB

MD5
cbdddd82da22c6cbdd41ea4342266abf

SHA1
080a92c0fe8ff513ee966a446be89128fa31e79a

SHA256
251d58cc997156886bac2cefc52d1330129544d5f1d6c2a4722242fe3eaa7e9d

SHA512
766f4ca8afa36046cf26c2198bb36f6a4799d60d464e7ca4a09d9b9d7574960e685adc8aa47f401779697602364df8c8dd073736b5dd7791104f50a7ec207721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JOEKHOXO\font[2].woff

Filesize
34KB

MD5
50630c4304c7992118882cf7ff47b555

SHA1
47cccd24fb1f0059a1f9fe59baabc235ea2828a5

SHA256
0b0807cf790e08674439963e80f97b9568482f8187d1cd9a81e5f128efca0d75

SHA512
f7041ebd3b6d35049d95f1d574146bbc92c2658aabb66568da3df8b7e3d5904b746e0a591a57201d09f214e2472685abc2608730f3c4dbc163d560a346744c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JOEKHOXO\font[3].woff

Filesize
36KB

MD5
cf67e25500295a4b7bbc85dbf9868169

SHA1
191125a56e19c115e327774e8d169b225b83b4d1

SHA256
aabbf311dc3130bed6450bb308e0525f781f55c91d7a3e010807fae020456b56

SHA512
9bbb40ab4a66838451589f6f0afd0bce4094d4a9d2ba8640944fcbf0017c6ecb8c873232a1aa037fd010739a39e69ca8170f9b5a9ce3ee35d26fbdc8127a0876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OJJT0N7A\subscribe_min.1b05ca59c927a4b7bfee5076f59352d0[1].js

Filesize
18KB

MD5
1b05ca59c927a4b7bfee5076f59352d0

SHA1
2e95fefe341038be0691398596b088411884918b

SHA256
3a96ad1f6c8ba919216d26f471326e02d38d6ed3ee0397fd45fe151228708b11

SHA512
d338485aca45e370fb422cde67cbbad1f3d74fc872147b29210cd0f14d2507fc3e91080c5993e92a991d616b492b1c3ac7be82fd0f1ab82cef252aece33f9521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OJJT0N7A\zc_min_all.a94310f4caec907a9a319145d37ad10e[1].css

Filesize
658KB

MD5
a94310f4caec907a9a319145d37ad10e

SHA1
a38ae0aca657c1c4a1593c38b2234ef4acfd21d9

SHA256
0bf8ae13018b706f731b02dedc11ff3bd1d89f1689bd09029988be87949ee6d6

SHA512
ba9a2e7d5e658160321b86d76322796f77e6cd10cf9f818bbec020578edcd836ea245e7cf6712e1903fe8a41070ef2d464515f76e7b86e5aa09119bbf56b6e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\jquery_min.bf6a1efb0b61235faa871a3c4939a0f2[1].js

Filesize
688KB

MD5
bf6a1efb0b61235faa871a3c4939a0f2

SHA1
c17e4650cee9271f4bf13cfa93fedca903664005

SHA256
835278c0057d4158e37f557032ffaf9a09de6b8e9c88b8efb107f645aea57b38

SHA512
dbe2d3c5fc76936fe16c0811a7f6ef0e79d1f53b585572aab628d3f51e6a89da22e3f50c38ca8152918093d4cab41da581ce5babb21305215bb34678c337be9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\resource_min.73cb34f4dba67f903bf78bb50eaf2958[1].js

Filesize
1KB

MD5
73cb34f4dba67f903bf78bb50eaf2958

SHA1
bab0e010b5d17c5fd08b0c5cbd6e91326931438d

SHA256
57d0317d35f0098dfd91a3dac34a80a594011ac8bf00b43d6bcbc1e8c9c7baa2

SHA512
646a6888967d60928256b1b64fcd12cb58da53c4bcaba33dfe0f4835def485fa485cdb746cf1a549727f51f4c99ad364d9c21653230be932cd4a12a957128a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\security.min[2].js

Filesize
41KB

MD5
768175984d60685de86801864ce4ab90

SHA1
f1a7a72b6ac03fbf793c7858e3830e40b6a430b3

SHA256
532854b90306c5ba997632b48007a283400e1816ee81fe4a230f8deaf24b3232

SHA512
6c9d34163951a4118ae23c6da13fd7cedeec69044fec0a79e7df2597685a2a471db9eaed2d453cc3ac97dad418a99219f3d8143828283ff9db5ef35d3ce4e9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\unsubscribe_min.0d5bd274abe4e650a1f4b730f1e2c443[1].js

Filesize
7KB

MD5
0d5bd274abe4e650a1f4b730f1e2c443

SHA1
89bc4ae442b71b72eec109a77feb1d46e1c9f44b

SHA256
3bf3f65924ec82f785838f44d0c06b236c63af19d49cfa6aa8ee856fae45c300

SHA512
c0f69f653fcb5e4c443bec66a1dab462d7bce2950f04a6f13696e75eaae4a688b7358d57f4725af8c3ddeaaa5d52a6210afbf74f18a094a18ad73b10c4c013c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XW4YEBB9\zc_min_all.9b2a24a4fa943965389151cb4f9829e3[1].js

Filesize
8.5MB

MD5
9b2a24a4fa943965389151cb4f9829e3

SHA1
c60f8b551484fab38446fbd86c60a5ffed9c831a

SHA256
98e09ab99c3b92468eaf037efc2eb59ffc91e57d24a7b018da7bfa68cb7e46a3

SHA512
d2a412ac749a62ae70fd12bc33668973703967106db4a8bbf8c9848166975ddff70607e3a3ee9ede4ee81341690a9b0518a857f448e81f8656f32900b4609d9a

Download Submit