hxxps://bit[.]ly/3W6TjO9

Analysis

max time kernel
68s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2023, 16:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/3W6TjO9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\informatixoficial.blogspot.com\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a07bbe79b265d14db3b0aa02a3882147000000000200000000001066000000010000200000005a1fdc44217d9c6017cac58f69a0bc913375c516312c7e7606cc1484ee9e3fcc000000000e8000000002000020000000f50a2abfbe2cb9991caf7e7be6ba59a101a55647106934b6ce9d1b047a8d548220000000878c5cc56cc812c9db71428af447c1e7a7be8c9e4c663a3fdfd67ec49d8fce0a40000000425158734bef26e73efa3a35fc02afef3904da3855e425d4feb7e3796030511a95fc67152fe102d9fb2733f4a62ec578341a555499f86cc64845702112f10ca2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9A2627E7-19C2-11EE-A61E-E2F5CE34D8FF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\informatixoficial.blogspot.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\informatixoficial.blogspot.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\informatixoficial.blogspot.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\DOMStorage\informatixoficial.blogspot.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\informatixoficial.blogspot.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a07bbe79b265d14db3b0aa02a3882147000000000200000000001066000000010000200000004dab4acefe5cfdffa97c35b1765f8abbd97053f9128fd7cf76ee9f715eba6de1000000000e80000000020000200000007ab93a2296c977302a90139fcd9b1890a41c06695fb5d85d9222932f091cfb81200000007cc197e51231eee6f4828db638351058653eec73dc5a8e52dff1ce01945c63bb40000000b1502cdfbc6991a427118a64dd37b87d5355dd74e6b49800bea323038df431530de8913757ea4cff98a97d9181e865810112ff878aa648c9b50a658fbcf66982	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395168385"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\informatixoficial.blogspot.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10da6872cfadd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0a78072cfadd901	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4468	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4468	iexplore.exe
4468	iexplore.exe
3848	IEXPLORE.EXE
3848	IEXPLORE.EXE
3848	IEXPLORE.EXE
3848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3848	4468	iexplore.exe	80
PID 4468 wrote to memory of 3848	4468	iexplore.exe	80
PID 4468 wrote to memory of 3848	4468	iexplore.exe	80

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3W6TjO9
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\MQO2GUMK\www.google[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\qwzqiba\imagestore.dat

Filesize
1KB

MD5
f05442423ca41e1dbe1486cab3f5652d

SHA1
17633a698e1b0bd2d43328087a73b94ab9d836e0

SHA256
6b59beb0a72590c4498873c7c586b87136b7c37a025babb6b8e7662c6585ff2b

SHA512
d92795dc8389e7906e946577aa5bbd850724eee827025791a2a0ac4219ce4cf96d84baca68e4cadd6d20144daf54c3c7c694d291ce8e37e4e7edc691ed289a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GVVED0TI\invoke[1].js

Filesize
26KB

MD5
affcc0a343126f51c3e69b52026ff24d

SHA1
1bfd99b1ec971afc51198dcb2ba3ee5bb85a1735

SHA256
0c16e29843132de98a01e2bc1d9433b53e4ea7ef50012387708301384d5a269a

SHA512
ade993b695ae14573c830fc12e4af7951e5580885bca78264ef1d2322b3e9396c54c9dc79cfc04daeea3fb143ecf416cdb1c69055fae6a060b46aa3864f4d3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HV5TY8S3\favicon[2].ico

Filesize
1KB

MD5
1a91654529f763fd6db649687b951a49

SHA1
2ae674884a7ddc704105744c68c81f5f22b39507

SHA256
fd6a5bdc406e3d6134f27b6dda1a95b739b58c8665111dc58f47c0db29a98f15

SHA512
403ce193ebd644b681d340cfe7f80ec4075c84883340de81fe1531e2c9bbc8c2c6eb6de5cc75fc183f9c0a5140e765a613b73df755a9726e507f1058f814c8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NKPTYI9X\cb=gapi[1].js

Filesize
135KB

MD5
9b08382669a20458489d8f66b9439d73

SHA1
ad5655cffaa1deafcea92745b8ad2dbf72f0f53d

SHA256
ef5b19b22516f38fd8c2e17c89b83d6cb52c96ceafb7feb39ce58dba32bff92e

SHA512
eb43b093c4b49ab128da3565ba636142f7d3c19835cd63f8bf9281e632af28d3ddac223f2b9282881f26aaa55f453375593c3d44eb98b957c3fa5e27164dca58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NKPTYI9X\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit