d0d36947c6eb2116ad8bef6dd26ecc1f67e6aabcba560ba68291136362decee2

Analysis

max time kernel
16s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nkrk.html
Size

124B
MD5

369859a199530f1ee0141bffec632138
SHA1

1550def794294b96adf8f8926f7b13c752f87c47
SHA256

d0d36947c6eb2116ad8bef6dd26ecc1f67e6aabcba560ba68291136362decee2
SHA512

dbc13082ab3ac98070bfd6c6afd00cac56e53b3c7b6dfbc851477b53d71817c440f9fcb670b7ead238a548864506524cd7ef828df0ccb8c27aac78658b462dbc

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d00000000020000000000106600000001000020000000a83286d9ec2b24c3363d917b64e68569c0f2222b6d4f193b775f3dcd4acf8bea000000000e8000000002000020000000504e45eb088dbef4360640fb1f64a04be419a646cbb5bd6e51df7a62d62017d420000000ac560b6feb120328eedbc9e85893fcb2dc3f28409d8dd1ad01f4217ee33aec654000000096bfd3b832af1ff80504ad8c7b9d4342f825a4cc0d32b97a26bd53bb145088eba35f68336656204a2ea91fd19a6778ed11ef300fc6373b954ea7f902d8517607	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d00000000020000000000106600000001000020000000366606e9a7f3f4759f5cfb592b35571e91c7a3641fe30256e687e9d7c6e19a55000000000e8000000002000020000000e2eccb8248a0aeaad6606ab6dfab67d055a779ab68817adbe17ea4882973b4fa200000000a2d27f77cccdcd647d9b519ebdeb7af0ddbb7d336a373d45b8d07985c5781be400000004e76111d98fbf2b9093c4eccf88723f108260862c63d58ee49ff53dc29d7de89d5bae06133ce3c81a2eb9d6efa4c2d6d03208c8ae6a989ba17acbba7045a5a6f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b63ac817afd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d0000000002000000000010660000000100002000000057a8fede5af16dc390fbea7afff6f168379ce977428b0ceb5f9c47ad357795a8000000000e80000000020000200000007cfc1f80e553eb29293b06f62a232c272656ace6664876e2c5ebb8b1df1f653d20000000559151d0fa1320880c1296a4e8b2e1824660dcbb0424fb9722dab5a4db448ce340000000b9a52d84ce7b39539a916ce5c3d128a7df903849cc3d9e77f5078c350e5780650bb5dae464b865bc2350003d76ad2a29c53f2869c6db48801a15d5abf38f4f0f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40697ac617afd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0154A430-1B0B-11EE-A95E-CADCCB0AB347} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d00000000020000000000106600000001000020000000beb7a2b9c748313b4ccc0f83271953df70d0c8e1d95d29b1ace4a53d9bc77ba0000000000e8000000002000020000000e8868c3e7dd569c9a8f271f193fb2e6bd02c1004f2c598769dd312944dd0585c20000000fbee50b6498ebcfb796d2205c870658dcf4301ea5866ee36efa2f0b744e8f88a40000000aed0f8cc60cd78cd6275ae24199b34a4a06dbf6109da8fa4154ac46c1a8b60a1ef21b5774c16c7fc3f2dffbb5bf9a144fe77523a7133fb040570ab2b0604070f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d00000000020000000000106600000001000020000000cb94d4528905375e7f6f28072672f5aac143f815cfa8e7343dc0a67bd4f8333a000000000e8000000002000020000000028cf4fcfae29e44458c7ca552a593661954e42916f160c14cb189c2d8694c6620000000cb87e084f709ef7e582056968e2b50d75112a68870aae863eeb975643549365b4000000074d2f9151170d9246acafdf3b67b0416b39a0c01adfd8fb95f3b7be1ddd1a46b0a954cf4c7a2e20f2fd73762d7afe54b1a8a18aae87bfa0fd7da7a1c7869f209	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0bfcec517afd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f807c617afd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d000000000200000000001066000000010000200000007a144c899089d851668222fb414506cef5d86f7726d28c49edf5b6d53e760d8b000000000e8000000002000020000000a435a94adcf8e327acfa26801ba1b08f90af83fbfd1fc1bb6338de066a2f76f52000000027e5c90f53bf0e109bdacbca8418e88d0f084259bd1445594757c125e542770040000000bfad4b6f4767289c647d3ee413c072c34a40b7fbbcc3f20d81cb6c89bfe272e1f5acedbf6450ec848c2268d8e4b60210e2fd610b843350a7eec30104fde4ef28	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d00000000020000000000106600000001000020000000e9a08f8a59d4b50778ae58d82b2d6560ecb5f12b45ab1d3809c12a89fe4db097000000000e8000000002000020000000921411bd421e7dde55edb891e64b49c624d283ef19fa07b9896d52bdd1e342cd2000000049e0e2ab3e1dbe003218fce4eaaac2c8b7b6fa745eec0ce78ee4250a34d2743440000000908f6752408d617860917c0ea3997ad251c72733d2b9e0713ea0f56554a7a9841109c5556bd054e9c561c78a74b84213ef09043a2028dc6c214df40397f4a93f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607dd7c617afd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f931c717afd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07666c717afd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1200	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1200	iexplore.exe
1200	iexplore.exe
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE
4796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 4796	1200	iexplore.exe	80
PID 1200 wrote to memory of 4796	1200	iexplore.exe	80
PID 1200 wrote to memory of 4796	1200	iexplore.exe	80

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\nkrk.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5amy22j\imagestore.dat

Filesize
1KB

MD5
64d3ef56ecff9ae5125d7179c7202f35

SHA1
03ad01302e51593a0e2933191b4bfdd6d268ab5f

SHA256
1e99473dda0f22f01afb0d30b86cc34f1203cc55a8dcc849b25d4335244e750c

SHA512
53774399f64e3ade3725dfbc3a97de9b839e2495b2b610e9bb3a1293ce70361eee66d9c418dcf0f0b8a855c3c8b7a762a4b41cbbb544014a38bad4b4b241d3df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQKW7621\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PQKW7621\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit