hxxp://yourtalentconsultancy[.]ca

General

Target

http://yourtalentconsultancy.ca

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B74A188-1C35-11EE-8224-C2E87CB59E13} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
948	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
948	iexplore.exe
948	iexplore.exe
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1844	948	iexplore.exe	70
PID 948 wrote to memory of 1844	948	iexplore.exe	70
PID 948 wrote to memory of 1844	948	iexplore.exe	70

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://yourtalentconsultancy.ca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
eb5ec2d13321c6dfb4e7256fe4141a3a

SHA1
4820d9ac529af2f062c1536a526be886966a8eb4

SHA256
ce2723a3c8bc2c57ecc4422d85f4e36b3fc3cebb0e597da35423ce1f1e04e440

SHA512
a51fb01734486dc36d8501c4275afafbe10840ef44c775251beaa616576c2c245f6c86e93f1a65a8ec72b4b1cf21dccb943710ab11b07474192a8d0880845948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
0ec6584095989eac64e36717470631b0

SHA1
e715bafc42f5636409508ba60f31b0cf482523ca

SHA256
17e6cca9b79d5276a61af4e3d22b3aa94b78bce21a41b652490db1167ff7ef9f

SHA512
2b873eaf87670bb435de5e8ea092150c83b069645c0b3b5fd0ae782abb03fd8622acd2589d46482f0cc83765c67c9f0151a2200c7344e6e4386b17ac677f0f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R72PNTV7\js[4].js

Filesize
198KB

MD5
89c304d47f4b57f37bac208efa8726a2

SHA1
1d6da61f3e18494383366dbe87ac6886cfc771e4

SHA256
d8de2ae74db035d3e3eb6765098325c27a2364e5452cf4237596178961e635dd

SHA512
7de99436aafaf574cc749e46785f271ccf15311f00bbb399a8ad8600e6724cfe09b2de9583aa3b306ac26ef460bd1fde41c81ba2ce5dde84c18150bb2f7b6f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R72PNTV7\util[1].js

Filesize
160KB

MD5
4d49597c1a349a88f4909fde4ef29015

SHA1
eec7d7ef6c2f5fccc6b4290ae21850e26c4be098

SHA256
4d2935f129d2b765826c2441511d7ee7db7539293eaedca6b08af7bba8c2ffcb

SHA512
997e209a2d3a2290d5cf1028af14c079fd11b6001b59840d53762ee89c642863050e1cfd1604f0416d50ccff6beb2093259cbe6136008c7a53551ca5762c6370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RNB8B7MM\common[1].js

Filesize
274KB

MD5
0dc73cb81c6139025999e132509dd6a3

SHA1
7a5faa81bfb458c69702c6677a7b8704c52f43f2

SHA256
e9ab5362c679d4f49c9efeca28590b0a263c1080be43d949861f2bdfb3db48d8

SHA512
6550326eb6f6317188baa3b18627753fe476cb32c75d9d3a396ff3fa01c62a536e4963b5b070cdc2274694ac2156c5c8e5da3bf2b8124920c8597444b7a432f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RNB8B7MM\cropped-Your-Talent-Consultancy-Favicon-32x32[1].png

Filesize
1KB

MD5
8e26162e11f53418e649a79d2dd542a0

SHA1
88c4b0393270ab063780d059107c207d346f399b

SHA256
556beed0760ad03df79a60f2993202794e0f5740db24f5ecd4d9bb6bc2da826a

SHA512
c9474f5aba213c05af2e0b0a2dbd0a2ecea52264b6cd702ddb0c8b26c5574ca5a112fc599a14784bbb6fd28bd455e7268d135039d2be789c35438177ca5b1a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TKY5VT23\init_embed[1].js

Filesize
228KB

MD5
40d0f25099853b528198aba42b0af8e4

SHA1
175296a3ba4df1aae399f3133258dba37a2af70c

SHA256
f1b393df7cb1730b168edc66023d0ecb52abcd399d06a6300e219652dee9cec0

SHA512
975f24f8152d82dc69273a6798b6cba604c74176f5d6e64029bdb7523edbf776624ce1cc00be723f3ceb7fc2d4177df035eaa58a1ce7c566023f25bc0a0ad009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\27DNMY78.cookie

Filesize
939B

MD5
6cffd6e77a371229835d64aff0ca0ff6

SHA1
1fa9cd5ab9ef624f8b0083d963231470e6f90139

SHA256
ca26307c4d61b1698fffe474ec71a31d86695e4b29fb52edb5a48ddb6c3e8b66

SHA512
612e2706e59d89c7beec6078bc1a1f79e480982cca235adcb99eaf35bd3a597ceb11f152f5c19cff98c94157978e1bbe21c3b186a97acd13b8e606dda4fda741

Download Submit

Analysis

Sharing