hxxps://ccxperience[.]com/caja_arequipa_v4

Resubmissions

10/07/2023, 22:03

230710-1ys1eaeg7y 1

10/07/2023, 22:02

230710-1x6vwaeg7x 1

Analysis

max time kernel
40s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ccxperience.com/caja_arequipa_v4

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30fe6e23b6add901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{85BFB5C7-1F6D-11EE-A61E-72A452026D15} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a07bbe79b265d14db3b0aa02a3882147000000000200000000001066000000010000200000006f9fdb69a9a1dde22a685d09cb52450897c37548e5f8f77abc881c0ec514f731000000000e8000000002000020000000a076157b2c9c9f56b909340341c2bf4848803d136449a278ec53da39d4f6cf3520000000df8cd85ceba517bfb2aadbd03922c7cde987ab940e56feb7a87b8209cadb653f4000000001c537f3463d560bb442c21718474ef67e9ce7b8cd85b160a655fee1273d96014d010b3637e71edbefc144daa6c6d64f2617a197f767ecc87ee32b8fb010383f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a07bbe79b265d14db3b0aa02a388214700000000020000000000106600000001000020000000c872ccd90420d50a8c7dfdb585321a57ad4b6eb4a2bf8e6c6c12ec5b07178c12000000000e800000000200002000000040ceca2056c94f9ae6ba5405ababf021b50e628eefd9766bdba600b35619b0d7200000007869bc75b7cd0e2e5851d1d81d23d06de468dd18935d0bceeb72f26fd9f1a0734000000068f15c7b1db5b9597c7a220e3ab3e1585d601780acf88117b09c2cfe693c4305ccc1cc06bd3152ddf2155428621329c0955a8ea328442a009e79008cc2e6de65	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50355e23b6add901	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5020	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5020	iexplore.exe
5020	iexplore.exe
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE
2496	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 2496	5020	iexplore.exe	86
PID 5020 wrote to memory of 2496	5020	iexplore.exe	86
PID 5020 wrote to memory of 2496	5020	iexplore.exe	86

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ccxperience.com/caja_arequipa_v4
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5020 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\qwzqiba\imagestore.dat

Filesize
2KB

MD5
4544772badbc93bebec5beac3f096b8e

SHA1
7240dcc6f07f973d070345befd7020292e6b6d7c

SHA256
8c638476e77a0771864847ff2b69190ecb46553763025068ac96e39150ab3220

SHA512
9758a9508f1cc3ed817d11c649fbf602a5afb0f55aaa135debd1ad53de521bcbe45079a3e0e4f84d869cd04ff2b29462bb3d87ef7d5ab1952569b929ab419afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GVVED0TI\favicon[1].ico

Filesize
1KB

MD5
0086678d4258375088ce30b7976778a5

SHA1
8d81ed57d69bc86b6d58ab465dc07ff7863707d1

SHA256
850834ddff4889ae0477883f0be18f66ed57359baa4c9b59fdc290b35179b0ea

SHA512
1306be9a5679b1d3d6fbe366b0cbf875148f087ab0218fce68c464c5f704e0de2a74d22a3bd9ab6d7a4dc84e74b0675ba3249eaf7e5897d74bb5566896f31897

Download Submit