5739c4824721ebbc10e69191a0a18cd3bb76fc14e1310957ba6400461c41c7fb

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kqrkc8.html
Size

6KB
MD5

6b38b9bc24ee3413a27b9ee2ecb45be7
SHA1

d2ebd8ca5489ac152149f398e895721de468960e
SHA256

5739c4824721ebbc10e69191a0a18cd3bb76fc14e1310957ba6400461c41c7fb
SHA512

5029ecea3fe0f2628ade07a914a16e329f5522072fae1831b1581f9b909913994d8a103591867fa7a6b1421a029812f3482e2d5e1f830f2a4d87832c0036dd67
SSDEEP

96:gupjojX3SWZ4ZVbLmbpxbML0Zk79wZFDkKZIe7/M3X3D1I:tUkZVbLmvML0Zk2ZFDDA3X35I

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "32"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebadd934471470438e7d54f4b866f62c00000000020000000000106600000001000020000000dc596ac7b19d7b69a74ec1250a3207f8d262d67ccd76c2a953b934d0ba0f4864000000000e8000000002000020000000f63bd0f1a8efcad930a0696ed9918dabfd12c2e385fb7e82859c5b44da113f04200000005158ba394ff8f9e4e6fda8c8111d1e42a96ce97f9b86efdc61fcb02acf6bd87640000000aa4dcce7c7294b91d9a22d595f3d5ac10e960da906877d3f839e90c533490fa2b3e5f9546d2744f6d80eb9b1e6ca66688cd123716ea439f0b5d2ff522c4cd71b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.msn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601a5955bcadd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "156"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 605d3955bcadd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebadd934471470438e7d54f4b866f62c0000000002000000000010660000000100002000000090a1f2bc818e0fad1d46f6fba21144b83af8be787e18a92ca5f9f662bedd9c00000000000e80000000020000200000006fcb09c576629562ff25dc2666e8b6d098045a60cca4255a652dbcb70ff1fb2720000000619da7f076694b09c9ed5f8aabccd120ff8fd04572139c689f5ba56c9537f3d840000000e42a9acb336dc6c7198ff80f20fdc97018a7ec2b9b2dc991d548347cee5d2c7aef23b02e84a23916679d449963062ca69184af0bbc57d966416065b4d77f64ae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\International	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9D9B8033-2018-11EE-AF62-FA18DFD6C72F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "54"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "54"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "156"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ebadd934471470438e7d54f4b866f62c00000000020000000000106600000001000020000000add0f3598559a96647be31f0574b93934f8797c52d307747a03e0694a3792438000000000e8000000002000020000000d344be6439b52824323f66b25f003cd0e0c44e6d0edaae59b4380bd8347baf902000000025a65490f74dd3f59d48006ac61c5aba60077a03942fd7d77b98a0629f98d72c40000000ddcab205362631af28fc225232000d02168307c66eb3dadcf109b6ccae25c9ac1bb963e5b3a00444026625cb28f8208606dc212dc68d4f39034e6f9bb35af765	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "156"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 201fd055bcadd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpCache = e9fd0000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\International\CNum_CpCache = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "54"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1498570331-2313266200-788959944-1000\{7DCF76E1-7CAB-4970-929A-8F3678FE5CE7}	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3152	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3152	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3152	iexplore.exe
3152	iexplore.exe
5112	IEXPLORE.EXE
5112	IEXPLORE.EXE
5112	IEXPLORE.EXE
5112	IEXPLORE.EXE
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE
5112	IEXPLORE.EXE
5112	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 5112	3152	iexplore.exe	86
PID 3152 wrote to memory of 5112	3152	iexplore.exe	86
PID 3152 wrote to memory of 5112	3152	iexplore.exe	86
PID 3152 wrote to memory of 2484	3152	iexplore.exe	100
PID 3152 wrote to memory of 2484	3152	iexplore.exe	100
PID 3152 wrote to memory of 2484	3152	iexplore.exe	100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\kqrkc8.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3152 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5112
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3152 CREDAT:17414 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\UNH1515R\www.msn[1].xml

Filesize
126B

MD5
25986e8099cf4fc7ec649c407f5f74d7

SHA1
daacefe95291d5375635456673c3e918c7576661

SHA256
6548ae1966e05a664e89b2161bf2b4ff6366e736f4f62104298bb5c3c6367528

SHA512
12fb23d4efc86516bb8db10d6601038e6e5302d6f383f90cd47ba3cd9087017ccd47f7fc8385a7d050d3bf301e77e7c15af75f9296cb445fbaee19ee39aab975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ffzgd5p\imagestore.dat

Filesize
866B

MD5
2dc46dca5e6742d626b59f5828e3a77b

SHA1
a9a1d9012ec087d18c3b91b1046722ce50ec886b

SHA256
18d8b4885361e0a708a542f22968b6601c679f08b986bef1186afd2e50dc25fe

SHA512
d1fb5d118f96ec1b52b617e3baa7d64a3c2f9fa6c23123ef3b96b76fbfc8ed000dd6b9a2c943b5827d37e9bbb1531b6c8036b39a049bfd7bb86bbcb85e4be0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7QVM26BR\favicon[1].ico

Filesize
758B

MD5
84cc977d0eb148166481b01d8418e375

SHA1
00e2461bcd67d7ba511db230415000aefbd30d2d

SHA256
bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

SHA512
f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE6DF900E41DF3A9B.TMP

Filesize
16KB

MD5
69068631635c6566c891c12ac3984dbe

SHA1
f2b6abd13be4977ac56ccc64d543a4cd1c08254a

SHA256
79f57084e86e7ef7167ceca440fe37e143ca41607fc4936edeb8a48ba9b01834

SHA512
121f5b02b38264161eba2bf08f2fc257551e3480bb6998ea39cb935d74ccb91f2d514cbbc0ba4ab569ab71c0bbbbbf519ee527df9ed7c73aece4d9c384e1dd90

Download Submit