bab8ace82283d7b82f4f4f96c80d7d70fcb42b127f2e3144ed0820837d42a6ec

General

Target

nDhKzy1ieWlp19RtCMcxDioUexS1nJWqABCSe49Etr8ù.html
Size

38KB
MD5

304d7ff72db2821623801f7426270f57
SHA1

38ca6594338ae46831dcce38b61bef8a758afd4d
SHA256

bab8ace82283d7b82f4f4f96c80d7d70fcb42b127f2e3144ed0820837d42a6ec
SHA512

c0ea1d989a8a16b5a992a4ecebb579b0531500b26a1b996f0e6881fc3e20f677ab439aa2f934f6da2494b92f8b2fc35a0256e986d29acf8462383be7efaff5e5
SSDEEP

768:sXU7f/MWx/OAjx/OAE+VCPaSoorqx/OAbLVO8OhtSl:sXU7fES/DF/DE+VhoS/DbLVO8OHSl

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{758A4E67-5A6B-11EE-B403-7A33101E2FD1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ded24a78eed901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0cbbf4a78eed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b7d609770cd1254b818f4f87ebce2ea600000000020000000000106600000001000020000000141a7a444a637ab35b3f58292ab6d85d2807bd29de1659537563dbbab09ebf27000000000e8000000002000020000000e0f1cf87f6c5f5f413393914649f30896626407fced2ec654b824bad91669a6d20000000a179119473d618552dc9136fb439cbfbc6160b4277aa611cb927f806de176cb940000000cbdae3b4ce6c3d8e0f90d04f241521d2607682e21ceabcdbdd130c636f5b11947b3740101d7202bcccedb7ffa12aba4aa67ce1b4d9b615348da2aae02af020f6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b7d609770cd1254b818f4f87ebce2ea600000000020000000000106600000001000020000000e46b2eb81335c7cfde376c109b941304d43740639b20415680beddff3becd9fc000000000e80000000020000200000005949921e7451c2bf5197b32bc6210ca2cbb319e7f8045c4c5776ff1847ca9c1e2000000031c0fc6172e86a305fa05e7b87737a584ee71a7ceafb603aabf54e2b4198fce54000000056ec8b38a9099554fcc258b2923c11afc8cb02fdb1b3e40a5138cb130f67d17d4af06062ebe3bdf310ad4584fb6020af4f08a6275b0c1377c41efe4e58211870	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
68	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
68	iexplore.exe
68	iexplore.exe
3704	IEXPLORE.EXE
3704	IEXPLORE.EXE
3704	IEXPLORE.EXE
3704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 68 wrote to memory of 3704	68	iexplore.exe	69
PID 68 wrote to memory of 3704	68	iexplore.exe	69
PID 68 wrote to memory of 3704	68	iexplore.exe	69

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\nDhKzy1ieWlp19RtCMcxDioUexS1nJWqABCSe49Etr8ù.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:68
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:68 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
342B

MD5
4de277c5311b624c2699d22864de8d75

SHA1
a51e0125f4ef7ec2a1699924e17525bee468e0e1

SHA256
3ef00b4601c100cbb1e05b9f1dba0a7e7f3133aa6e2c6fd1b8872bbeac98c6d8

SHA512
ec66c42b7a82030dd217eac8c4339ce40cb3cd32a60b8dbde039ec015719acbb7a350205f5e13e403b34ee92a2773ddcd01a6d39bc0cdb3d213b79da8749c2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD641FDE2CF5258A4.TMP

Filesize
16KB

MD5
0d8a2711a2d289a31767c6c48cdd157c

SHA1
336b0063d1279f7e648f1a2d39dd30dca0efeb74

SHA256
4603276170b9c4f22b374f249f7726e326bdb95a803bc90db49874e97034ad7b

SHA512
8fb20dd5c125583dbdc5feeed43ab72d6dac01a3c1a61b211d751a7060454a7cbab3e0df685f7567b8e6fc9bee404a6187cf2ecaca11c95482c0f69dbf574b94

Download Submit

Analysis

Sharing