ed66c578ee44a501f2fa50c5287309084023709f0aeef048a25fb8e8da4d539f

General

Target

19f7fc49fc8d6b486e657b70824d626d.html
Size

278KB
MD5

19f7fc49fc8d6b486e657b70824d626d
SHA1

ce7afb06ad1b5ec5191b21062c710100e8f48c30
SHA256

ed66c578ee44a501f2fa50c5287309084023709f0aeef048a25fb8e8da4d539f
SHA512

5860e4c97cb8f92e8ab657e1b814f4f12d48a1850fbc76e73684be125d98a640ccafed59ab1c297c048f564304c99c061e620107dea73b9a519d0f327d9a9117
SSDEEP

3072:SUXF7izOhkTPiPd0XiIfzfjflBHGnFi6wZPRx5xsUjTEAIl0+yi/UwfoUtgbk7D7:SUXgnfiMwfotcawm5b881g

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{897F7B1A-A836-11EE-BD28-527BFEDB591A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2660	iexplore.exe
2660	iexplore.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 448	2660	iexplore.exe	15
PID 2660 wrote to memory of 448	2660	iexplore.exe	15
PID 2660 wrote to memory of 448	2660	iexplore.exe	15

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\19f7fc49fc8d6b486e657b70824d626d.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:17410 /prefetch:2
  2⤵
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\8MESK9AK\www.youtube[1].xml

Filesize
229B

MD5
e14260193a22ed6a3cad8aba837330b7

SHA1
3960636b1000cf6775487257d8d4307fdcff6315

SHA256
795cd73c7ce69dc91d7f6ef4b0bb286bd3a69a7217c52d2d3d458007eb50b2f6

SHA512
c5786d73d5347e835474a98b135fd06b1a30b1100620e5ffda613f515e18193ac3abe296b2d8f46207f9f9acdbacf76c736d3b913c7e10ae9117a78b577d0c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\8MESK9AK\www.youtube[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Filesize
3KB

MD5
b311129f2cab488b5690dac110751c5b

SHA1
c7bf49d2b0950611b2a2770b2759ac192617e0fd

SHA256
dd1e95b900eaa51f07c607a99803006e979c5c1cc3bf3daf33907434072c5629

SHA512
61cc86862ac3465f1793d51bb933b6cffaf2a4a4b8ed8f7f33db3ce27fc317f72d7c778d08172c67497f0416468420bb97458f719014c592043ab57d24c8cf52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1RIAF1U2\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SB302YPZ\financing[4].htm

Filesize
7KB

MD5
2519b878e49deacadf2585415fa1286c

SHA1
b8567acb6e104fd1d566b8e41077528ef0f2d34a

SHA256
da149c8b615a2ddbed8483d59b559f03b1f6af9773b4d2edea11aa77bb848724

SHA512
2b1903093c2c809d772de26f1436c7142097b3ddb1f14b5af0ad4dbaf62f5956b3f627a4be0e27a62719af722d9604dae8fa66070f9a3ae088dc47229930e73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\__utm[2].gif

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W8BIYKF7\dc[1].js

Filesize
34KB

MD5
4e48ceb23e9ead7048b5650b75349127

SHA1
5b08f868a179c997df03e57b236923aaa99413f9

SHA256
9eea9509af3575cdd52cb269567859de368762b1d0cb7345706442218dab8f8f

SHA512
1e88bc3e8c95a4c8808ba27e9250ed0c80e30a95b827a2ca4b5c98a81717e3fda75b9278362d532b891205bf378bdb5e90215a1eba733faf8fb52c9842ca0370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W8BIYKF7\mig-gmaw[1].jpg

Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit

Analysis

Sharing