ae500da7e53630af0c5bd0f9c4c7d560698f50c472fea9d98fc9ff37816c8043

Analysis

max time kernel
137s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 02:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45115477e6e070b814b96023a3d4c551.html
Size

7KB
MD5

45115477e6e070b814b96023a3d4c551
SHA1

91ee8d4279b5afd0c3198c61d841ed6a9e87145f
SHA256

ae500da7e53630af0c5bd0f9c4c7d560698f50c472fea9d98fc9ff37816c8043
SHA512

921672ad3df34d4fcfffdecb956076f8e16d8019c68e7ffc33cff0e7e7d9e6e864d89e4e1ce608b9822385216af9598d5fac113db9be90f23284d8821f0c960f
SSDEEP

192:K6m4D5j9PaxlpEKb41a/gi9ECIh3fuOQ9d6hRJceEOuoGNNLEDjsqe1F:K6m4D5j9PaxlpEKb41a/gi9ECIh3fuNb

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d60000000002000000000010660000000100002000000052e1f1e756af32334074bebbc029a9105986e4e532df5d652c0637590afee4b7000000000e80000000020000200000002098422c5093683e7c50f4a71605680a71cfe1ad924611dbf4bab1a25754a6bb200000008907b76987ee7456346ba325f2ce25169de8b6836038dde4546360892ecd27b040000000af49934b8946d34f880052dc4b555bb12aa47cdbaaa0ed7ef047c220cf8b019c6f545b5b8c026d6af6de32a7da59c777e6b522a7f3c705a84e724bddf97e94af	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a03610534a40da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d6000000000200000000001066000000010000200000006d31f279c25b7022dbef07928e6238418a00c4616028c86088e3288d70e3b854000000000e80000000020000200000004ad397fb7c66f2c840af41770779b7f24b15a0525742b3fab50657a867edaf2190000000c8cf1b47b5b79e7dc9137affb02399c5b2faaeac7bacde4b01e16691855f245a028c38591ea4af8e09d890b975c007db90b9ca030fd02598be37a12c7306ed701962195918a675b4b2420db764c633ff3f975bf4ac9e8a3af05b9e6b826bead4d06b6fecec30d33433ceca0112797dfb167c63d7ad7c9bc81c7a4d8de3ed04c3964e9e840183cd804bb6d91a003e5c4a40000000282b6f8229ba5a0768d479fc8aa8cf8d8ab138aa8788eb72ea0edca968702dc046e46111ad6bf4e3cc1f44ab85ce69c10190fd600b94afeee826e28aac5f8f18	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7BB0FFE1-AC3D-11EE-A3D4-6E556AB52A45} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410670927"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2236	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2236	iexplore.exe
2236	iexplore.exe
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1308	2236	iexplore.exe	14
PID 2236 wrote to memory of 1308	2236	iexplore.exe	14
PID 2236 wrote to memory of 1308	2236	iexplore.exe	14
PID 2236 wrote to memory of 1308	2236	iexplore.exe	14

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\45115477e6e070b814b96023a3d4c551.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236

Network

DNS

www.paypal.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

www.paypal.com

IN A

Response

www.paypal.com

IN CNAME

www.glb.paypal.com

www.glb.paypal.com

IN CNAME

paypal-dynamic.map.fastly.net

paypal-dynamic.map.fastly.net

IN A

151.101.1.21

paypal-dynamic.map.fastly.net

IN A

151.101.65.21

paypal-dynamic.map.fastly.net

IN A

151.101.129.21

paypal-dynamic.map.fastly.net

IN A

151.101.193.21
GET

https://www.paypal.com/en_US/i/logo/paypal_logo.gif

IEXPLORE.EXE

Remote address:

151.101.1.21:443

Request

GET /en_US/i/logo/paypal_logo.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.paypal.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Connection: keep-alive
Content-Length: 0
Accept-Ch: Sec-CH-UA-Full
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Location: https://www.paypalobjects.com/en_US/i/logo/paypal_logo.gif
Origin-Trial: AlIogV3KFtnbfVCyl9Z2NprE7FD8PYCt+TQiYdE3ppeJjJ0xJKcthYwOxXpRCNopxVWdOIENMcNSvQCGAmj0fw0AAAB2eyJvcmlnaW4iOiJodHRwczovL3BheXBhbC5jb206NDQzIiwiZmVhdHVyZSI6IlNlbmRGdWxsVXNlckFnZW50QWZ0ZXJSZWR1Y3Rpb24iLCJleHBpcnkiOjE2ODQ4ODYzOTksImlzU3ViZG9tYWluIjp0cnVlfQ==
Paypal-Debug-Id: f9794933f85da
Set-Cookie: ts=vreXpYrS%3D1799203461%26vteXpYrS%3D1704510861%26vr%3Ddca83b6b18c0aa300425f28afb362d2f%26vt%3Ddca83b6b18c0aa300425f28afb362d2e%26vtyp%3Dnew; Path=/; Domain=paypal.com; Expires=Tue, 05 Jan 2027 02:44:21 GMT; HttpOnly; Secure
Set-Cookie: ts_c=vr%3Ddca83b6b18c0aa300425f28afb362d2f%26vt%3Ddca83b6b18c0aa300425f28afb362d2e; Path=/; Domain=paypal.com; Expires=Tue, 05 Jan 2027 02:44:21 GMT; Secure
Traceparent: 00-0000000000000000000f9794933f85da-10a6813e5c557e58-01
DC: ccg11-origin-www-1.paypal.com
Accept-Ranges: bytes
Via: 1.1 varnish, 1.1 varnish, 1.1 varnish
Date: Sat, 06 Jan 2024 02:44:22 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Served-By: cache-lhr7369-LHR, cache-lon4260-LON, cache-lon4260-LON
X-Cache: MISS, MISS, MISS
X-Cache-Hits: 0, 0, 0
X-Timer: S1704509062.922077,VS0,VE146
Server-Timing: content-encoding;desc="",x-cdn;desc="fastly"
DNS

www.paypalobjects.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

www.paypalobjects.com

IN A

Response

www.paypalobjects.com

IN CNAME

ppo.glb.paypal.com

ppo.glb.paypal.com

IN CNAME

cs1150.wpc.betacdn.net

cs1150.wpc.betacdn.net

IN A

192.229.221.25
GET

https://www.paypalobjects.com/en_US/i/logo/paypal_logo.gif

IEXPLORE.EXE

Remote address:

192.229.221.25:443

Request

GET /en_US/i/logo/paypal_logo.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.paypalobjects.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: s-maxage=31536000, public,max-age=3600
Content-Type: image/gif
Date: Sat, 06 Jan 2024 02:44:23 GMT
DC: ccg11-origin-www-1.paypal.com
Etag: "5d5637bd-932"
Expires: Sat, 06 Jan 2024 03:44:23 GMT
Last-Modified: Fri, 16 Aug 2019 04:57:33 GMT
Paypal-Debug-Id: 9bd63d518d836
Server: ECAcc (lhd/370E)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Timing-Allow-Origin: https://www.paypal.com,https://www.sandbox.paypal.com
Traceparent: 00-00000000000000000009bd63d518d836-0995629df4f383b1-01
X-Cache: HIT
X-Content-Type-Options: nosniff
Content-Length: 2354

151.101.1.21:443

www.paypal.com

tls

IEXPLORE.EXE

1.1kB
6.4kB
13
15
151.101.1.21:443

https://www.paypal.com/en_US/i/logo/paypal_logo.gif

tls, http

IEXPLORE.EXE

1.9kB
8.1kB
16
18

HTTP Request

GET https://www.paypal.com/en_US/i/logo/paypal_logo.gif

HTTP Response

301
192.229.221.25:443

www.paypalobjects.com

tls

IEXPLORE.EXE

1.3kB
8.3kB
14
15
192.229.221.25:443

https://www.paypalobjects.com/en_US/i/logo/paypal_logo.gif

tls, http

IEXPLORE.EXE

1.7kB
11.2kB
14
14

HTTP Request

GET https://www.paypalobjects.com/en_US/i/logo/paypal_logo.gif

HTTP Response

200
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

845 B
7.9kB
11
13
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

799 B
7.9kB
10
13
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

1.0kB
7.8kB
10
12

8.8.8.8:53

www.paypal.com

dns

IEXPLORE.EXE

60 B
189 B
1
1

DNS Request

www.paypal.com

DNS Response

151.101.1.21

151.101.65.21

151.101.129.21

151.101.193.21
8.8.8.8:53

www.paypalobjects.com

dns

IEXPLORE.EXE

67 B
148 B
1
1

DNS Request

www.paypalobjects.com

DNS Response

192.229.221.25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25d22739f62e5ab65df93c2d188ec7f9

SHA1
e6345ac89c9144dfc9d98f9d6c4b02cc822b1a9e

SHA256
0a17d8ddf80c07533bb174bed78cb768e2b3b98a322cf524c8af3a728850760c

SHA512
0e38158b6c313bb888d993eacec8a0e7908b831b9227aab02e06c09118df3b34fc856d71777288460be16cb78c901716548a3c8925fa4da2d93d650ca70c4996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9497b71998a83616d43d92048990fd4

SHA1
138da925da485ea8cfba1cc387663de4cbbfc383

SHA256
08d2e2409b6e8ca9318449c020c25dcb2750bf2a5f5a87c35330d093e8f66463

SHA512
52a7458ff7ed0452fd362a609ea384a74d59f4d41451cee0ce697910a319a8a0ec736a8f96b635beaa69a53d09d3823b896c6c5265efb53056eba531b36dd024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c5a3fffcd245fbb017c341c4d6ff0a2

SHA1
f5038aeba99363193fe6d5243f93bdabcf2eab75

SHA256
7928087eb1770facea67296cd7d1f7dc8cb140be20d882241b0d583f2411f1c7

SHA512
2df4ce3416bfc706cdc808a9531a2e49e2dceed8d95cc60b88e240307ba6efa6ab352e462c9a61a454aef793b9e2e1f49b325381b06f9cbc0dc1c2c0e98f67a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd79e1f76f563211f7f83298061ac037

SHA1
d9dad2ea0cc3883b75a3dd9dfd6d775a25afd3b8

SHA256
f700c564898a171421ad9fadda9d403b771f111382942ef0cfb7611b2ff25a19

SHA512
32ed6458976e8814e47567e533a6ecdb38d7fcde001530039189e6a3885c4a453911f391976465185e703628f0240ccb0f4c4c5db987ffb134721b663b767872

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca6882299079c72ddf9be9bc66241f33

SHA1
0e49e9290687d7feb23033c444e620d6b50c5777

SHA256
a9a0e66e3f72189281cd08a271b28a54e54519604509b81d7c2ff4135078bb32

SHA512
938ac909ec24daa23ac0520afa30169cf645e0330dcff649bbd66f51a6a1f680077c55a7b588ff84db68075def29b3aaeab160de02a12e87212b8482e4c91255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72d0be5b3aea30469c367f899c485ae6

SHA1
3b1834659ac46a930c9742ace8100f2431a02643

SHA256
e9129b0e2c8c2422fcccc3b62c862407ff54360740b895a4c562e3b2a56f7da5

SHA512
67b4645559f9483e0b7a2efc9c3c0ad1de923d5c5a0ece6fa59ebf309385938264b0605d8084ffc356f73c684643b8955b9e33b7b1dbaabc77cd36c26415a3c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fcecb322f5bd8fe017fb02c2cc91904

SHA1
f1b5bae1de25841f0cb76062b4aa882184bf1b02

SHA256
7edf6341c4702b66c2ed8efcf9347c759b75b1f166c92be244abcefb973194a3

SHA512
24ecbc95f1f81de2e687de52ae76964f9ed4309aeceae315c5fadc24171e4c37a867b7cce3e507ce85db0e89895503ef22388733021d7061553a0f56adf9e828

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD3B.tmp

Filesize
52KB

MD5
b5ddac3cd2f41482807c78edf53fd399

SHA1
42e686495c992babdf8eec632a2cde0e0a30e967

SHA256
2c8394f793d2addae5e60a8bd7b281b9692ede03c3c6e0c9058bf97e695876c4

SHA512
c5a8f7659da9dd4a590b8987bfb9be6b0bbef8061e23c82602346e7c3501c281662dba3555951cf85dd00be8047b7122eff542435fba934ea44e9b025cf4b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar15B7.tmp

Filesize
64KB

MD5
69b8e2fe3bb7142b759bbc3bd3092cc2

SHA1
c55b032e44415d77a1a2f3f6c6c049b7cc32afd7

SHA256
d31cf766104ab57466eca8c74b0b1dc3f7729270b60df98dde747087ec3e8bb4

SHA512
c3b3ca6861a0e35822f0c5b6085f7fc1444b051548aec4362723d1b7a14b72cd832335ca29eea23ce8f9fb71f4ac76c6bf2b58a220722e7843461bf095970b7b

Download Submit