hxxps://www[.]attemplate[.]com/nam/login?id=UnJxRmZtQ3RsUzEzc1NQakoyUGcwWGI3NWlDN0dQbEFzOFkxaHpRaXVZcm13RVEyd1hZKzBlcUNwVzVtQ0NkbmU4TUhLV2JObzJRTWdGQWgrK2twNmFhNmFDOTg2WUszMlRtbDYvOXpHeWRkdGh0SDA0emsyK0pBVDhoU0lWSU1tQzVFaGkrSGhvcEk5ajN0all5S1hpaFo4QmdtdzZvb1JLOHdTQkY1bkh1NFVMeDJiUkhnT1cvai9oZkJPcWF4VzdYZWFTRHFkbzkveXhYWTIxd3hnOUlRZk9vSG5QcWVvTWFHa1RReVMycnRMVHVaL1A1bnZBS0IxcTNwYkhrdWQvcFc3QXppbVVZZ1VmcHRudndMNWpmL2g2Z25ieE5oZ3VFekJFdjlWdnJVRVBleVAyUmhjaXgrWDBNMUhBaE9VcVlUMkZPN1FzL2d1VitkZG0vL2ZnPT0

General

Target

https://www.attemplate.com/nam/login?id=UnJxRmZtQ3RsUzEzc1NQakoyUGcwWGI3NWlDN0dQbEFzOFkxaHpRaXVZcm13RVEyd1hZKzBlcUNwVzVtQ0NkbmU4TUhLV2JObzJRTWdGQWgrK2twNmFhNmFDOTg2WUszMlRtbDYvOXpHeWRkdGh0SDA0emsyK0pBVDhoU0lWSU1tQzVFaGkrSGhvcEk5ajN0all5S1hpaFo4QmdtdzZvb1JLOHdTQkY1bkh1NFVMeDJiUkhnT1cvai9oZkJPcWF4VzdYZWFTRHFkbzkveXhYWTIxd3hnOUlRZk9vSG5QcWVvTWFHa1RReVMycnRMVHVaL1A1bnZBS0IxcTNwYkhrdWQvcFc3QXppbVVZZ1VmcHRudndMNWpmL2g2Z25ieE5oZ3VFekJFdjlWdnJVRVBleVAyUmhjaXgrWDBNMUhBaE9VcVlUMkZPN1FzL2d1VitkZG0vL2ZnPT0
Sample

210921-lb81sabffm

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f3bb5bcaaed701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{82B2FFD1-1ABD-11EC-AF2E-4208BF05CDF7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "339029739"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "338997747"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30912202"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8056b25bcaaed701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1460607727"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1460607727"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000005c0d7deede0d687172dffcc5c4c443be0a7e4428e02ec76c7e7fc309a0d04c38000000000e800000000200002000000031dce3b086e0b56cfd0e510c1b459b4285efa7e2ff306b86179d7a33a07fb91620000000e0bebfc627a980ec954285e0587b34ad3fad15e56c876fa15f2754d4fdea0ac040000000cb89f6e75fd376bf87226ce5fb87dda96057ec95c933003b0f5613835a0fc84648608b643bc1d9422cad1638c9d20426ff2c22a56f78e7652ff9d9a94c27a702	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338981153"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912202"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1469201505"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912202"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000766c00c55a7efec79e6e513cacc13b88be9a20f183dcec3a95741bbdfcbd46cd000000000e8000000002000020000000ee91e11ed77a9a54ce75e471f48a9011b734198755c84a417392ccf769c9ec68200000007dd4160cdffde460e2924638acf75549186d0c6329ae43aff4ca02f68e91a8f64000000001a58e25ea2abc8ca91e6a41151c40ab6e37ed5a19b69e42eab2a36e945d129d0a90baf8d3dbb04c1eeb8c6806273f4a0d62b4aaf21a5204774b2bccb9346756	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2056 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2056 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2056 iexplore.exe
2056 iexplore.exe
2424 IEXPLORE.EXE
2424 IEXPLORE.EXE
2424 IEXPLORE.EXE
2424 IEXPLORE.EXE

pid	process
2056	iexplore.exe

pid	process
2056	iexplore.exe

pid	process
2056	iexplore.exe
2056	iexplore.exe
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2056 wrote to memory of 2424	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2424	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2424	2056	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.attemplate.com/nam/login?id=UnJxRmZtQ3RsUzEzc1NQakoyUGcwWGI3NWlDN0dQbEFzOFkxaHpRaXVZcm13RVEyd1hZKzBlcUNwVzVtQ0NkbmU4TUhLV2JObzJRTWdGQWgrK2twNmFhNmFDOTg2WUszMlRtbDYvOXpHeWRkdGh0SDA0emsyK0pBVDhoU0lWSU1tQzVFaGkrSGhvcEk5ajN0all5S1hpaFo4QmdtdzZvb1JLOHdTQkY1bkh1NFVMeDJiUkhnT1cvai9oZkJPcWF4VzdYZWFTRHFkbzkveXhYWTIxd3hnOUlRZk9vSG5QcWVvTWFHa1RReVMycnRMVHVaL1A1bnZBS0IxcTNwYkhrdWQvcFc3QXppbVVZZ1VmcHRudndMNWpmL2g2Z25ieE5oZ3VFekJFdjlWdnJVRVBleVAyUmhjaXgrWDBNMUhBaE9VcVlUMkZPN1FzL2d1VitkZG0vL2ZnPT0
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\451025123A22EB28E59EC89C0BD4D0AC_746C096A78ADF306565AFBBDC1D03C14
MD5
7e8e5080dd97e96c05677317be5815f5

SHA1
879e57fbd3a2c1ec5493885ef8eaab884632f5fc

SHA256
1001e51c72af935d51d18b262d7b86d16780d6e0d781873f75d4b3796a6e222c

SHA512
f77560beff6fc35db146d0eab44d4304210a5c112d8017cc315443683c75e464016296142f86cc27e463a694a5c912ef5f20acf6797088d5716a353264717eaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
afb3184cd6ba3ccd4d11e3caf9605965

SHA1
529d9e77549890a7c4c6e3d4c0894894f34036c8

SHA256
4cfebe01e11ade084470601ecacf242fb858bfbdecdce1c36044d331dae56083

SHA512
4201d07b2b4d87f4a962b535172b51325a798c35257e0ff0d81d5eae77150d49c7d5dca12e04c51c95840980f811132ca79f28b327cfaa7a99566938c8b6a606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\451025123A22EB28E59EC89C0BD4D0AC_746C096A78ADF306565AFBBDC1D03C14
MD5
9e12777ed1043272a024a669abd8919e

SHA1
6a9246ea792c6c6993f01a995c2fcbbe3961b7be

SHA256
cfb5ea5e7ba09c608e7452390a9042653a3e686ba637c9ee93d37932ac7b97d9

SHA512
0b440e763388302334265c2a244e79aed523ddc3348f2d9479848f781628a62ff533822f416ec68af610b577714c09fe84cacb506034d5de971c48ec15a521db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
bb55aab23b8d414491fe0eb06dd478f2

SHA1
7d3af793dade78ce606f4c4365bf7f240bf5df1c

SHA256
7f114c3e583686c8ae3fdd14e2dc40d68d86b722dfcd442173c5e21ed44fa145

SHA512
735ddbb9c1792a108e662315e3c7e3a4122ab31b60917ffd168b4ea2e6d87bc25ad70880e68aee1a344dddf8279cf65f637a944418d974c62e10704eb115be28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KT9FHFBK.cookie
MD5
c2f1849837533abc8bddc72ccc958ade

SHA1
aabdeff5a551dae73826e177019e21abcaa15e34

SHA256
23b487c46cc59c5d7835379cf232b222f55fd853aee4eaaf3aaf72f31b0cccba

SHA512
2dbb2435100a8f76aaeb84700cd5459e46ff28859fb8d2f0f0f443297e2ead401b7fe40d01835bc7cb4093c75cbc64ab7bc0fb18e854e7eeeb41144d18c0bc06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\X7PWH9C5.cookie
MD5
09ff7fe01f3a8927d401024500d05729

SHA1
4e56d8f306912418967c56f83311e3cb25ebc31f

SHA256
f61531d48d7503ce6e8c22a5e6c0933f20bdcc8cea47257f4f95b19b442c7261

SHA512
358db896c052dba0446f6a551c8a4335097997415fa753ed0054adb6e44ecf2b41d0f5709afb46f3053bbb27b69d98f67cd3df007e1f90a666beba8bca8b8878

Download Submit
memory/2056-115-0x00007FFEC6500000-0x00007FFEC656B000-memory.dmp

Filesize
428KB

Download
memory/2424-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing