hxxps://attachments[.]office[.]net/owa/swebb3%40ccc[.]edu/service[.]svc/s/GetFileAttachment?id=AAMkAGMyZGMxYTk2LTAxYzgtNGI0MC05ZjRhLWMxZDdiZjQ4YzhhNwBGAAAAAADSfXBPFtZaRrCZKg7hgvNYBwBmNbXUTSwPRItnjHxuR2%2FqAAAABQ2wAADL7RfwKlEhT46jDSY4QhQxAADNRLzIAAABEgAQAFF1bG2XgXpDlbx0pIju5g8%3D&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjMwODE3OUNFNUY0QjUyRTc4QjJEQjg5NjZCQUY0RUNDMzcyN0FFRUUiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJNSUY1emw5TFV1ZUxMYmlXYTY5T3pEY25ydTQifQ[.]eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiNDNjMzgzYTdkM2ZiNDE3NjhlZDE4NWI4MjMyNGIwYTYiLCJzaWduaW5fc3RhdGUiOiJbXCJpbmtub3dubnR3a1wiLFwia21zaVwiXSIsInZlciI6IkV4Y2hhbmdlLkNhbGxiYWNrLlYxIiwiYXBwY3R4c2VuZGVyIjoiT3dhRG93bmxvYWRANTM1ZTgwZDUtOTlhOS00ZmM4LWE4MmEtYmFlYjI5NGRhMjM2IiwiaXNzcmluZyI6IldXIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMTUzNzY1OTMxNzE0MjgxMzgxXCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiMGE1NWE2YmItZTA3Yi00OThmLWE2ZTUtZDQ4NmFmMzZkYzNkXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS0xMjE3MzYzNjczLTQwNTg4NzMzNDQtOTQxMDU0NjI4LTkwNTI1NzJcIn0iLCJuYmYiOjE2MzIzMjA4MzYsImV4cCI6MTYzMjMyMTQzNiwiaXNzIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwQDUzNWU4MGQ1LTk5YTktNGZjOC1hODJhLWJhZWIyOTRkYTIzNiIsImF1ZCI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMC9hdHRhY2htZW50cy5vZmZpY2UubmV0QDUzNWU4MGQ1LTk5YTktNGZjOC1hODJhLWJhZWIyOTRkYTIzNiIsImhhcHAiOiJvd2EifQ[.]cD63JOBKUydnutf5Y_cix06L6EeO4OmRK4RjP1311pObKLpsBv_IHTr12_OB-W4ZAMJxaKkFMhfIc8KtNVSTbB249eR3CWxP4VFBYJmJJMPOGwjEvcxq5Na5vBjr-XuyDYDjQDzuMzmmhyMU5fFsIxKYtFYy--lK6ScQiyYK0Wd6IVJS8W01POZ1VKop4LchGejFVHa906ZW4w9y3NUqmcEi-MnTBe886or-eaOw3M_VxQNGH7n4qG_aXXVAdWfNDhOxqWWZQUHPQAsVOwAxYxISN10CxgP0jSBL-425ss9fKEjV-8janQDENwtEb-d2QEnH8S01YKiCzJam7a3oOA&X-OWA-CANARY=orI5HeFpR0Ozi5FEsTjMBsCwJJbVfdkYGyWZAgUrFg1eojJ8oWROzbhX-D6NU1DoZFwm--iaKQk[.]&owa=outlook[.]office[.]com&scriptVer=20210823004[.]07&isDownload=true&animation=true

Analysis

max time kernel
152s
max time network
199s
platform
windows10_x64
resource
win10v20210408
submitted
22-09-2021 14:49

Sharing

Behavioral task

behavioral1

Sample

https://attachments.office.net/owa/swebb3%40ccc.edu/service.svc/s/GetFileAttachment?id=AAMkAGMyZGMxYTk2LTAxYzgtNGI0MC05ZjRhLWMxZDdiZjQ4YzhhNwBGAAAAAADSfXBPFtZaRrCZKg7hgvNYBwBmNbXUTSwPRItnjHxuR2%2FqAAAABQ2wAADL7RfwKlEhT46jDSY4QhQxAADNRLzIAAABEgAQAFF1bG2XgXpDlbx0pIju5g8%3D&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjMwODE3OUNFNUY0QjUyRTc4QjJEQjg5NjZCQUY0RUNDMzcyN0FFRUUiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJNSUY1emw5TFV1ZUxMYmlXYTY5T3pEY25ydTQifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiNDNjMzgzYTdkM2ZiNDE3NjhlZDE4NWI4MjMyNGIwYTYiLCJzaWduaW5fc3RhdGUiOiJbXCJpbmtub3dubnR3a1wiLFwia21zaVwiXSIsInZlciI6IkV4Y2hhbmdlLkNhbGxiYWNrLlYxIiwiYXBwY3R4c2VuZGVyIjoiT3dhRG93bmxvYWRANTM1ZTgwZDUtOTlhOS00ZmM4LWE4MmEtYmFlYjI5NGRhMjM2IiwiaXNzcmluZyI6IldXIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMTUzNzY1OTMxNzE0MjgxMzgxXCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiMGE1NWE2YmItZTA3Yi00OThmLWE2ZTUtZDQ4NmFmMzZkYzNkXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS0xMjE3MzYzNjczLTQwNTg4NzMzNDQtOTQxMDU0NjI4LTkwNTI1NzJcIn0iLCJuYmYiOjE2MzIzMjA4MzYsImV4cCI6MTYzMjMyMTQzNiwiaXNzIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwQDUzNWU4MGQ1LTk5YTktNGZjOC1hODJhLWJhZWIyOTRkYTIzNiIsImF1ZCI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMC9hdHRhY2htZW50cy5vZmZpY2UubmV0QDUzNWU4MGQ1LTk5YTktNGZjOC1hODJhLWJhZWIyOTRkYTIzNiIsImhhcHAiOiJvd2EifQ.cD63JOBKUydnutf5Y_cix06L6EeO4OmRK4RjP1311pObKLpsBv_IHTr12_OB-W4ZAMJxaKkFMhfIc8KtNVSTbB249eR3CWxP4VFBYJmJJMPOGwjEvcxq5Na5vBjr-XuyDYDjQDzuMzmmhyMU5fFsIxKYtFYy--lK6ScQiyYK0Wd6IVJS8W01POZ1VKop4LchGejFVHa906ZW4w9y3NUqmcEi-MnTBe886or-eaOw3M_VxQNGH7n4qG_aXXVAdWfNDhOxqWWZQUHPQAsVOwAxYxISN10CxgP0jSBL-425ss9fKEjV-8janQDENwtEb-d2QEnH8S01YKiCzJam7a3oOA&X-OWA-CANARY=orI5HeFpR0Ozi5FEsTjMBsCwJJbVfdkYGyWZAgUrFg1eojJ8oWROzbhX-D6NU1DoZFwm--iaKQk.&owa=outlook.office.com&scriptVer=20210823004.07&isDownload=true&animation=true

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Report Analysis Logs

General

Target

https://attachments.office.net/owa/swebb3%40ccc.edu/service.svc/s/GetFileAttachment?id=AAMkAGMyZGMxYTk2LTAxYzgtNGI0MC05ZjRhLWMxZDdiZjQ4YzhhNwBGAAAAAADSfXBPFtZaRrCZKg7hgvNYBwBmNbXUTSwPRItnjHxuR2%2FqAAAABQ2wAADL7RfwKlEhT46jDSY4QhQxAADNRLzIAAABEgAQAFF1bG2XgXpDlbx0pIju5g8%3D&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjMwODE3OUNFNUY0QjUyRTc4QjJEQjg5NjZCQUY0RUNDMzcyN0FFRUUiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJNSUY1emw5TFV1ZUxMYmlXYTY5T3pEY25ydTQifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiNDNjMzgzYTdkM2ZiNDE3NjhlZDE4NWI4MjMyNGIwYTYiLCJzaWduaW5fc3RhdGUiOiJbXCJpbmtub3dubnR3a1wiLFwia21zaVwiXSIsInZlciI6IkV4Y2hhbmdlLkNhbGxiYWNrLlYxIiwiYXBwY3R4c2VuZGVyIjoiT3dhRG93bmxvYWRANTM1ZTgwZDUtOTlhOS00ZmM4LWE4MmEtYmFlYjI5NGRhMjM2IiwiaXNzcmluZyI6IldXIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMTUzNzY1OTMxNzE0MjgxMzgxXCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiMGE1NWE2YmItZTA3Yi00OThmLWE2ZTUtZDQ4NmFmMzZkYzNkXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS0xMjE3MzYzNjczLTQwNTg4NzMzNDQtOTQxMDU0NjI4LTkwNTI1NzJcIn0iLCJuYmYiOjE2MzIzMjA4MzYsImV4cCI6MTYzMjMyMTQzNiwiaXNzIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwQDUzNWU4MGQ1LTk5YTktNGZjOC1hODJhLWJhZWIyOTRkYTIzNiIsImF1ZCI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMC9hdHRhY2htZW50cy5vZmZpY2UubmV0QDUzNWU4MGQ1LTk5YTktNGZjOC1hODJhLWJhZWIyOTRkYTIzNiIsImhhcHAiOiJvd2EifQ.cD63JOBKUydnutf5Y_cix06L6EeO4OmRK4RjP1311pObKLpsBv_IHTr12_OB-W4ZAMJxaKkFMhfIc8KtNVSTbB249eR3CWxP4VFBYJmJJMPOGwjEvcxq5Na5vBjr-XuyDYDjQDzuMzmmhyMU5fFsIxKYtFYy--lK6ScQiyYK0Wd6IVJS8W01POZ1VKop4LchGejFVHa906ZW4w9y3NUqmcEi-MnTBe886or-eaOw3M_VxQNGH7n4qG_aXXVAdWfNDhOxqWWZQUHPQAsVOwAxYxISN10CxgP0jSBL-425ss9fKEjV-8janQDENwtEb-d2QEnH8S01YKiCzJam7a3oOA&X-OWA-CANARY=orI5HeFpR0Ozi5FEsTjMBsCwJJbVfdkYGyWZAgUrFg1eojJ8oWROzbhX-D6NU1DoZFwm--iaKQk.&owa=outlook.office.com&scriptVer=20210823004.07&isDownload=true&animation=true
Sample

210922-r69tfsffbp

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912465"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09dd5ebd1afd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3911653156"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30912465"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cf0bf9682e7502408888acf3c72395f100000000020000000000106600000001000020000000007aa67feb1f014348cb7f335256eff87a55b50d4c1708ea1f21abf5e1a5a70f000000000e80000000020000200000007ebd67a54f62b610d5e668f9f346822bdd1400c0c9017a2603683824743d50b320000000a03032042b00023e956e14dd2a0ae0fa010b14da454665803bd18ad14d9569cd400000008262e6a783b7e2d0f35955d8048e2aacd3cec8717802f08bd41d7488f5f9964c329825f0d6ad8b5e3bf4795cbde147009c26e0e277042148f63e32a10450105a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5078afebd1afd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339094355"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11E83F3B-1BC5-11EC-B2DB-DAB543A68B6E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3868215723"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "339110949"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3868215723"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912465"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cf0bf9682e7502408888acf3c72395f100000000020000000000106600000001000020000000423f7ce70c5a0ae444b63e47f9d6340cf82f52d77ecd92bbf7510db658014ca7000000000e8000000002000020000000c489ee205602a6e5eb1734d3b4ad2512094020e1d70383a232b51630cd24e525200000005550588b0a682dc8a44b10254aaecf8e0a517d5529d78fe2f94807e3c8c7909d400000005530a29eaf20ae6e9c73b542fe4b55271462aa0a7625a776fc22c9c1f17e856fd296f0f66d8182d55d8e516036b94b780bb0d7f0131069bf92b3d5002a709280	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "339142940"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

396 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

396 iexplore.exe
396 iexplore.exe
1196 IEXPLORE.EXE
1196 IEXPLORE.EXE
1196 IEXPLORE.EXE
1196 IEXPLORE.EXE

pid	process
396	iexplore.exe

pid	process
396	iexplore.exe
396	iexplore.exe
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 396 wrote to memory of 1196	396	iexplore.exe	IEXPLORE.EXE
PID 396 wrote to memory of 1196	396	iexplore.exe	IEXPLORE.EXE
PID 396 wrote to memory of 1196	396	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://attachments.office.net/owa/swebb3%40ccc.edu/service.svc/s/GetFileAttachment?id=AAMkAGMyZGMxYTk2LTAxYzgtNGI0MC05ZjRhLWMxZDdiZjQ4YzhhNwBGAAAAAADSfXBPFtZaRrCZKg7hgvNYBwBmNbXUTSwPRItnjHxuR2%2FqAAAABQ2wAADL7RfwKlEhT46jDSY4QhQxAADNRLzIAAABEgAQAFF1bG2XgXpDlbx0pIju5g8%3D&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjMwODE3OUNFNUY0QjUyRTc4QjJEQjg5NjZCQUY0RUNDMzcyN0FFRUUiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJNSUY1emw5TFV1ZUxMYmlXYTY5T3pEY25ydTQifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiNDNjMzgzYTdkM2ZiNDE3NjhlZDE4NWI4MjMyNGIwYTYiLCJzaWduaW5fc3RhdGUiOiJbXCJpbmtub3dubnR3a1wiLFwia21zaVwiXSIsInZlciI6IkV4Y2hhbmdlLkNhbGxiYWNrLlYxIiwiYXBwY3R4c2VuZGVyIjoiT3dhRG93bmxvYWRANTM1ZTgwZDUtOTlhOS00ZmM4LWE4MmEtYmFlYjI5NGRhMjM2IiwiaXNzcmluZyI6IldXIiwiYXBwY3R4Ijoie1wibXNleGNocHJvdFwiOlwib3dhXCIsXCJwdWlkXCI6XCIxMTUzNzY1OTMxNzE0MjgxMzgxXCIsXCJzY29wZVwiOlwiT3dhRG93bmxvYWRcIixcIm9pZFwiOlwiMGE1NWE2YmItZTA3Yi00OThmLWE2ZTUtZDQ4NmFmMzZkYzNkXCIsXCJwcmltYXJ5c2lkXCI6XCJTLTEtNS0yMS0xMjE3MzYzNjczLTQwNTg4NzMzNDQtOTQxMDU0NjI4LTkwNTI1NzJcIn0iLCJuYmYiOjE2MzIzMjA4MzYsImV4cCI6MTYzMjMyMTQzNiwiaXNzIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwQDUzNWU4MGQ1LTk5YTktNGZjOC1hODJhLWJhZWIyOTRkYTIzNiIsImF1ZCI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMC9hdHRhY2htZW50cy5vZmZpY2UubmV0QDUzNWU4MGQ1LTk5YTktNGZjOC1hODJhLWJhZWIyOTRkYTIzNiIsImhhcHAiOiJvd2EifQ.cD63JOBKUydnutf5Y_cix06L6EeO4OmRK4RjP1311pObKLpsBv_IHTr12_OB-W4ZAMJxaKkFMhfIc8KtNVSTbB249eR3CWxP4VFBYJmJJMPOGwjEvcxq5Na5vBjr-XuyDYDjQDzuMzmmhyMU5fFsIxKYtFYy--lK6ScQiyYK0Wd6IVJS8W01POZ1VKop4LchGejFVHa906ZW4w9y3NUqmcEi-MnTBe886or-eaOw3M_VxQNGH7n4qG_aXXVAdWfNDhOxqWWZQUHPQAsVOwAxYxISN10CxgP0jSBL-425ss9fKEjV-8janQDENwtEb-d2QEnH8S01YKiCzJam7a3oOA&X-OWA-CANARY=orI5HeFpR0Ozi5FEsTjMBsCwJJbVfdkYGyWZAgUrFg1eojJ8oWROzbhX-D6NU1DoZFwm--iaKQk.&owa=outlook.office.com&scriptVer=20210823004.07&isDownload=true&animation=true
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:396 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1
MD5
8faa2f19a3e340bb19b7ea7b3fd45663

SHA1
a01311874a3baac502d45b56c951d9bb994dbe08

SHA256
37bc57fca367bae17aaaa0d5a7cf4ec07deee41f23d1a5a14ecfb31ab66644f8

SHA512
1e31bd6e91714f7178cd5a55ad4ac78a63619f9e994bc45610f644201a1e69133fb96d58c52f2403e7fbedffa0d92d5730da28148df94c235e0e4ac2e4297dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6184b0e7016067db51a6ecf5f3fec69c

SHA1
d95dc8253b3f7ee8eab391a9933de56929b7b9a8

SHA256
f0310616d9b89c76451b430a7849df7d6de967e7be98d4db98b18b13fd0d4c24

SHA512
1d5a39ff7c1a9896999b5a571ac198c8c7c667737f9970d1b81c49b6d20925bc800df7b5f2cc890a079646bcf8e7aba25934018e55cf555d1873f0f19dbf05c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_1941775A515122A167E3FBACF08992E1
MD5
cc74fa8631b8d67c9848576d23e14f22

SHA1
824d16010670a14bf85f7fab0025143e1af1dccb

SHA256
34aea7219354451adc5551e595e3c36ae5dfe17dc43e440ae72102f967000dee

SHA512
eb5dc89d54f57daf635befa2ccfa0730e1e2e7a0fb31e6c2134bebf14251eec24cfe310e1d185c8057f13d48554c98b1f2da6811018901b227f4940389ecd698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
2ddd736a972b2aa542ddd92149f57223

SHA1
27d72de7cbb862c1d152046b9f2df1ee0ff5cb85

SHA256
31fede432c32bc9f62ec95fd0bf7e7e262b4e515b29ba1741cf09fa295f2207b

SHA512
2897199cef5ae78dffee59b062bbb08070ccdf7b9b839a4483bdda49e04c4de0a113b6f1512b264f9befd3448497aec4a9ba2a78295d8fe4ca39d80dba49acb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\D8TL527O.cookie
MD5
51b95b6532e2a5052f5b6cbaea3d88ad

SHA1
ce956ed84f7515a4a91a5386bd3db255921d6cdb

SHA256
bd8c5023cd4863c25f7e18e277a6c37df514a98e84410b0d6e8c6099cc5e6584

SHA512
0dfa4c8685296e88f15c333bf874cc0712ad9b2ee8dd67f5ce620b98a58ff0b79194b449abc5de59798de3492d7ade093d855918cb6e8a52b4e5f4a72ea5bc75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q0YHMBVC.cookie
MD5
44527248a3a0034abab6c4b7083c190c

SHA1
565aff2a3c6e6bcb06061d64e849fec4b4dbf01a

SHA256
3aaa30c14e123c75d66453ba4bf3006ee308c6a51d5bd46ba0c886995df28571

SHA512
87bb3e2cac90ab850f145d7e42419e5fe14dc1207add95ee01ce4375c6dc44fe99f4a82f9b4f657a85dab89e80164d9b4e4e83ef41387812d7b7c63f85c14367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\X52XIQPT.cookie
MD5
63a28cfcd92ef0fe90f1e9cab60f07d8

SHA1
36cf0ed72ffa0d8adf6f66c71d4c9c8760241250

SHA256
0d4505a28a2e1042de42ca29e23269c307eddd7c2287412a6f230753a40c7d5d

SHA512
842eca86e38fa87f3d016f9b4230cc02df785948848758b1f347b8b51af73ec09d81a3f9488d58d531c6f9998414b4b3be9d4d070db53e1a083cf886757e2db9

Download Submit
memory/396-114-0x00007FFFB4420000-0x00007FFFB448B000-memory.dmp

Filesize
428KB

Download
memory/1196-115-0x0000000000000000-mapping.dmp

Download