Analysis
-
max time kernel
110s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-09-2021 19:14
General
-
Target
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=637681075086603086.NjFjODY0M2UtZmVjYy00MzAzLTlhZDgtM2RjYzU4ZGU4MjI2MDE1OTAzYzUtNWYxMC00YjA1LWI1OWUtYTFhZWM1Yjg4MDA3&ui_locales=es-US&mkt=es-US&client-request-id=74f011a0-1802-4ed9-a24c-23443c072ecd&login_hint=ivan.rueda%40grupomexgas.com&msafed=0&state=tQ4DoMkWRuvGLp6oG-E4A2lzeuF_IvRt5ldtXkIqVb_K4KBCLsosedmrHKtVYpSIDsfiqAqwRKg6WRT0NEncHeXR1sa3h8F4TINdGxmsOW3tuT7Kp8VmMH_w-BhYRdW-x-RqArZb29fACe0mbDIfV5RIZ1j8GYxB-0Zl9CK-qh6MYQVRKe19VPFZab46XyYw-EN7MnwKjhuAL7itNZxK3CZYSyMTklmNGuuyscHVFqki5R2hSTQJ7oFJv3HqM9iPdNb5IG4LDu1hziRl1fHlosaNS9tTlkvaoUv5UrODJRp2wuB49eYbwL3LdbjJMAoEhEHGhwXYtu-ksSH4DvxAWToiHkendP5YBKT47NiOKm0rGLf5rZCKnzCf2WwSt8x4GuVDzuXNTizO3J06jWgfpMGrCQMoQnhdbRCNuIIEyvkq-eboO_AAH5kgV7w97Xjr&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.11.0.0
-
Sample
210924-xxxenahfgj
Malware Config
Signatures
-
Detected potential entity reuse from brand microsoft.
-
Modifies Internet Explorer settings 1 TTPs 49 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=637681075086603086.NjFjODY0M2UtZmVjYy00MzAzLTlhZDgtM2RjYzU4ZGU4MjI2MDE1OTAzYzUtNWYxMC00YjA1LWI1OWUtYTFhZWM1Yjg4MDA3&ui_locales=es-US&mkt=es-US&client-request-id=74f011a0-1802-4ed9-a24c-23443c072ecd&login_hint=ivan.rueda%40grupomexgas.com&msafed=0&state=tQ4DoMkWRuvGLp6oG-E4A2lzeuF_IvRt5ldtXkIqVb_K4KBCLsosedmrHKtVYpSIDsfiqAqwRKg6WRT0NEncHeXR1sa3h8F4TINdGxmsOW3tuT7Kp8VmMH_w-BhYRdW-x-RqArZb29fACe0mbDIfV5RIZ1j8GYxB-0Zl9CK-qh6MYQVRKe19VPFZab46XyYw-EN7MnwKjhuAL7itNZxK3CZYSyMTklmNGuuyscHVFqki5R2hSTQJ7oFJv3HqM9iPdNb5IG4LDu1hziRl1fHlosaNS9tTlkvaoUv5UrODJRp2wuB49eYbwL3LdbjJMAoEhEHGhwXYtu-ksSH4DvxAWToiHkendP5YBKT47NiOKm0rGLf5rZCKnzCf2WwSt8x4GuVDzuXNTizO3J06jWgfpMGrCQMoQnhdbRCNuIIEyvkq-eboO_AAH5kgV7w97Xjr&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.11.0.01⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4024 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231MD5
aa5ff638f6285973e63a170957d140d6
SHA16711e342d675d01ceac1fe545b5f61af242d5164
SHA256201fee69a8de1c5aa298ad279f790a151e5ee8c1cb9f6830710987908547e08f
SHA51267dee02d0b7279e7699c796a6538f405dfc949b5c0da6e6a89cf97d1139d3acdaa8085d3469ea66b3a6fb03dfa27f89ae3f76f376d6c45331bf519cde4245466
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
f6c43ba8f66df7d9a8ba2cacbdbdec3e
SHA1ca1689ef9e173070d54e22ab81655771134bb7bb
SHA256edd8ca062a79f778031d3582d2ffcb90c3dda6a26cba0a7b01b1b12746912fc7
SHA512f4c14a7b5695d0c3c37ae1d0c3d857853f236fecdaa8270ce41ef09addc2cef6a2f75a8c9e0cea5fd6cfe7dd8df68238ab4703b4553c23d1d2072efc3b37fc55
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231MD5
6d893405e05718ce5527f7ffefca9170
SHA14e5d5b7141d527711343a0cc4000222167fca7e2
SHA256709faf445098d4a9b5ca54e71c91aa7455d14cc182ded31e13d00d8a2d9bda7b
SHA512417645d4bdf2bce506bae6daa4b11c8abcb21e62ff5bf5cc6d104cd84ba299450b7c4ebd37ac65b277a0427d29f555d9c69f1913f025aca7c2633db27ee7a249
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
d420f53c1bef618bab0e64102ad7a3cf
SHA140c52a1d87edb4ebf75b65941dbd0bec38f03110
SHA2561dce5eecf62a5dbac7d1db48f7dd2d2fa9b0606f07d75b4248ee9eae10fc2d2d
SHA51265cb4dbe45d34ba3c8fbd02c283adc54d710c3921b44a669e27f79a88b56fc37cb36effc14581a3956383c5c70608d7af48221d6243f491451124a741ce63d55
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5IOM3QB2.cookieMD5
926e9dcfad4042e314c6e4e165b6a4f0
SHA1d53322f644282645f4a6f7e13066f98f8a6b23a5
SHA2569aeed302bd89fd161504f415f0f16d71b4adfea98e6800bd8a1f51690201115d
SHA512c4329e29cfed139debc25bfeee95dbe75487cff2508dba7ad9334fb5a043501b1c57bb82b1e04e615c64950fbe5fce73b5125101da28856e32dc0ec0a76fc338
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O93GPI85.cookieMD5
b9730d4c51108def154dd02cada14279
SHA129a1f53283dd74289a16a714a1eac31450bf0b5f
SHA2569714cd9245301b673d0229f45c5a9220344bf367cb38e5b4da9cc61f96c8b9c6
SHA512d9d09d7698c22964906c52e711d75da1cc27a2253b3f146003e8eb19987445d9d9d8bc776934862165ba8b44750e4966f7191447effeeeb4ef48f8abb0e48925
-
memory/688-115-0x0000000000000000-mapping.dmp
-
memory/4024-114-0x00007FFAC0670000-0x00007FFAC06DB000-memory.dmpFilesize
428KB