hxxps://go[.]microsoft[.]com/fwlink/?LinkId=550986

Analysis

max time kernel
75s
max time network
140s
platform
windows10_x64
resource
win10v20210408
submitted
11-10-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://go.microsoft.com/fwlink/?LinkId=550986
Sample

211011-p6y1vahcdp

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20808cb199bdd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7124d852bf681438a7e3f075293b086000000000200000000001066000000010000200000009727c78d50bce2fd2711fe5c637d233f505d8181fb0ecd4b8303e330ff02f6b7000000000e8000000002000020000000fc4f1ffc9d7bf7be9874edc3d820de20332040db20ced347f36cfd9c4879600d20000000cbcd3b4444dd90dd89d179cda3c9d9b7340b1fbbf90a0733a7de83d0642aa9a240000000f4cfa04016a98ce3a4fb8af2c5f6a6415030a944a04d44b77ea37b6c88da7144695a26fd5efa9b9208ee5881be56b7fdb1e4a7f8a699af7fa89b8ce65a7ab179	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{047DA7F5-2CFF-11EC-B2DB-EA801B2465EB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340626126"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340609531"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340658117"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

652 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

652 iexplore.exe
652 iexplore.exe
3740 IEXPLORE.EXE
3740 IEXPLORE.EXE
3740 IEXPLORE.EXE
3740 IEXPLORE.EXE

pid	process
652	iexplore.exe

pid	process
652	iexplore.exe
652	iexplore.exe
3740	IEXPLORE.EXE
3740	IEXPLORE.EXE
3740	IEXPLORE.EXE
3740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 652 wrote to memory of 3740	652	iexplore.exe	IEXPLORE.EXE
PID 652 wrote to memory of 3740	652	iexplore.exe	IEXPLORE.EXE
PID 652 wrote to memory of 3740	652	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://go.microsoft.com/fwlink/?LinkId=550986
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:652 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
d90427449e8b0e3416f8293f08a04bdb

SHA1
e4441e4d50e15bdf40858099022c866662c64517

SHA256
c84164dcccf212ebe1ee8a39f7bdaf3bd59f94942d670b87dedc6b55dc5a3109

SHA512
413e724171660edee03b2b99cd02623a47e3a38c735dff6ecc7fe09cd6b12df147b47a803866c19eb12db9344ef9c0686796b395f0b67714c6a08df4c9768cb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
ca52e4edcbf1d84e6e435f6f4b82c991

SHA1
502a798dc2aa73b2b04ca9926c9da512f467e5f1

SHA256
6d9c99e4d1c210e5eac7364612cec25c2abd9911608a95812d5f94c17bb18d93

SHA512
0bdd3a473740e8535ad032072ac348692817192c2fa4d13cd2bdf974f0d2ed43e9a8945cb646b23b3505e028f911aca7fe5f598e38fa5512ad148c13ee1f1226

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1cd35e473acad1cf72d4adf5eca86075

SHA1
071be7020570efc371f52776d0e20771fb229f09

SHA256
26e692ff7d9df36d18f29f144fff24d3be82c41e1bef06659acf3b4fc98ee7c5

SHA512
90976845cccb568bd25a8c8df0d85d7d81f08700e62f1f1b8fb55078dce2f12d29887969276d7acc29b48e84f07e8e523c1c70f29b0cf0fbef469b19ba638459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
5ea5bf2e8b89b24009d2e070dea3d69a

SHA1
37834824fd91515b41d027a40eba88ee700ab003

SHA256
8aa37b80061d905a8e63ea8c6c82d12431e41b75ffe8b63e761bd4f178df967f

SHA512
d758646675f93b6fdd4acab456dcb0b7f53dda57756bd89579eca9f96c6801b5519dfa6e12cda440f4611d7a287fb3aecd1c0d7261065d88b51ae14a48cd3ff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
55190a38512f7159b2d1de1b1846af03

SHA1
563d1ce7cd71906c500c183784c53bc662e5995f

SHA256
735d272becf249caf2f53b563287f8031d8336b10b163aa58c7e09907afe194e

SHA512
ae15e13027e28d1aeaa9a2aa46fa515517ea17b337f47af57847cb6649c9836af4f6e4d8067759aadfd1be361d1f05484382138372ad0aa63ae7775d4c722ce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
157f8c80e0885e337cd51e243e1972a6

SHA1
694629318bfb7098ec2fae89ffeef00c22f94300

SHA256
d27aad213496c5e8d900c9da832755ac53630a7469a35d06b2ffa6428f391fd1

SHA512
e74f675f3bce0fee834f2f553cf921e9eea28f0f26d06b780510374576904c99e5de67b91b5f7a85c63f219be71257668b5cd84870f278e571b4ad54b0d27205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3U0V2IB1.cookie
MD5
9a53891997f06b4226393e061eb5b0c4

SHA1
954bdc94013fec973df096ae1aa2954fe303f928

SHA256
143e532144f0d8a85c0001d873bc0289e2f5e55dcffc9bcfab01e5ec7995731a

SHA512
26d6bbc2dd2fd91554f20dfd8b74b73f44a88fb6ae71cb010d2ec5a98c86f12e7d517925be49f7d9cee2733a41013484150be996feb2a6dabb9fe729b5ce6e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\A3DUQ1WU.cookie
MD5
9722127971a1e4f12c368bb1931ec02e

SHA1
d503102e9c102a05d21c289921d0e1e693bf9dd4

SHA256
59e5090a4341a2bb7b642959bc312b4369e575b57758d7531b0aadfd9d875ff4

SHA512
756a7e611c93d148fba9f6e8ce2e41f05ef5a9beaedae4e6d6b9e085aaf43d40343f4d4758cda2e6d9c1e0f15aaa3270a9f43c0aeea4516edbcbd5b7933c81c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RPOJA25Z.cookie
MD5
a6fdb8cc0be33b8dcbebf1a454d9442d

SHA1
ccd783566bdec66e6d83da613347f851b5d7a147

SHA256
348c878f649f5b4ac0c7ddfd1bd8156145332ea88549555032a6c7fc60f17b9e

SHA512
f5b7dbd37e4a6aee01547dbcfc9bdcf883aab841e6fb693aa38a05b7d7d63850a869ca16a4f01067c108e9b621722620d89541acce6a007875e7a6a4148970af

Download Submit
memory/652-143-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-149-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-123-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-124-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-122-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-126-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-127-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-128-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-130-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-131-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-133-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-134-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-135-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-136-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-137-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-140-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-141-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-120-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-144-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-146-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-148-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-121-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-150-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-154-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-155-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-156-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-162-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-163-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-164-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-165-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-166-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-167-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-168-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-169-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-170-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-173-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-119-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-118-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-116-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-115-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-114-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-174-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/652-177-0x00007FFD26E90000-0x00007FFD26EFB000-memory.dmp

Filesize
428KB

Download
memory/3740-139-0x0000000000000000-mapping.dmp

Download