e55e68f63e103f6a39a08d6c15900d13faedf3eb9ff6af0e19e997908585e54b

General

Target

Note514 ‮‮‮fdp.html
Size

1.2MB
MD5

ef32cbeb73aa743a027ae3ff4e43f020
SHA1

a32c5b965234c575b645969724a76d1e0f5b9409
SHA256

e55e68f63e103f6a39a08d6c15900d13faedf3eb9ff6af0e19e997908585e54b
SHA512

fca307f4d9ba330909192aa86e67f3bc3629ad4cfef95c41da6b401daf24406adb6ab16cb14b24a078319c6c9688b80caf614d8fa4c8809a6b68c4b88725d569

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\9D98A9F24C737F24E4E43BF784D0DF0E131D40E8C5 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000b5635016651e4fb226726690070017c9140b27a4848e40f0c56d3ba4e8dc968b000000000e8000000002000020000000037ddb570cc7f0ea421c081c6a6d2bf907a2eff69553724926c4b8936e196ffd80000000f9befa6fe58201824a0bfb56228308a9d308c23b90cf5f814097b73188282fe60d70580f51391ef051a14ee7e22bee45a169e31ebca8cdb90b35c7991bf8be2f986fa73ede84f9ec25f28fe8f29d97ed0f965e4fcd7f9880c95e516f911fd334795d2f786fe7b20f89646950c8a9c5c224b0d7129e33be4a266226f1cb4fd8b0400000004da1810f02ec2b438cc361514e1bc4c82331610b92493f0c7d7ed6fd6af1a16b08ae9f922d07b50c904c40645bac8bf3dd323bdd5b48c6ca582a0e356938de95	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806a6261a5bed701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000e0ea57728372c94c400916748e2c0738a09a7a76f92dfefe67332d1a6e3fd010000000000e8000000002000020000000da3d0b996366de552b456f656ce4a581ce3890d0146ef656afd46f520407246090000000972aacaba66a3a26b6a81dbba60dd203cd165131b61a33aa2ac7685844d0081ff8c02fe4ae95495d5d0e9980ff3d5bc58b9ea25ccc159f2f849a4711174895b015220a0bb4e58a1cf93bbb0def906ca759f09ed488e6a0766bdddcd59644f1a53b3814f4f347e8f8dfb79ad9fc679fe8161e743dea4231927266522f979bb21546d8efd9a9a1055de1ce276c7a84d09f400000004f04242d467e071e5ac31c1cf1e635c911d0be33b782dd47c4610dd6d8e8fc548c2c89b5aeb5274b99b7160445b18a02964e59b6474aca3c7b707a27612c879c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8AD0E401-2A98-11EC-8E12-EA801C2D62C8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000dde866110ec49d89a29c5e133963cb0050673e3e487e25f9a8136cee0b3cb425000000000e80000000020000200000009c9acc7631290ea710ba6551af5acf7135845bdf9714973121cbfe736e290e5e2000000041d5ad4bfc71922f453cfd88cc373912901b9b1c5eb5f21a42672f13633b35304000000014a3122d36ab15bb41a3881fe31770ce56ac26c260750d83eda8401aaefbcd1fe2fe6f758ca51b76323e143eeb45558b8a5caf341aa2b41d648cbd7d5feec26c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1720 iexplore.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
1720	iexplore.exe
1720	iexplore.exe
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1720 wrote to memory of 1056	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1056	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1056	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1056	1720	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Note514 ‮‮‮fdp.html"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat
MD5
595c76dc6466bea598087bfd5fd1751b

SHA1
42ec7b452b7178a4767a745b785d928a19f0582c

SHA256
33d0311ef114587184a17df62c6f75f77eb63fafc8db6f55e6adfd6cd1cd0291

SHA512
f33049432fc166d100802199c7733352acc852be631c6a56e311d2aabe4a4fe845247a304d335a98a4c974cc4adc9e3427f7199018e875f98624bf2a0c555c2c

Download Submit
memory/1056-53-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads