hxxps://marvinwqmanor[.]xyz/secure/global/link

General

Target

https://marvinwqmanor.xyz/secure/global/link
Sample

211012-xhksbachfr

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E23F0D7E-2DE8-11EC-AF2E-EE15F61CCFDC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000c50f3b64fa29e40d4e1b1e342db6ef81610e40166fcd1f1551effec061c0c48e000000000e8000000002000020000000d73e841d22dcc0956f9fcebe20cb68059c01497a7d14140d572e2fbe40c788f12000000064205ef9af65be8ac345e558582a68403c8ae3c9e2c69ff5a345c3fe616cec9040000000547a4206156499783648c17016138de9c4193ea23fd24fe251227b2a5537b8b6c6949b4cfa937a36c2be8fd5da7e5b8fab93a1f193dd1f1747e33a7a5a5db72b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340829658"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340846252"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b00da03c9abfd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10597c3c9abfd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340878244"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000007bbff7e91aec25a4e8df0256fd5c85a344518d254a77c88975dca94bcddad1d1000000000e800000000200002000000074e7c31f281d9db42b10bec121fe9f33e7d14c975159a08c5b946e9416f3144720000000d69cbe38a739c9a219690bb67f72608c818e355f83aaa2e24643c30f81235cae4000000018088791cb3da2d749114c5a9e710dd53a7fb2419e786be2015ccd9693308b9e4b581a3649a8447a59ded6a410e546be06750a7ce5483114d976ef57a6de9efb	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2472 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2472 iexplore.exe
2472 iexplore.exe
1040 IEXPLORE.EXE
1040 IEXPLORE.EXE
1040 IEXPLORE.EXE
1040 IEXPLORE.EXE

pid	process
2472	iexplore.exe

pid	process
2472	iexplore.exe
2472	iexplore.exe
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2472 wrote to memory of 1040	2472	iexplore.exe	IEXPLORE.EXE
PID 2472 wrote to memory of 1040	2472	iexplore.exe	IEXPLORE.EXE
PID 2472 wrote to memory of 1040	2472	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://marvinwqmanor.xyz/secure/global/link
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2472 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
540b24c38782c59d419b3e53571d7442

SHA1
173e635887ea2c96b27c59b9eaa408a4ed7e321c

SHA256
1b255cc453354ca80ff1126b05deec63c9ac7aa823ad93b3ce2b71e81867514f

SHA512
d090b2d2127d1784d3db6d88d7133e06703a3f3f4b3d78ad61695a57db0bcf1c25288a114cd90094aeeb605bb6475bace48b925d16545f08cea7f74914e05973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
ca7b103e16ab093df1ce463721362d4b

SHA1
fe06a7b1ad941fcb8738ab11ae31a8c3c037b378

SHA256
5fd187b954f7269ddfd7bf593958358e98514fd6967d81fd40d60f4efca83467

SHA512
7bb82fa42613873669e7285da5ff3d458a2ad456b7e2743a794dc580490122a18991e0c8ce2f264ab2b843562e29bfe4884b5e7ac176ea2fa263a7f584ea0e5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Q8YJ86C4.cookie
MD5
6c70b46f7bb0847c29dcc6e992ce06d9

SHA1
b62862d39505a2f09a016b3733db420af9d4c82d

SHA256
3b9e603e6b788742e5a7ea6cb66d0bfa5202efb78e2e6357206ad09b41b697b8

SHA512
8b2525cbe066618c1b4a9d52e2c91cefa050d6e02dbe7ecb17543322f87192759c432b1641b14e558d987fb119338c20e86dc9d243f092562a95c71448a9d6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YU5J3UNO.cookie
MD5
c1ea6ddc7a720bc7349002cdfbc1a8bc

SHA1
418bcadb9a40cfc0ad727619b3a1aa7cc4416593

SHA256
91cfcd7ba0b67eb0b9bfc423b470ad5ce9bc9866db1b2b837cba2cec08410501

SHA512
bd5562caaa81f35c9b6db116db11bd6cf514cf96f45c132fa560316697ba9e2daea1249356e612b8d552efee806a3c39b48be4ce720c6c3ae837e58ab81c981f

Download Submit
memory/1040-140-0x0000000000000000-mapping.dmp

Download
memory/2472-142-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-149-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-124-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-123-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-125-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-127-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-128-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-129-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-131-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-132-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-134-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-135-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-136-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-137-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-138-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-121-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-141-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-115-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-144-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-145-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-147-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-122-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-150-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-151-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-155-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-156-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-157-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-163-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-164-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-165-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-166-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-167-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-168-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-169-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-173-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-175-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-178-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-179-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-120-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-119-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-117-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download
memory/2472-116-0x00007FFDEA690000-0x00007FFDEA6FB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing