hxxps://firebasestorage[.]googleapis[.]com/v0/b/r32zw1[.]appspot[.]com/o/5%2Fdsfghjk[.]html?alt=media&token=7b0335d2-e77e-4849-b6b4-fd8e3462db9e#test@test[.]com

General

Target

https://firebasestorage.googleapis.com/v0/b/r32zw1.appspot.com/o/5%2Fdsfghjk.html?alt=media&token=7b0335d2-e77e-4849-b6b4-fd8e3462db9e#test@test.com
Sample

211013-pk4zzadhck

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a63109125baed701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02411542dc0d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340892834"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340941420"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000467018124ec23e0f1fc36bc1e683c30e009fa3f78697d6cbe06b9fc434fbd152000000000e8000000002000020000000b02099d969e5a405fad9b7056db19c3cec1c1beaae8bc6742edce7cbf1a0368820000000ceccc6269837cfe742f0ff38c535c5dd78e2205f09bab3f5cb5f1958d539f37340000000c3c2f512a42df69522a3302a2aa9cef3eb86b500f1e3ac8556e0ecf9c78970b37746ea8a867d52792bba457e46d12e2eff7b01ed3cdd8b14b177a7f49cc46fe8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ecd7532dc0d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA8627BD-2E7B-11EC-AF2E-4E664A3D12E6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340909429"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000000eede46ed8037ba0e1bb73e4ce4a73be408deca8163ecf79bf8c5ce8b66dfe49000000000e8000000002000020000000be78a9e1d0dacf7ce36e97c04450ed8558643e70023cec17e9601829c0b815472000000034f1459f32d21b43430ba81e917ce77eabddc63b00b15540f1a33e6846c9754640000000e7a1e1ecf028d892bc28ddbd1a43a0abab9252926771985455df54f1b8bd47ae04f21828c8b80fc8e3712bd7cdeb041580387f961ad1ddf8f711415027736ae3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3800 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3800 iexplore.exe
3800 iexplore.exe
4540 IEXPLORE.EXE
4540 IEXPLORE.EXE

pid	process
3800	iexplore.exe

pid	process
3800	iexplore.exe
3800	iexplore.exe
4540	IEXPLORE.EXE
4540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3800 wrote to memory of 4540	3800	iexplore.exe	IEXPLORE.EXE
PID 3800 wrote to memory of 4540	3800	iexplore.exe	IEXPLORE.EXE
PID 3800 wrote to memory of 4540	3800	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://firebasestorage.googleapis.com/v0/b/r32zw1.appspot.com/o/5%2Fdsfghjk.html?alt=media&token=7b0335d2-e77e-4849-b6b4-fd8e3462db9e#test@test.com
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3800

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3800 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5B63LG6A.cookie
MD5
0eccaed2bfbffede46836aaa180da573

SHA1
4a4778066522d2d8a4de15013282547d36ac3ed5

SHA256
1b4f570f9133bee633060f74e5567c0c22db1611ff855bec0a56f429f61068fd

SHA512
572fced25bf2afa6a81b771f797df91e651a793a141b35ec7228836ff4096f5dd4e1343243ecd26cf09f5ef9dcc54c7c2e60a782f6a4a3b3490428a217bfabf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\C77TGCF2.cookie
MD5
0c201a375e481381b61aeb4260f3e40e

SHA1
ade161ac7266bede2ed2949dfc17ca261cba9515

SHA256
386132c7cb06dd4144059edde35509f0629e90e9c58ad4e244e031846e0be0ba

SHA512
55967ed79adf1a57a7585dfbcfa27fede116aff6c463028b6a86009c209e06996d3e958fe65e4c0ad29af72fd5ee5605dc53e5128f3f389a26fdf9700a33ae84

Download Submit
memory/3800-141-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-125-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-120-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-142-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-122-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-145-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-124-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-144-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-127-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-128-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-129-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-131-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-132-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-135-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-134-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-136-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-137-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-138-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-115-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-116-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-121-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-119-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-123-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-147-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-149-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-150-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-151-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-155-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-156-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-157-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-163-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-164-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-166-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-165-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-167-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-168-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-169-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-170-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-174-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/3800-117-0x00007FFBE0010000-0x00007FFBE007B000-memory.dmp

Filesize
428KB

Download
memory/4540-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads