e72900fb5d2ab6efc96af426955dbb8076e6b6a5de4a2c6a4f373f80f8523e9d

General

Target

Leschartreux_Doc#92543.html
Size

421KB
MD5

753114616924ea3beb30bf798201c81b
SHA1

5e5bb4a48d4f6475ce3fe2eefcc06edd86ddc689
SHA256

e72900fb5d2ab6efc96af426955dbb8076e6b6a5de4a2c6a4f373f80f8523e9d
SHA512

dbfa5a2ad32c5bd87854b6e4b8591d7641363d8cc02acb3cdd744ea9282e921d9db7cd5bc6c5f04deb0c7bf65cb3b9f43f9d4a7137ad128f5c6a85a155500a01

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\outlook.office.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\outlook.office.com\ = "43"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com\Total = "43"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341061349"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203f14afb5c1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "43"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb19360000000002000000000010660000000100002000000059e63f54d4a9d90aec6467375561050d63a2f0ae5098b6de3a5a4834b73f828b000000000e8000000002000020000000e3be6caee3d3d32065b051252d9c1be646e8c10642ce6636fc3b336e5271d2aa20000000878b65c2830a9b9b9ee3702fd7d9f2e0d4d7ce6b0a22b1fd001b28c51bd6759d40000000a5e3c90d5fbec35fe31c1768718700f945e53c3fe7280dd6d722d26b95754affe80efb81addc7981bfb430a19234fe7076780fc56f27c41156bb0a7926a62774	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb1936000000000200000000001066000000010000200000004a6c7467d3d2b2b155fd911a041f2841755799f26d1936826a98edbc977c2593000000000e8000000002000020000000e2c0eb4ea73b89af9226aff9f81163c5a1b299560ba4d0400657d679ba9a97d8900000005aba75dcf1c7dc6fad915009f5a09021ba818d228b920a715d606368f83fce1db956198e8e8b517da3e9e323dafcd48d588492da10a5a1ea4417f957dbf8f3b2833a63a1d19af7669e0c275df7dbc003741c2bc889e8678678fba7b52a95651d42e20154cd346752e5cb0d7915522c1909e472570ff3ee48c4ed772f7f66a683f6ca49a694fb79ed6fcd0a7c6421b5e440000000fb0253d6419405de9fcccc9e980a240e6593ee8f99e701f2b723b9d233857077e8958231d934ca4b68f4987dde4f17f3f0bbf905855f65b288515395ac0ccb80	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D402B691-2DA8-11EC-B914-4E998413B4D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1684 iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
1684	iexplore.exe
1684	iexplore.exe
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1684 wrote to memory of 468	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 468	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 468	1684	iexplore.exe	IEXPLORE.EXE
PID 1684 wrote to memory of 468	1684	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Leschartreux_Doc#92543.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e2244d19498da4545b64e1f51127a709

SHA1
869e923011747c28c0b6f7c97caea245bcf9003e

SHA256
22eb951d597702d39b6b4ebf2b497ef02d08c910f385879f2cd3f151ed00bc77

SHA512
666b7da2d0ef9541af6c4ff3a07f75b4804aa301c03de4a1a31ebefb45beb9f3f9062f81d21e905f0fed4ae5c61dcea4ddaa03508d1ba88ca3e9df798885dbe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\r32q9i9\imagestore.dat
MD5
a523ba0d489fc2ba373523080aa5b581

SHA1
c707c7c331316979528ed8b3e3ac0a8dbab6800d

SHA256
7abc1698e0eaa5d0a467321ea64bac75651631a2c15ade8e40255c9865051563

SHA512
be60cc65720e5f9346b5e17f21ba42bcb69c7fb059106b5f0fe455e0b75f82da4b5f49353090f5d575730a20d0e86836b2e60bd6355d6d718bf38d4ed4980826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\r32q9i9\imagestore.dat
MD5
db2d26443755be71d52484c0424d3d46

SHA1
d89681b28c3521a7fb289c6e5f8227c7485c074b

SHA256
53265ce130e824c231cb19ae72a37155864da1af21a52fe25c1fbd820aa98614

SHA512
f24d8f18dcc21ffee0461d88ba953220b45622d9a2c102c0b51ed267faafbee89f418f39f84c847dad25588208c3791ac11f0076c4481d66f20b47ed08fbd14d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S13LRU85.txt
MD5
3407fd5e9748c9ce77c23665dd617c7a

SHA1
b08a5e40bc7bcad650fcf0b1c2bbd8f047bccf48

SHA256
02cd8632d51abeefbd5a4eb38b4fe316fa6477ca8d5a12515164a477aa3ac085

SHA512
77fd710f41cf5fe713128df6aa04c9b63ee6750124f179a4428f4f9d55461fafb7cd2eefa32ac29d5d7af33aeeedc076453f2a011ac61f898b348362c9ca7232

Download Submit
memory/468-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads