hxxps://www[.]noor-prefa[.]ma/robeco

General

Target

https://www.noor-prefa.ma/robeco
Sample

211021-v8chhsaeg3

Score

6^/10

microsoft phishing

Malware Config

Signatures

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 ipapi.co
39 ipapi.co
40 ipapi.co
Detected potential entity reuse from brand microsoft.
phishing microsoft

flow	ioc
41	ipapi.co
39	ipapi.co
40	ipapi.co

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5133C40F-34F1-11EC-AF2E-DEC7D0DD9661} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341651523"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341619531"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0869c9aa2c6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000760f5b68e3dd95e23398ebf5261162bf14f0878255cf475d1f42d4dc0631cab5000000000e8000000002000020000000dcc5eba061b72e267ec45f2e8d733cbd7c3545ba44623987e0a886c869e5d2c02000000007c4eb3bb14966db08e4554cd9bd013ed3e469197baf1ae8e6173598017ce56a400000009ef42e5c32a7ee837fd543f9541d91c6bbe8531f1cff81c6fc6755d677ffbef8e9b07039f0173a71b5532f6edee630f52f8c99d56a79868127eef20895ace04e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ae06b3a2c6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341602937"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d000000000200000000001066000000010000200000004b9926ad64b842accb5cda8795f043b7bd0a269cec824950a5c338bcd771bb0e000000000e8000000002000020000000d99d84c31c77e121628da12685442596c1d2b2057893f287543d378021342adf200000004a8399a28442665c52f4de55011d342af054a136108089bdf861d3fece8f2594400000009a3244919686c14ad0fcfe03bdd7ceb0347d02cd66b63365e3fe0568dbeaa91899056de23c27f2ed9eda411a08918979c1c8e5b1f188023639e571be6f86831a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeShutdownPrivilege	1140	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1140	IEXPLORE.EXE
Token: SeShutdownPrivilege	1140	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1140	IEXPLORE.EXE
Token: SeShutdownPrivilege	1140	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1140	IEXPLORE.EXE
Token: SeShutdownPrivilege	1140	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1140	IEXPLORE.EXE
Token: SeShutdownPrivilege	1140	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	1140	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2888 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2888 iexplore.exe
2888 iexplore.exe
1140 IEXPLORE.EXE
1140 IEXPLORE.EXE
1140 IEXPLORE.EXE
1140 IEXPLORE.EXE

pid	process
2888	iexplore.exe

pid	process
2888	iexplore.exe
2888	iexplore.exe
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2888 wrote to memory of 1140	2888	iexplore.exe	IEXPLORE.EXE
PID 2888 wrote to memory of 1140	2888	iexplore.exe	IEXPLORE.EXE
PID 2888 wrote to memory of 1140	2888	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.noor-prefa.ma/robeco
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D2D3659CF5A65528555CB96FC902E8
MD5
dd2f43b60023462c9b1a8e106a0754cc

SHA1
6388296a245bff5344e380175774292b4002de5b

SHA256
f4caa51942e02b08cf7339e027a9b5b66e1bf437033b1cb85e15feb556cc875e

SHA512
9577400d6250efa012c4a25d4577f515136d3f9185afdf9750adee188e07d51a4a862fb4cd478e5d7fd73e6472ae6230c6e06a738f4b5db9ac45e08d730897c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
975953cf504f62b8abae0a1684bee07d

SHA1
8ec03e41e38feb387d014dc487b3c1c4a4565512

SHA256
75c45d93406828a32681fc3651bf6410192a8fcaf308f425a44c9553bd92f31a

SHA512
7feaffa5a8f1eab9edbb8e44e982d13a97e9eee0ef2d4dd3ca7cf5fae220e5c739fc00ef5b432284d97ea040685c255e23f8b6ee12a37576871d73bc4059c3f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D2D3659CF5A65528555CB96FC902E8
MD5
03b7674cfca4887c5d7901cc198b4b30

SHA1
0427d495a1b0f6a3c7eaa9c345d05ac8cc8afdc5

SHA256
e4cbf9d459c93c7d11d07b90515a6fc61634dc10a8e321a0e4e8f815cfed4bd5

SHA512
53ed2b4a0a1026e6b0f686e493548da6ca5033dd572b7bf02d9db24230c3f8c1ef9a6ba0f1bb15631536ca777696812e4abf5a6dbf30b74173c6c7dbb2f67f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\GJ7HF232.cookie
MD5
30dcc32c551a6ffda758d332f97324a8

SHA1
2f34eb53d206944109be9b58f3bdf4d9d3fd3a19

SHA256
e9a87c9118ccdb4e20ec9350141c32a30361080004a5afe7b3d0fb742dedef0b

SHA512
bf8d3f2ba32066d7153d8ac61cdfbe181fc865e7be6c068d2cc57e6eb72b15303f72292395c081ed05b11fcc51a2af12ca5502eb22ba914a505c301ded91e61c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IEAH2KK9.cookie
MD5
077ed12247702c8034779cab848b9978

SHA1
151703189e426c290d44e6a87908fc6f90d8d9ab

SHA256
12c3a65b3a7ad4c688037ba97f6cd402fc1ee47c8dd2ef99addac40c53efb22c

SHA512
c06cd76de13248a8d4e9648a2b3af5cc02ca2045b36f8119871424511427623c3aeebc3c73e0c8a273693635db72b0c5db84c9b1af52fd0c9a405d6d58881f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SVPZO04J.cookie
MD5
a798fb55209a0e34d567083b2f9f93ba

SHA1
3ba252476c2a27e45f4ef20200a37f385081a8e2

SHA256
f2b0f35412a28fa922593cd6b47c7c0ca051dc11a37cc04bcc9251ed83b8ba93

SHA512
714fe49bdae93391c6902474171fdb336d0d6b9d60cabaabe3b31287e76f124a706241944c3a367b3cfc8725d387079f49913a6960b04b02788ea808c6aeee97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XR8FXRX7.cookie
MD5
d9edcb7bd336ce632a73375465ff9493

SHA1
1eb5997a75e6a15aa252663c630a8ade0420a441

SHA256
778d3f4687948e0e5e032f845606aa013ec4b3186be752061895315f7d9116ff

SHA512
c289b842a2cafe665a1eaad17ae74644a0608942ce06dda713db7fe86872adb6378d697f09026fca35b61ae9ae8d8f3cbc2999fbfa20d2a883786cc45dc296f7

Download Submit
memory/1140-140-0x0000000000000000-mapping.dmp

Download
memory/2888-138-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-149-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-122-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-123-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-124-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-125-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-127-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-128-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-129-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-131-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-132-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-133-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-134-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-136-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-137-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-120-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-141-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-142-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-144-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-145-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-147-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-121-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-150-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-151-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-155-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-156-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-157-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-163-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-164-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-165-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-166-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-167-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-168-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-169-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-119-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-117-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-116-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-115-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-173-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-177-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download
memory/2888-180-0x00007FFE0D210000-0x00007FFE0D27B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads