c7e0c721799b060365baffbdea91c83b3e90e76694488f706338d61b80814eb1

General

Target

Order number 4192 (Account Invoice 168100001849).html
Size

5KB
MD5

ce95e62ba83415bc28b21711e98baa13
SHA1

29f9bd33074e201af10119b52797f61dbf50347e
SHA256

4c059d9876c3e0ab630bbf69f3fb3d55bad17819ffa59c1636b280218bc65acc
SHA512

0b440b0963f738142bb20e96aac24ccf0606acb09b1f24bedfb1d37e94690163e90222424060f8837b5364521ce8622e07a9ca14eed87d047e61614a70d275e4

Score

10^/10

microsoft persistence phishing

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000752087f400333f60bfb239da00c6766482d7896cb15f61adbd17dc4c0fc90842000000000e800000000200002000000026d7f536bfd7ab05c0b37f5c1e01d2148a288fd83a4c651d62fa21ab1633d3bd2000000091c06a710905848a3dabe686475080b0afcb2bf67c3d1159e17018005faf2e014000000063f8652c27f5458edb14fcd9fbd8112f0e60a95e3701610d9a48ce69188fb93ae0db5be07fd248a9f3c63d15571493a0f85c3ca4791070d33f8ff05a5b614728	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.office.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "342035364"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30919200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204ac35e20cad701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000a40226034d9eea8e8a2219ee8902c73881f705931014ab64b620f06fd13c18e8000000000e800000000200002000000090a5ddb2307443cb54962ad3189faf5f61d2ae1ef8c316caa190b4500c655a64200000006f653f7de3ca46de051c67d8ba3191befc1618ce2b26c90a0a3d570bd323b048400000004203b4f3d50003312fc45293a5b5534caa294eeef66dc79233faf4dd817853f431b5daccee154cf688b0a51f7b80b8c39f05a19a3472133dbdda97fadc5503bd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2029845f20cad701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40aec56420cad701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A2F0B6A0-37CD-11EC-B8A3-6A03DAF87569} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.office.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000a3ce9d30b4376bb9cc3b8b6e2bae7ccde5a8e3efe59a32885a24a591e0b4339c000000000e80000000020000200000004c0b77c9281c74a8993acc56edad2f1d4d0c4244c9e368d28f5756706882b18c20000000d10d0ac3dad09199d8dda540da4ed481807ab2235ac885889b07779c4e291c9c40000000324cca0760d3ef0aefb20d456edef733fe7c4c63b9c7f02381c5bd178e30f1c6ae7cb27ec63ad925124bd1a26b21147ac39aa426c2b5141d7e21d224b143abf8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30919200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000d3ace15043a271b81142a3131aefa5e3e47245cf9cdaa29a98bc4c49f4af7d34000000000e800000000200002000000064612c10f5e63688333885154ec2dd6713b76a6b8061973cc69193f19beb79732000000011352f7f3d6bd7828286b6796d8b479cb34a0eda3404cc5b277ae60452c7c85540000000b32de151493e867cfdbc4f56363067c773fdf275c3474c733af1b05fdb7f99bba5ed37d6811dfea5b8326d6064f9a320a5e4ecdc3c797cec9b8f4990e5ac61c3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1487357329"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1540951103"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "342003373"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30919200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341986778"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a05b8c5e20cad701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1487357329"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "1"	IEXPLORE.EXE

Modifies registry class 45 IoCs

Processes:

FileSyncConfig.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

640 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

640 iexplore.exe
640 iexplore.exe
684 IEXPLORE.EXE
684 IEXPLORE.EXE
684 IEXPLORE.EXE
684 IEXPLORE.EXE
684 IEXPLORE.EXE
684 IEXPLORE.EXE
684 IEXPLORE.EXE

pid	process
640	iexplore.exe

pid	process
640	iexplore.exe
640	iexplore.exe
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 640 wrote to memory of 684	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 684	640	iexplore.exe	IEXPLORE.EXE
PID 640 wrote to memory of 684	640	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Order number 4192 (Account Invoice 168100001849).html"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:684

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
05adc7f9b5d2cccc9837b0bd33fa81a2

SHA1
aab9cd536f6ba14dd72facc4bf8738b5a23f2ec3

SHA256
7fc792dff5bd4f9383f2f5d7bcfd69453420cbd639d9df1587592e4bfc0acb5a

SHA512
5a3f695c3cd7834367e92f0ca291ec800eff19f6db673501c8f29d513a3c2e238444fb464fcdc9c5ae94fcceb7c5a97370140a54bb42e903316323a67610e26f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
18ff860a4d87ce019e1e5395d2fd1362

SHA1
8ed6f68642cba1f3011290f1efe9d1a13f69012a

SHA256
313dbdcbff4a4b7b49e034f2362805ac2b009b50c7d2f26b36233c76eae81fb9

SHA512
b865a29b5e86fce6b2d0db5e78cfc57d02a429c3722b5f955abd3335e43186f61840265d9094929cdb2262c58638d5b22ca9f185b26b165ee875cf4a23a3ab69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
ca3361cd47ce4525397ca1c23f6ebbeb

SHA1
08e8fc80445199157d31848fae946a097d4b5d5d

SHA256
81fb46b6c7d425bef4c92b7980ba0bed0849c951aa48b4406ee6ad6512e509a6

SHA512
79b648a20d883e993709f7e688642f4a816ab1b7622e14bdd5009beb31e95619c346cb39c183fbb0878846df77723cf7dc19dec23e69e89bd45086e62c63c28c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a11f0c9b3559b7f1820da6e446f03a7f

SHA1
b6f9122d057f7a6a210252fcab3a6eb0ff5e5b72

SHA256
d0b96f4e15fb982b8832354ac6173ac432287e9dbccb59c9d4c1f3d6bbbd5e75

SHA512
6606c9e74fc7370d434cf6c6be9be5e55f8e378706b4a91cf41205fad3f3cf1d0f650ddc4eb2edd3f598630e9c1672b580cd8b8072fdfb3f5d117dc08789b5a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\B3ARSLMP.cookie
MD5
4410911f62ec4250dd830bd283060675

SHA1
752b86f4d7655e73d8398ebe8b12657d5d5786b1

SHA256
2c82cb330b5425685238e37ba93e342c794eaafe04dc5edac290958c3b29a7b9

SHA512
7ebbea57fb363ccb0df282c68d97146963cfab6c6ce5e69f93368d0000d493c8444b1ec6b5efe7a0ba56d30280cf1a78002556c6260f8b08bc89d6fc52537752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\UZYPQFSJ.cookie
MD5
fab3f2d345b8a8a2c52cedd8c5008252

SHA1
54803c5aff9d6343ca9b47fa0e2b724bdde95159

SHA256
0c72e80ea002d4dab91b597dd759d635f57f93e14482b96721d140a53fb1b444

SHA512
c41d0b47609015ba86007e7e47bc447710204a39cebc5fca287b9f9e0de8749f19e48f3fa85d9b6a346860258713649c1f5b9e7ca7ddba8e31fc47c0a195be97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZP769170.cookie
MD5
e172e154445b7e55db499ccbda0fabe1

SHA1
8f0573942a87460b5a445e9a7168d390c5f4420b

SHA256
2d1381260fd40daf9012dd6a407aecb5486162841727a210a54b99ec2cc72cab

SHA512
2dac951bf41f1936f67258c87aaca2e50e04a16b498b3ee6fafa9b06b2667bc50eb3eb2875c093a6e2a27edf83fafbbb4323f97e4c3816bc1017c2b3f168e228

Download Submit
memory/640-140-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-148-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-121-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-122-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-123-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-124-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-125-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-127-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-128-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-129-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-131-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-132-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-133-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-135-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-136-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-137-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-138-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-119-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-143-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-145-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-146-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-120-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-150-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-151-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-152-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-156-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-157-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-158-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-164-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-165-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-166-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-167-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-168-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-169-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-173-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-117-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-116-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-115-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-174-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-177-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-178-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/640-179-0x00007FFF64E20000-0x00007FFF64E8B000-memory.dmp

Filesize
428KB

Download
memory/684-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads