81124963b7fcb08c77bb05a52a48d36fd1ec957e0129f28f277744c4bc35ec92

General

Target

Maysanmando_Doc#92543.html
Size

421KB
MD5

db2535c802086c8a6d7be256c9698057
SHA1

60d22a53ab56e960bf5d2ea924f222ec0eba76aa
SHA256

81124963b7fcb08c77bb05a52a48d36fd1ec957e0129f28f277744c4bc35ec92
SHA512

899e7264fb78ae996993b01ed5e8f1f7c1f753e9e45578ef6eddb7a932b40ba2f9b8fcd86bfba448bd00d81d530b1bdcdd1eaeaf2accbabc27328366f1b86209

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8797D731-385E-11EC-98EC-4E2873F54638} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com\Total = "43"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\A34C9E1B5ADD94B9AC387C79B80C8128548FC4859E = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000009cdd3e06933a3f52120480eba5b8d189fb8458e7ce211117d93ed9da9a310370000000000e8000000002000020000000f36c979c48e11f949bd5e34051be9003c699bd20f03ab24e556e79274dddd60c800000000c93e1959f74f0ff88990030367d43e152e2e9f022049fc371e7cd6f6bfac0ec8cd638713792c34ea8cac8741207e70ac12867a896a5f03ff6944200272cb8f7deb0b13c2ec9cb0189acdb51cc0b50eb98c3b8cf830e0bedf19e2bc99e4685826d236e668688c609170d8fb934b0283d7aaa17d854d466afdd77356720e60ef24000000039bd95e5a62b6a2b4d8c1c698a994d6fb93aefcf7dad3f2767b2ca5b12cf0abe8847c3b1d696a0b2aa890533b62ccd70d518b613cea7ed31162b5f9276e5a488	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000003f562eafc64b88f49eb85fe0ae8327ad1f3a915263a698103187b4efda90eafb000000000e8000000002000020000000d57687683b364071d3d5774d0b26cef0e0ca143bc69355a99e0d1fe4807c82aa20000000fb87f89d8dc6e15bac782169911c3df5a101f646b667be79149bbc6e5630ed9540000000b894b0cca7c5326c0ee5c2522a58b4716aa98c4ddd5c0ba968801b045d652667642263e01baf8e1044321309a566be0b3d1e5a02b226b300e42a2e809ddc9369	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DOMStorage\outlook.office.com\ = "43"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "43"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DOMStorage\outlook.office.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "342238898"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000005700715ffa1352f361b158063e1bf7bea72187ac73181e1ee19b6d1594cbaa8f000000000e8000000002000020000000474b474666c0f3f32575c06116d90b0c1ec4238dfcfd3710747b3888549ace0990000000eb5fe6f1b91f53fa4c471fa5e47dec04ef6bd2a7b5ce02d15e8de500347b36bb759a8561730daf52cb02aa6bf5f1653b28df34c96ae8dffab1f159087041a027ae00900b70ae05e298f780d3b91170c3ff9aa27d6682228dc5dce5f6473ffdb00d91bc4f397ac13d98bfe76ca82f0cbc3fdac1d09bd30376340fa7185dbd826d4d6dc89e1e6b39a80c3b291b180f298f400000008272e52567e2d2fb42279d04f46f80873444e8922e2ced0bc6c430c5948ea300b838130c53d61888528198d24ca99bd3989d9e70510d5a8504132090d5e6edaf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3005575d6bccd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DOMStorage\office.com	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1812 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1616 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1616 iexplore.exe
1616 iexplore.exe
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE
1812 IEXPLORE.EXE

pid	process
1812	IEXPLORE.EXE

pid	process
1616	iexplore.exe

pid	process
1616	iexplore.exe
1616	iexplore.exe
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1616 wrote to memory of 1812	1616	iexplore.exe	IEXPLORE.EXE
PID 1616 wrote to memory of 1812	1616	iexplore.exe	IEXPLORE.EXE
PID 1616 wrote to memory of 1812	1616	iexplore.exe	IEXPLORE.EXE
PID 1616 wrote to memory of 1812	1616	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Maysanmando_Doc#92543.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
f4bae6e2ae34b4df10b88af2af48bb79

SHA1
c1d05e65d29a4e600d1f2fde45bb28fb41a20a61

SHA256
794cdee8d3c1e2b1f2c28b1898cfb47fa759db06859d85ce19047a4b5934605e

SHA512
e62fe5d584961ab6d8848b0e07bba2d5bc014dfb2fff9593a8d35f463dada96d36f45c9a959a46c7eb2c4e67f9b62992f5385202f5b426e43a87ac3218e0c5a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
d0c19546e4e1d53efa073c7df36acaa1

SHA1
9aaf4fa7296b8c8f25800abf9bd253d4fcb2f3f8

SHA256
0f35a1d8fe5ee07b021305cdd038998c06d69fe4bbfeaf899ba659a5d568d218

SHA512
0016440937a483df3aec3407d1a76f2469e9d43111cc5b53750ef6f1d349a1303ac22b37a3394d6c53b1868a9e39b79308c66c9b48bd3688073f37716776fede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8c65ba4b7965976b7354d1a80f0fe8f3

SHA1
a0ae77bf319773487d41694a255b86e2518a275c

SHA256
357e7f3a5e8d3c34fad96273b1803767ff37e87ff293ea19e1678d2efc821038

SHA512
1498e5b2167841dad443002824cd64cb82470adc2ae10fdf76ea5a741a09f7eb0e807544b60b0f6e83cbc1df2b46a1e1b8bd8e0e9485413400f25eb92f91a8d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat
MD5
cca1943618f0555eb45dc313eb9e7b01

SHA1
379e2b6a7eb54c1201e93526a025246f0c6f29ec

SHA256
d3d3da656ce0b77e79a75d9fd88e108340c25c968ea54ea8d098439c3d37d83d

SHA512
0b81efe805607ba6d4576e614d179fb793628275afed180d2cb22a0af534b5c2483b48f1d364746d3c3f87091b6b61d27fd6736bb2e370dc03296808519fd8bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat
MD5
14b7c6bcee9fbdf5966aded05e850446

SHA1
51cf608c8fa33572d375e6adff645cc6e060d602

SHA256
756bfd8273ee53aa407cbc3ad63d4a4c38eb57cad2ea7b4e8c6bce10883867ae

SHA512
9dca4b56a5f93505eb21c1a4bfa2ffea56368df18985d34d0585b1dd26b27670ef53a1454e2d308c4ea873bf118397090135c6afcca0fbdcd860119134dd1122

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JSFCQJP4.txt
MD5
0c61a24d884bf5fade9f924f1c7e4cd8

SHA1
2392b19b121ffa2335ba4dd3e8ed864e8d706a34

SHA256
1f1214c6fbcceb90c0b90b1285c008a0ae27a337c7a9dab02f23e59a9ee7e6bc

SHA512
201ba752d84de9adba1501c85ec356daad93b31dcb43fe6eab7d7d9d1c155530e8cb999b7b7f169c865d4255bf5db0d63fa8a5ad08d35d1c600107bd0b7ef2bc

Download Submit
memory/1616-54-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmp

Filesize
8KB

Download
memory/1616-55-0x0000000001F40000-0x0000000001F50000-memory.dmp

Filesize
64KB

Download
memory/1812-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing