d3844832d8214cef2c64d8bbb4116ae16fd17dc7ba74be95b4dc386f3f3de10c

General

Target

INV-37153-DUE.html
Size

1.2MB
MD5

512fb8f68762a521eaf27b7238f94139
SHA1

65ebecb99fbbedb08dcc5ad68f1c864fe424e35c
SHA256

d3844832d8214cef2c64d8bbb4116ae16fd17dc7ba74be95b4dc386f3f3de10c
SHA512

f7c1123a0882abce954c195a0f3b07f0dde823be011f2b8a3d96c7924fe909c5728697e5f29fb29cc00ea890fe46264ea70befabee65bbda90642801afa7f6c8

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c30000000002000000000010660000000100002000000014324dd70537e59952eaaec66c55e27462518bd2e59d0bea52ce88c536381198000000000e800000000200002000000088326817a48c7fbbaadcba813dd39940bfbb2174e085ebc478c3dee28a630ebf200000005174bebeef33c2f5308400bed81cd0ae7caa080228d3a3a9659a99405d73d8bb40000000b5449b819ec054205fa8f1b50420dc35156ceff134bff4e7be47eaada95f9eab89dc1b6edcdcb0bcba27abab75248289fa8e7c15a8b6a5ede60489833af5c6a3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e4087080d5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343237505"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40a5ee6f80d5d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c3000000000200000000001066000000010000200000000e20ac0d42a3601881ca71bb5608ea2fbbf5238d185c5610b20fbf3bd43a4415000000000e80000000020000200000007f3e7040e7cdf99c95d9ef226eb56902eb016a5d4814027875df257a52867b95200000005f759349e9113fc69ffcce7155893aaed77391f0958a61568b7e87c4a576e37c4000000028027720ff16ca4d8dcb139f3f4b4628a1d85fd46e58b650f9069c85092d079de41940a0ded2e357da4702d4c05679cdcf7adda19942f9243b9df1f465d0ebd0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "343286092"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{274DAC72-439F-11EC-B34F-5AE1374FA507} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "343254100"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c30000000002000000000010660000000100002000000086e7427e8de747fafa74708735a00790908cb9698279b64634c6facd694ec87d000000000e80000000020000200000007b179659517611d12872148c2aca98233e134a8a7ff49e2a875c05a8b90afce220000000f6281be8b1230a6da88ca51ebc36670e33195598c1f60d1451b90f867808768440000000852edc8f718062525dd214a56e0fb79a40785c4ebc115f5ca037a868c212b11a669a605ac0ddaaa212c33324656ac965d2bb74a7eb4895d1b3bfe2dbe3f8d2e6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40512b7d80d5d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3024 iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
3024	iexplore.exe
3024	iexplore.exe
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE
388	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3024 wrote to memory of 388	3024	iexplore.exe	IEXPLORE.EXE
PID 3024 wrote to memory of 388	3024	iexplore.exe	IEXPLORE.EXE
PID 3024 wrote to memory of 388	3024	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\INV-37153-DUE.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
7990cbd91bb3e72d5bcbd85c1fe8a8af

SHA1
81a48cb8c1a2db119d5f681cf4d02a2273ae8b49

SHA256
8ebbcb364f17619a144cdab11f0d44848391137b24eb23f34c0979f717e2978f

SHA512
087c8df2e5823876e5a25e3ade34c4b6199e50f1492ebae9b1667d0a24c9fb5d8fc3b5cf128387999c291a0dab4f80b67f6cf7d5b2332a7c5e93e2e2fac07655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1c3ed22c003b0e1724a802f750244f60

SHA1
c83f95230ea4d3ac58c4f5d5a7504b0f5eedf0ad

SHA256
f24de6edda835df45daadcce85ecfeaa1f5a363a16faeff1c16ae55ec57dcb6b

SHA512
7f9f0395307b63d4bda636b132533f5e62b36bfa78ff0850c5ba0a2ebe3f426b0a18232993a35bfe9166d9f86d2dfe2ad6429fc864265a0bdf6d4f1f25d26297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
f3580fefe624b23e7ee08a37dc6194e7

SHA1
21b54997a86bf4c5c7d692f030d92e9b7438d632

SHA256
78be30aff8f3a0f90af8e0cdc3444036228a30160f6c5a970ae9d9a3c37c9de4

SHA512
e8d6e86650b66cf36220e9d75b05a168c5c5371b697b9db6ee500c7a36d3234a0099d74c16f285e1f7288d67f9ea0ec5b685168e6dde05abde3ab2a8a6d61be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
aa9c245fdc55a6af7768581459945de4

SHA1
cd081e0a3dd69d2aa9b79c8f50cff8d1d13a27f0

SHA256
7ebc20526f58b3c3d4509c57a74fc58078463e588c87dbda0ec4a87dd764776b

SHA512
f01403ec887227e064b4f9dfec39adbb496b74008a9d731243218c87d3b02c33b2ab2d75701d6a4b29eb5e6faa963356d52bf86e36d32eb476a223e7b0c54a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FIPPI9X5.cookie
MD5
7814a1ec0d9cad42213456a545e740b4

SHA1
782e3b7b1332dec35e26845513b66bb74bac7f6b

SHA256
1d8f582ad46336d5eca1495c25c3a8fb73687701adf6c57d2c1109fdc1da28d4

SHA512
779876e97bb52990162f38dd46e50354548fce87cece111806270c19338ce05da090ccd5fe0efa2bfa037e5435fbd948502fd03bc7d02d36ed7754f35ac17330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FJXSHXHW.cookie
MD5
4574a1f072d3fe0edb679dd028b89b3f

SHA1
57e158973240f88f6d1c1df176ae9c2ce798bd51

SHA256
e4aa56d7721f65236da06ffb337ba8e8f2be0f3e64271a90f2f053c4414d0fbe

SHA512
57fe0d7d74fb8c746924a146b6efc25c82f6089f762555e83975a0da1a9d9102088253413ca77705bea4b7aaf55b2578a71408eb6b089978b37dd5a9d443e7a0

Download Submit
memory/388-144-0x0000000000000000-mapping.dmp

Download
memory/3024-149-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-155-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-128-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-130-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-131-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-132-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-134-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-136-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-137-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-138-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-139-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-140-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-141-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-143-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-126-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-146-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-148-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-118-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-151-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-153-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-154-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-127-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-159-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-160-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-161-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-167-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-168-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-169-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-170-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-171-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-172-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-176-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-177-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-181-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-182-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-125-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-124-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-123-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-122-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-120-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download
memory/3024-119-0x00007FF88C560000-0x00007FF88C5CB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads