hxxps://eu[.]docusign[.]net/Member/EmailStart[.]aspx?a=71a05407-44ac-493d-a597-758c946b3e49&acct=d43ecb71-0641-4b9d-88e8-b2c7e93515de&ame=olamide[.]kalesanwo%40etranzactng[.]com&d=2016-DocuSign-Direct

Analysis

max time kernel
120s
max time network
136s
platform
windows10_x64
resource
win10-en-20211104
submitted
09-11-2021 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://eu.docusign.net/Member/EmailStart.aspx?a=71a05407-44ac-493d-a597-758c946b3e49&acct=d43ecb71-0641-4b9d-88e8-b2c7e93515de&ame=olamide.kalesanwo%40etranzactng.com&d=2016-DocuSign-Direct

Score

5^/10

docusign phishing

Malware Config

Signatures

Detected potential entity reuse from brand docusign.
phishing docusign

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c300000000020000000000106600000001000020000000e8ed1c58e023299dc14203c2394ded5f3403ad3965e6a57d1e7eb704899b6a6a000000000e800000000200002000000011a8682e42f55438c985b2b94df9bd70635c1306d932b6c8583f149c22d7516a20000000a1977b6d3dcfac2b1172772f9668e9ae81c43be52451d685ab9cdbf0056a0175400000005967c64cf72d7ba2ec4771bd2ec1cb980e7cba6431d43073d5993b0c8674f6d26d8c15669827f4f6c541a9ea247c074d820c247ccef2a8f821790dcbdd110bcf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57A261D1-43C1-11EC-B34F-5A9B42F9038A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8010e76df3d4d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343176970"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "343225556"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "343193565"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2420 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2420 iexplore.exe
2420 iexplore.exe
4204 IEXPLORE.EXE
4204 IEXPLORE.EXE
4204 IEXPLORE.EXE
4204 IEXPLORE.EXE

pid	process
2420	iexplore.exe

pid	process
2420	iexplore.exe
2420	iexplore.exe
4204	IEXPLORE.EXE
4204	IEXPLORE.EXE
4204	IEXPLORE.EXE
4204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2420 wrote to memory of 4204	2420	iexplore.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 4204	2420	iexplore.exe	IEXPLORE.EXE
PID 2420 wrote to memory of 4204	2420	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://eu.docusign.net/Member/EmailStart.aspx?a=71a05407-44ac-493d-a597-758c946b3e49&acct=d43ecb71-0641-4b9d-88e8-b2c7e93515de&ame=olamide.kalesanwo%40etranzactng.com&d=2016-DocuSign-Direct
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4D1ED785E3365DE6C966A82E99CCE8EA_C37F852CD8767F214EE9056200353EB1
MD5
918068829aba2fd47e6ad17db7cced34

SHA1
e233ba1a2e3c350da375eed58816b8b0bd73f75b

SHA256
46e74259b664d5e5eb3f78149e19ee4d3e8f63369065a955704563d279f4f207

SHA512
5c58e4264135dfc4961c01089f1866f810f40962f807c39e7730c0fdc0b3ed1b493e0dc11bdc49e7239380b0a2481bbf30161e86fcdd4dacfb5f979084b50be8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
ea0931ee0abc2503c6c70709255b7f47

SHA1
441ce6f261a6339cc0851bc237bc39dad207a43c

SHA256
25073f24dc38e64e85a73d772859d9cad2ed0858f446e581505d920864206d0a

SHA512
0487683a811a62c685451706632f181ac6412ddd60d9533e708a6e61407ecf34ca1a3e7b41f05b85afa66906901e93863a6b0fdf5357ac65fc7a18f3d43f6bb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
8697ba20551acbbc9cc8d55cb0013485

SHA1
4881c1260561a7951937737d132d64944a4bd61e

SHA256
5f824085d9598fed23e083dc2fbcf08c74bdbca745e2f94b5979136226e37a45

SHA512
ba6e1d84ccff5b013cdb4f9430c6532b65e1233c3be23a99f15e9590545e86de7f9e91134f2b83c7bcae3f710d5dbd9feea560309bb47181b70b3c4f0872bfff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4D1ED785E3365DE6C966A82E99CCE8EA_C37F852CD8767F214EE9056200353EB1
MD5
5606ceafefc8e5666d9fedeba2ff9d5f

SHA1
7a27fceb5c24857955086c003576e15a683e9b01

SHA256
f63b507e37213c0ccb20c294b16c491135e28d4d5058b8af233934dd582c8474

SHA512
a5e133cff12bf49ac1fa039a166023e58b47c08937f1356db9f2947e03a885a33c8fa6a979c81519b4ab266b52692a7c46a5a441b481cbed26adf8c408e26df5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
8aa44a33b5e0ba4927b16e88c8e111e4

SHA1
1ed0fbcc9f33b6503916e3fee07abea4427da20c

SHA256
20f234cbc4c9948916081efdb198802194445fcd7dbef275d1a2343d320c8ded

SHA512
8a1c63c713a436df0363156ec04c9ed75c7f1a5ce5cb59d8cb101fb574de50413e9f4f2f59cc7ffa5e03c125e96da8a98f1363f23b0f7827737ff6f3b2f90ee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
91b84aab7b94c88689218012daa32c16

SHA1
16fad9d9a6061753a8bd3f407ef92bfa26daf006

SHA256
9614f6fb0899608081367a75d429221e38577e490a0c0da4fad3364497f94047

SHA512
05e270969e9be49977815b2cfad451a5a1c5d509739534b738ec7f2538c7b1fb7393259f7ca206a76853ea928fa306a98105872ece9c373039b0febdd70c5941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\70GKX3PT.cookie
MD5
fb91b89d6d6b884cc8542e3015b335b1

SHA1
f3f6fe1231273c1c30e058e9a2f3ee5ce2364371

SHA256
28259254f81377c69c17a001be201c06b888abe5811000fc74bc51fe7ddceb64

SHA512
87a5e8a51ff7cc0228d201374932e6d10c849e69f22dc2980bf8475fed350668409c863c44d780c4f25babb17dbcf23117dfab342b298d0ce5737f1068d3b1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\NR6IXYPD.cookie
MD5
e4b2e78e51effb3b1fa6163cec9ad1ae

SHA1
4d1c5d544dbbd95bfb9246d1a2d31f99df209da3

SHA256
79454e3f849245bb1d6291b21672b0fd9b960ab7c2ffb3c7285c21dfef7bdf77

SHA512
3748541cbb5039638a5047df09cfbaedd65ee70f628aa9acb022464277c23980712f33707481d949b9590a35b07820425835b802238fb207686f248e9edc457d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PM572LLV.cookie
MD5
e9b2ffa56319edb52c77229d7821b79f

SHA1
9e8f54961230d1e314844242133406f1f79131c9

SHA256
63688ed05062c5c0c30ab304b3d18e62257e1e230ef02e5af2df466b1f350200

SHA512
04508a0187338896264958080354eface11fe233117965db1d142e43b9c7e5b6e38d266728e5399d545e2e1fab97e01ef22a87cf8a77a5f93cc522708202cb9a

Download Submit
memory/2420-152-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-174-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-132-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-131-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-134-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-136-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-137-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-138-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-139-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-140-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-141-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-119-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-144-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-145-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-147-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-148-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-150-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-118-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-153-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-154-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-158-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-159-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-160-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-166-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-167-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-168-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-169-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-170-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-171-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-172-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-128-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-130-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-175-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-178-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-179-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-181-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-127-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-125-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-126-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-124-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-123-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-122-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/2420-120-0x00007FF9E9F00000-0x00007FF9E9F6B000-memory.dmp

Filesize
428KB

Download
memory/4204-143-0x0000000000000000-mapping.dmp

Download