3e8a6cdec188c0ec8a963c6069a585cda2121c2cd66bbee0e9a8c02b7710f183

General

Target

New Fax Receiνed For.htm
Size

710KB
MD5

cc600e0ae18f94b7317b73f49b119fbd
SHA1

ec1eff7473bd7743658c75555b3f3b467ea9fb85
SHA256

3e8a6cdec188c0ec8a963c6069a585cda2121c2cd66bbee0e9a8c02b7710f183
SHA512

63a14ad8b0a3c2a134616ce97657d921924b74356bd4a2faf7153c170a6f280e1325ac67bb32e4b0deec726ca13720f6f7057e7f5ddbe479d8bc93a058a27a66

Score

6^/10

microsoft phishing

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1056 4052 WerFault.exe iexplore.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

pid	pid_target	process	target process
1056	4052	WerFault.exe	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\International\CpCache = e9fd0000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\International	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\International\CNum_CpCache = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B85EB787-43D3-11EC-B8A2-FE5CCB647586} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009acbbc286be63c4682a409f320de94d7	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1056 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2700 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2700 iexplore.exe
2700 iexplore.exe
504 IEXPLORE.EXE
504 IEXPLORE.EXE
504 IEXPLORE.EXE
504 IEXPLORE.EXE
504 IEXPLORE.EXE
504 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1056	WerFault.exe

pid	process
2700	iexplore.exe

pid	process
2700	iexplore.exe
2700	iexplore.exe
504	IEXPLORE.EXE
504	IEXPLORE.EXE
504	IEXPLORE.EXE
504	IEXPLORE.EXE
504	IEXPLORE.EXE
504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2700 wrote to memory of 504	2700	iexplore.exe	IEXPLORE.EXE
PID 2700 wrote to memory of 504	2700	iexplore.exe	IEXPLORE.EXE
PID 2700 wrote to memory of 504	2700	iexplore.exe	IEXPLORE.EXE
PID 2700 wrote to memory of 4052	2700	iexplore.exe	iexplore.exe
PID 2700 wrote to memory of 4052	2700	iexplore.exe	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\New Fax Receiνed For.htm"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2700 CREDAT:82949 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:4052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4052 -s 2520
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-141-0x0000000000000000-mapping.dmp

Download
memory/2700-143-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-120-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-119-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-115-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-121-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-122-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-123-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-124-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-125-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-127-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-128-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-129-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-131-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-132-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-134-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-145-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-136-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-137-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-138-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-140-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-116-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-117-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-135-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-146-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-148-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-150-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-151-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-152-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-156-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-157-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-158-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-164-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-165-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-166-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-167-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-168-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/2700-169-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/4052-173-0x0000000000000000-mapping.dmp

Download
memory/4052-174-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/4052-175-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/4052-176-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/4052-177-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download
memory/4052-180-0x00007FFD2BE10000-0x00007FFD2BE7B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads