hxxps://onedrive[.]live[.]com/download?cid=540EC15E17DE966E&resid=540EC15E17DE966E%21107&authkey=AJ34FnCVandAjGQ&em=2

General

Target

https://onedrive.live.com/download?cid=540EC15E17DE966E&resid=540EC15E17DE966E%21107&authkey=AJ34FnCVandAjGQ&em=2

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000281eef3a5d57da76b02012214d788db59df7bdbdcf3c976633a023445601216e000000000e800000000200002000000045fb409780440cf8e04eb7e03bc9e425ff51f9c8f488009d62b9abb665eeb574200000001800d412128e069664526121843884fb25279fbd9e643f2f69453b6089f1a8be400000003ebd207c6c7bf6448feeab4dd79e5b0eff1d18c8754e1bf6a30a78811e5b30ce8a72f28cab4f3bd187e42aadc2bcec9b27b99a1dee860544bf6dcf6128aed8c9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40bd9f608fd5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EE15CB1-4182-11EC-B48B-6628CB9A22C7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb19360000000002000000000010660000000100002000000075ca4d9ccac3e4ea876846b0e31887ea355916c0973fa5e995f12f1e92a86106000000000e8000000002000020000000a0fd9be7a5b1f4f15499ed2efdbefc5950c54e9f76fe285607fbf60939b7e2ff90000000b555c1d4ff796ca6db2ad19e6e75465f28789a6c0cb0420b5df3dd091a74c468dbfce36f5173b57d5c5bc9966750ba2973c09ce2263ebcf59f5faadc07dd2a03a38506ff6f2ad72766c88c0a58ac4ea141ea1004837a68468cf140fa9d2230e2618199c4e9a2348942d10307b8b7da041eb965f74c38a091534344cf1f0d646fb42854efa2c4b09f45a324fb4595e06f40000000c791d121892fa1b97222520193d933535f91b7f75d6943974895b13ebde7e6bc00f8d853f7df441392e8108d7307c7172c8c7283ad33945e4de1fd862de08f2d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343243906"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

956 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

956 iexplore.exe
956 iexplore.exe
1776 IEXPLORE.EXE
1776 IEXPLORE.EXE
1776 IEXPLORE.EXE
1776 IEXPLORE.EXE

pid	process
956	iexplore.exe

pid	process
956	iexplore.exe
956	iexplore.exe
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 956 wrote to memory of 1776	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1776	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1776	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1776	956	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://onedrive.live.com/download?cid=540EC15E17DE966E&resid=540EC15E17DE966E%21107&authkey=AJ34FnCVandAjGQ&em=2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
be13634e20a227787cac1290365ec07f

SHA1
28452f95942d6b118b739ff8000fec61a04c8e81

SHA256
00769bdc1c8b8384cf78841326d50756a37e014ace2d7c52053a380f23deb2c4

SHA512
9e7ee725177dca00d2fe868fc017e734578f09c15ce55a9c8cc7daab1d6890a79acdb103904e7d05d353350590224ae1180200f6f5fc423648aee01e4e2d1762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\r32q9i9\imagestore.dat
MD5
c14c4a22470473162fc1a9ea3b03cf58

SHA1
2059ed8615b5976eb924f79c730f87d145aa65b6

SHA256
ba50ed1989430a40d0bf811e654b9f0bc1a1f57e42a8c64cf148ed58a2f81334

SHA512
951c2da264869123dfe7a6046804244d78b5f2db2d2939e2133bc97e9d4c9e5d50c9e2cc42d8b7c78289feb0a4a28c33ecb71a77837b1956a2e5efc1d92e99c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SLVGT3PR.txt
MD5
471726fece321e6d918cce9d3d3e1eda

SHA1
e48200f66002dc1be28a40a48badf9c4efad4b24

SHA256
e53eea82afd6729f759bb495009c7d3402b9a0fc0e506dda225dbc8f80ab8f06

SHA512
276538b94ab813d3f064eea485a1c624bb0c3d06769d6c1c8f606af895c331bbe6028af337be429072e3a2816e8f45e876554658f893c0fd86dfc26c0384feed

Download Submit
memory/1776-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing