90c464099ad4f02a8c5925a0f631d4d9b6e75a425176375bf0e170ecad50d561

General

Target

Payment Advice.html
Size

173KB
MD5

f960ac2710faa1aa99b3fb5c69ee5720
SHA1

305de909371eff47b4e758f6d3d7afa60e478176
SHA256

90c464099ad4f02a8c5925a0f631d4d9b6e75a425176375bf0e170ecad50d561
SHA512

10df22208b6148f3c639067210a7dcb9a4dee3d538fe8e05b1f8eac415b6841a33e6bd761f2d1862e577a0637c483805c9cdd12c4be5987b087099b80df5c06d

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb19360000000002000000000010660000000100002000000007cbb030f46a70466ee451aff1340b826df8a5ea9efeee5e53160e915bbc1608000000000e8000000002000020000000a72e1436774a8713dcc0c75a453cc6dd8efdb4abf88046e29e483ecc6c89ee3e2000000041e671f6425a15843230470718c7777c28da22007a433e973d8e8661441e99654000000073898d7382efbc9d8019b9b286c536a633f9a2c2d0888bd518b9e6f8bc8049e75344c8c65cc4b9053080b4700029d11834f5f23c5974c3ecb6b6d02052909c09	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343408883"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E2DD181-4302-11EC-BFD7-6E82E447E8A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701d85780fd7d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb19360000000002000000000010660000000100002000000073f17969daecfe01ce4e88c8775c9d5aa5f065bb282e4bf61b623bf0f80ba4bd000000000e8000000002000020000000a34658375f9a20463d1566be2514a7cfd0a6d93df28af66322eb28af884a56f790000000860cf684ad80402d7baa4bf8f1373951d79a4818c2d659a0b065422b447d9439f48c945dd29d783af762cf66c4631f352406223a721e44e726ab1a33b3d94794ca4c18b3dfc9acd12b9fa1be92f278cbcb9c9b111140ea8911268c38f258988cd15361cf509a2c8d99b1ed6b19b7566da00d1d57aa713b10108c885c6c306e408ddf694377edbdd115016753590458c14000000002331b165c00bddbb574486539dbc620416976cecb87c1e474543930ae1f8b540b8c38ade1821d774bd86e3290b8f74a08dd27f72eab2a20cc7715fc1b9791d1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

944 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

944 iexplore.exe
944 iexplore.exe
1464 IEXPLORE.EXE
1464 IEXPLORE.EXE
1464 IEXPLORE.EXE
1464 IEXPLORE.EXE

pid	process
944	iexplore.exe

pid	process
944	iexplore.exe
944	iexplore.exe
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 944 wrote to memory of 1464	944	iexplore.exe	IEXPLORE.EXE
PID 944 wrote to memory of 1464	944	iexplore.exe	IEXPLORE.EXE
PID 944 wrote to memory of 1464	944	iexplore.exe	IEXPLORE.EXE
PID 944 wrote to memory of 1464	944	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Advice.html"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
acaeda60c79c6bcac925eeb3653f45e0

SHA1
2aaae490bcdaccc6172240ff1697753b37ac5578

SHA256
6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658

SHA512
feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
efebd7b18f607ba44f1324edd02ac837

SHA1
e36032e73c0a9b2d04913ddfa43d2554a3af70fd

SHA256
184995977e6826caaa09d1beef617a505ea33ea133c40935d24814e16495f1ad

SHA512
34549a9dda2ac9f293f8e04f47a847aad79bfe3bce92e975b3cf24b123c7ff565a3f544eab11489a480a744193755099afc4294126e1b4823c7dfd0a51cb13b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\r32q9i9\imagestore.dat
MD5
f24f4c98689d21e59e42104fcb275283

SHA1
78404f7dd04f82c0ab8338fbad434b997576f863

SHA256
7764181fbf17afdee7077474d95a7edfbdb6501f20ad7d2e32aaf4ea98214f2c

SHA512
1707510d612d3e8f7ad1e71790c861e5b208d2f5c40969d0823902eba9c6a2ad5daa42f431b7b263c09f88edb3f96e23294f62802af9fe734bec4665f455475b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZTOX9SBQ.txt
MD5
b7d73530b64f22efad9df008903bc5a0

SHA1
732bb56d9bfc615a6d3743be720f7abb1958cb33

SHA256
b5de0692f06a806c6c010dcc68a2728bea42f9823298ef9ebda268eb363e8a27

SHA512
cc598c6bf3e3ffe2d6431f7a4936fbabec1bf14edd44b403b9f6dfd8b914f3f8e84455ac52736d6001a2cb51cc6c9320a46e867ca62aa5f27f741bf00b4cd31b

Download Submit
memory/1464-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing