43fcc0500664221ce892a5ce713e27935b478389e463e8bc209880960acbdd83

Reason

Machine shutdown

General

Target

ATT0002644.htm
Size

429B
MD5

9d950526df17880d6dd9a2c062460514
SHA1

6ba6d639957de2090e11c846267b16f1f653069b
SHA256

43fcc0500664221ce892a5ce713e27935b478389e463e8bc209880960acbdd83
SHA512

f08731f68ad62fd50398bf0bd66d602700f2f2b53bc4fae9412cc0eb7494419eeb13d439733d2f49c67ce93214a96c8027e4170bb9ef36beccacd545e80af157

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://www.facebook.com/"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 8802dd1d12d7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\voiplogger0365.xyz\Total = "100"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = c00e351812d7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "125"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url8 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "232"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "232"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\voiplogger0365.xyz	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "64"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = f041d51412d7d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab000000000200000000001066000000010000200000009e5bc3912a404381106a8068abe774e15cd11c4324defc2d390db777c10d9997000000000e800000000200002000000026c82188f2b62fbb64c7cd4f4e8a6f4937f1b048aedebfad0d62664c2381e2f85001000096a6bab37039e924b0562e74dee5427683794489ea8296ea7a67a3449124879c9de7db19a8d535c651732d17b92b244c846dce415fdb548257d59658833a2cf060348488e019174066ba304acbb2124493b7344008e06836b3f25bfe66c71485c28c44cca2bff4ba81a0cb157813129065ca4687c36784430a8747911895115df752479da6070debcdd7895b280039f389403f1239a5f6bbcde087b443b81749e10b6b357516c45361fdf1f9cc70bfaea78b7f72bb456f3d42aae5c8e920437c193125b399d6dad37552e1574f606b49f9ce5f1b0c0a3a96e3d5dcc49dbe9a234f92207b35080d7d9e0b1bfaab6ff767871b3ce0757b31508caf6f059c1fe9d81132a18a7a48e336ae97779cd0387081d15e63193713960b3d0ef8367823fa8657080dcaa7322e13702dbb5c8c3a72c54f42d5983ffda296e584273ef2a6c15ac358266d5f364c57372561805b6146d640000000d250d13411a190084d632b65d92803cf679ce2da581005923080ca7dee5f413668869eb9dac48232c177c5ce66f70352bc4597a3c442411ec95dd18f4ef758ef	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://www.facebook.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://twitter.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://server.voiplogger0365.xyz/main/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = c00e351812d7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://login.aliexpress.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://server.voiplogger0365.xyz/main/main.php"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DBCE7D1-4305-11EC-BC95-42884776E148} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = f041d51412d7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url8 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://server.voiplogger0365.xyz/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

880 IEXPLORE.EXE

pid	process
880	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1928	AUDIODG.EXE
Token: 33	1928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1928	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

976 iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exe

pid	process
976	iexplore.exe
976	iexplore.exe
880	IEXPLORE.EXE
880	IEXPLORE.EXE
880	IEXPLORE.EXE
880	IEXPLORE.EXE
976	iexplore.exe
976	iexplore.exe
880	IEXPLORE.EXE
880	IEXPLORE.EXE
1612	iexplore.exe
1612	iexplore.exe
880	IEXPLORE.EXE
880	IEXPLORE.EXE
880	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 976 wrote to memory of 880	976	iexplore.exe	IEXPLORE.EXE
PID 976 wrote to memory of 880	976	iexplore.exe	IEXPLORE.EXE
PID 976 wrote to memory of 880	976	iexplore.exe	IEXPLORE.EXE
PID 976 wrote to memory of 880	976	iexplore.exe	IEXPLORE.EXE
PID 976 wrote to memory of 1612	976	iexplore.exe	iexplore.exe
PID 976 wrote to memory of 1612	976	iexplore.exe	iexplore.exe
PID 976 wrote to memory of 1612	976	iexplore.exe	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ATT0002644.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:976 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:976 CREDAT:209975 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
6d9fa0b709f9eddc1a2ae5393eea76f5

SHA1
4ad4a0c70eb180949acf3c2c1fbfafad4506fd0f

SHA256
28b1ac57019df9cf1f10e414c59a425dd3a8cbb4b45a733404689649d2b67d61

SHA512
bef3c3a4e1671ac2c66c49e418170e409df5d4e3f93227ba638cd08b43fb566d3ab20a7325e9ab3c0575bfe8a31cc337feb7cf3a241f8bd4c0952c70c57f4bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\01ppg24\imagestore.dat
MD5
9e892114c5aa07fbce6c1b46ae18ab7c

SHA1
a3344bb6e09bd41b0b2b863e37f32560290e9cf9

SHA256
c7187d9632b601e955ac155599be202ebca142c0c6c4969d79fc8f64d33a46e6

SHA512
61b334d1f29780a6d9441e3286332dce4e369ed65d1e46e89de7c6f1e78df5ea098644d24a900657801a45de6a9e77383b3744577f56f5ae0b369654a8f0b72d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8QLR9YDU.txt
MD5
d059f0b45aa465e279695689ac988e55

SHA1
74d840dcf506dc880a4ee85647b98564471593ac

SHA256
57a571722dfb4fe30e8ebfa62ec8930a1e4cfc4e6432af054ab77c18e07c4978

SHA512
9d6f91f5145c28bac6d5e5898c9dee02f7f22e15d523dc4b658b38c4df12f814e1edb9a48a89145526f048867e9ba8f9286b9146f67e40ec0b96f85cff39d9c5

Download Submit
memory/880-55-0x0000000000000000-mapping.dmp

Download
memory/904-65-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/976-57-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/1232-67-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1612-58-0x0000000000000000-mapping.dmp

Download
memory/1612-59-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/1612-60-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1612-61-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads