2715f779e8e67f04a8de49e5a0f29b667cec8a614cb03a24a9c6cac6e9d88505

General

Target

🖨INV_6204216.htm
Size

710KB
MD5

e517651acf63b6b1e684eee92c473eee
SHA1

de8b7cce62a64e01c154bd0dd579ac3c39914f6d
SHA256

2715f779e8e67f04a8de49e5a0f29b667cec8a614cb03a24a9c6cac6e9d88505
SHA512

4061217a53241c73f913edbae16135b3b1d290865b0e77e797d3d4b6c985187a8491cd3392e75034db8397970263fc8662140b066efd0fbc97985a197c0c7cc4

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d6371fe3d7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4240A261-43D6-11EC-8EC9-6E0E796DF1A1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb1936000000000200000000001066000000010000200000005810faf87050ed06fcd58f0aade89fcce871ca7cf83bd6fff1bf8069011f4896000000000e800000000200002000000076ed68692bb7b9b49d2e6ea904079f829d5bd1b802bbc8164321dd043eae42b690000000c67f45639fddc5feb727a0caa88fe3b6d8ac863098d96f948f59f121b476629c9bdc083287c96a5d4a4d7228e4c064e9ebc8a7a255590fc3d1c13d14dafbb1c721366d9e1675daca25766ae7cb93c2348cd760981813c9853af934ecf31acc49173f9941a152c258da7a56a1e664aaa421b5f0a5f0004d5333b2d686e9b482724eed2ee044b30d7f388a547d7df4ec854000000048b35d9d79380ccca2f0a3ee19a37e466d1de1da807811c7b0b0aacf08e3b6a1c8945ff85e4f226e893a656ef0ffba6f4e543d7582326fb7a5371cbbcdd1526c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343499782"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000a7077c3e4fad5761edb47c44b3caeb42c63f3337a493369052092fc1fcaedabc000000000e80000000020000200000004cbf36a8565be4fba3732c865b12ad95d8fa585fcfc90f3c9fec475abab2536c200000005148f84e9890a1efbde0af030ccaa3ba5a7a3585714c384a7f43f3c7fab64fc9400000009a1da261695f6d93416e16297fd73cf086349ec894ca4b8bdd420a3c327e0af0d8a2c87f9797b7937ee6c5beb5183bdac6859ed18760ef4b999eaa693ed9b7a0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1700 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1700 iexplore.exe
1700 iexplore.exe
1864 IEXPLORE.EXE
1864 IEXPLORE.EXE
1864 IEXPLORE.EXE
1864 IEXPLORE.EXE

pid	process
1700	iexplore.exe

pid	process
1700	iexplore.exe
1700	iexplore.exe
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1700 wrote to memory of 1864	1700	iexplore.exe	IEXPLORE.EXE
PID 1700 wrote to memory of 1864	1700	iexplore.exe	IEXPLORE.EXE
PID 1700 wrote to memory of 1864	1700	iexplore.exe	IEXPLORE.EXE
PID 1700 wrote to memory of 1864	1700	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\🖨INV_6204216.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
acaeda60c79c6bcac925eeb3653f45e0

SHA1
2aaae490bcdaccc6172240ff1697753b37ac5578

SHA256
6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658

SHA512
feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
97ed8c0b4b8315676d9a0d5e430af549

SHA1
ab66b93d8b3dde5db713ab548d8e8c8e94a40545

SHA256
02160fa9bc46e2a3c5eda74b2941476592824febe0983b7683d78b9a1b537233

SHA512
520a7fe26382ccb11a6f369101f3d8bd1187b1de737cb2a44f2cd6d9611054c98721c78908e7a95dc97960e729bc5808681e30680b68db721c810d6ccfad8b14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IQNE5WF9.txt
MD5
c86ba7d4ab08de8cafca217b24f0ffef

SHA1
bec34bc1b7d08d3ac029dceaa846c4222a416387

SHA256
c52cfb2826c74305af81b0b4ba1a8279f4a377e6714857c96bf4f014e495011f

SHA512
41c3b948d255c7bd4bf2a6fdd66ad5c56a263302626cc4f140c6b534791e318295923b5f3def40f0b802cd37d208b540b22f9cba04770ecebccc49a9afcf80f9

Download Submit
memory/1700-55-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download
memory/1864-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing