hxxps://docs[.]google[.]com/document/d/0BzpRHgBmkelPeS0yUE5EMkpHem1idGdMS3JWU0pZcHlrcjJr/edit?usp=drivesdk&ouid=115018010936808814464&resourcekey=0--YCSzwT619v3YncOOzPbAA&rtpof=true&sd=true

General

Target

https://docs.google.com/document/d/0BzpRHgBmkelPeS0yUE5EMkpHem1idGdMS3JWU0pZcHlrcjJr/edit?usp=drivesdk&ouid=115018010936808814464&resourcekey=0--YCSzwT619v3YncOOzPbAA&rtpof=true&sd=true

Score

5^/10

google phishing

Malware Config

Signatures

Detected potential entity reuse from brand google.
phishing google

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0048CEDD-E10B-11EC-AD90-FEA8B733FE75} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d44f7c908017924dbb36ebe98e677ce100000000020000000000106600000001000020000000ed1ae5595ba2277323b0f1567a8c1046525747f9ff6e6a3d48f5208ad7d15432000000000e80000000020000200000002bdaea93cf9312fe4493f2edc780bf9ce2de5e87bae9e2afff013f1ac7a108d320000000821a2f36a16914087bacc464fa5af8caf2c102dc39c542565913470eff851f4840000000f1fcfec24a7578a291acddec4dd291c704115bac497fc59437503dc6c1927cdeda7b03458e0148b83aacac4fc1ebc8c434724d3cba64d7ee5d87d4496d3865b4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3578517878"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70dab2d71775d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5032c1d71775d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3567893082"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30962967"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30962967"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360784766"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30962967"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3567893082"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d44f7c908017924dbb36ebe98e677ce10000000002000000000010660000000100002000000045ac3de8bdaf6f35c7d45b1a648d2d914a8a8890d784b759cb50f35a063d31cf000000000e8000000002000020000000c9e38493fd69d3c89e7a40843113f33bf65ace3b2a9ad4934742a24da6911b0e20000000b7ac7fb34e9d3991f45951749224b01f8ca384b5cc07615fb6880d5bb22ba75140000000b283ca9af522103ba5b2ea882ae36393a8525bfbf89c0ea3f915c2b683bd3d72e9e0c254d9d4e99761a8df2792743ecb1422e41351611d5f202b2e83dbf019b5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\support.google.com\ = "0"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4644 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4644 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4644 iexplore.exe
4644 iexplore.exe
3896 IEXPLORE.EXE
3896 IEXPLORE.EXE
3896 IEXPLORE.EXE
3896 IEXPLORE.EXE

pid	process
4644	iexplore.exe

pid	process
4644	iexplore.exe

pid	process
4644	iexplore.exe
4644	iexplore.exe
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE
3896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4644 wrote to memory of 3896	4644	iexplore.exe	IEXPLORE.EXE
PID 4644 wrote to memory of 3896	4644	iexplore.exe	IEXPLORE.EXE
PID 4644 wrote to memory of 3896	4644	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/document/d/0BzpRHgBmkelPeS0yUE5EMkpHem1idGdMS3JWU0pZcHlrcjJr/edit?usp=drivesdk&ouid=115018010936808814464&resourcekey=0--YCSzwT619v3YncOOzPbAA&rtpof=true&sd=true
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4644 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
5c0c2169ab43deb967d1f3a88e654579

SHA1
e8dbc5cb9da5f4ba115b0bf6a97169824c3181ee

SHA256
3e75204662a1c0b57e2db397d8164018ed47a5d451e73c40590f192adb9d0cb1

SHA512
de4350ccf4dc05617586bcf5f4006fae29663d48c931ce051bffa9c9a7b7b185ea85940933ef8b876132c3f3500681c26164e43dbfdea2277d4491dba37c683b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
5325107bfd983b8f091f1500d808a551

SHA1
7843291b3c69df883da2f9f99c42ecb7ef0135e4

SHA256
3678c2d170ccca91c4b99c5ab7fea889b5d98cb39eb31705aaa4afb19b6310a9

SHA512
8d07c0afebcb409f5156508b7d0ce2cc680c3331defb51b86e229eb6e3cebab19a16028da0c69d4de79212db8d55bccba63ab2ac107f1d06b257c53eb5ac0afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jnqp20o\imagestore.dat
Filesize
5KB

MD5
096caf81b33ad91ef32174b11ab66f4a

SHA1
90c218cc1e4d03794cf8a0374a7c24ede144cb28

SHA256
b5756020dc64d4bf3b1ee02d95a44a45193727cb78186313e62634385fe056f4

SHA512
02a886fbc7b8e7623064aff4c2384462beb2e598b22a841c528d3629e8a83c36f658aad56e31c8685add1fd564e8cf0859c086e9ba826fd321fc89ea6ec491e7

Download Submit

Analysis

Sharing