hxxp://page[.]link

General

Target

http://page.link

Score

10^/10

google phishing

Malware Config

Signatures

Detected google phishing page
phishing google

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "7"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://firebase.google.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2142aa1d1e72b45a608bcd6d9f6bad6000000000200000000001066000000010000200000007cfeacc4511f69fb284a36edf0588c318e545da185a684473b4e67907c944831000000000e80000000020000200000005560c3ea16aa55bd3969b487698a7834421cdf4ab0684321135ff577e3be487a100100001282e225019602b11d69bb6e6e71ab43a5533fa1d1aea6ab905610ba3d65cd0a17118bc244b6a50cc7fdc48c172abfc9dc140fc8d362e0f6714c9588ad8ceb75330b413858410abc363cd774dd298b6eab93e130e9570a027a524efd20d66ac1b4dad25e8b675c1c0988d13ed18a75c71483678974639587491867533ad010b625293793e6b6501f82450df677021dcba7e7e7b2a7b288e93e1ea4fa89116ad9845c9e6e0ddab2962a4eedb8637b0c6a251dc29c320c72e1890dd127cc29bbcc410cd0ee5c5c2732c5189165fb207f751f6758a1c21f06c564461442f8b03c27a80e4842b0c70abbaba6f5ce7da3a644ad2139fef9f332cb1629a9223510f90530233feb97653574fdd2c5dca28f04654000000082bd5c0544c68236ec4e6bc12909cfcc48913b1d8810e19e2f1789407ad17f57237b9a8a3e956c4f8a3540db155902612042ff0543b5f69231a14fa8a4196a80	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = f08a0971b796d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364481697"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9058a36eb796d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2142aa1d1e72b45a608bcd6d9f6bad600000000020000000000106600000001000020000000974b7a153587eac8449fb195c7a480baa190e33689ec989c8e4208a3cc84ee78000000000e8000000002000020000000cfd736daff6bb3324bebd458f66b52c3b23c3c90ae16c33127db347a30ab2209100100004eccf3c629a0259a5fe925bdb716c156018b4a4441b51debc0015682c1afbdda18cd4e0074e1ca583b0f905994a7e3c7e3d9d63a26fb3ab310dbb382c9486764f27c0164d6b60b06c8e2614c02e54b76b20e923b3b0a228bbc32788aa924e8eaaa36a2b4f3b7110c4740b5b23593ae829418a7f37fb060fa6d784d1a7023f12a6d527fd50f238b9e104ed7f3ca6116640e5dd4d3ef510f34eb69111ed2028b13098aad583475269702125c95b34036c536a80ab3a975c274a723a35d2690d5d9c3be09c5ae8c145c0cff665e8efbd4feacf07df80f34ea0acb012db5b06c92ac7ad908f58a92c7c8e522d19f0a2d177e60ab0b5b62f40761fe1bdeba8f5f4c733fe235308b2241685eebbb0d6bda045840000000245c486c6d464df5894e2025cfc7c4a7d8de19acf86b037c8e5f6b464bbc671390a7f2e20ab2614915d8e62cf88d08c802ebd68a859c61eb51aeda1fa53488e8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2142aa1d1e72b45a608bcd6d9f6bad600000000020000000000106600000001000020000000e13e2a1e385e6fff8655708eb2638f21bebe6ccf1cd142313ac1111954147a28000000000e800000000200002000000027578dabcb160a242ff5990b8983f6022261328c00bb234d7adb16fdf9b3b49e900000004ae85ccba4c96da3f6df541794fd429b03d7ec1cd62ab3a07e695edc30cfaf00034ce171217a8c8ebf1db56fadefc0ff04c1841529cae86170910feae4d256f8b24be1fc887d26a041548eacd77dbd0f24a8983f682731f5234c1d1fdda655fdd2bd8fabd1711b904bf0829d38da8c312fadad4fc58b904bc3948f8e38886237865c3c43546f2ee05a4f9d535e4eea414000000082f2bfa7e26ffd2dda6db3227463835137c99b07c3b5b958e105f8ff2a781c42fc94849d7d042ea577fe0e64b534916c2bbdbb144c9eeac9af525c0976a3532c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "7"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2142aa1d1e72b45a608bcd6d9f6bad600000000020000000000106600000001000020000000a8998538b70d0c327432c3a8639b0cfd8cd81bc05664754a64a7e31d709e724f000000000e80000000020000200000002bfefcf051a9fb448aa279aa5fbc87b40e18dda0a6ae8e0f1d43e19233f9fa252000000090ed52ae9eba69cc7caafa6f9e7fcae6c897be5662e6fe2673554b80bb0c69334000000071a65764f1119efaa577c69563f022fc2da32a3b8d6a8fba13505b914f6aa80c1f0103273d49a9c3ce5c3ae4c3c74d958b3a03bb0be5d17d297192b4c28b2e9f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com\ = "7"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1864 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1864 iexplore.exe
1864 iexplore.exe
1588 IEXPLORE.EXE
1588 IEXPLORE.EXE
1588 IEXPLORE.EXE
1588 IEXPLORE.EXE

pid	process
1864	iexplore.exe

pid	process
1864	iexplore.exe
1864	iexplore.exe
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1864 wrote to memory of 1588	1864	iexplore.exe	IEXPLORE.EXE
PID 1864 wrote to memory of 1588	1864	iexplore.exe	IEXPLORE.EXE
PID 1864 wrote to memory of 1588	1864	iexplore.exe	IEXPLORE.EXE
PID 1864 wrote to memory of 1588	1864	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://page.link
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e2be77e220403fbefeec9cbde761ffdb

SHA1
c777af2f0fa4b6f8710eb392353200d6118be0d3

SHA256
37af53a0c69f4e16fefbddd66717702443d0f95c07d7a652251a6afa2aabd376

SHA512
6bab3cb1f9f1df0db1560fab0766e164ada89204ec6115ce7dc8309ea0c5218322efeca312ab7ea3371ebbabc6212bd963209329fce47bc76090afb290e159b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
Filesize
5KB

MD5
91f55aee14f88a5ea4e56e863687723d

SHA1
276cec35b73953ddc10d3c58abc50ab33dcd5fd0

SHA256
c29b5210253b88cd848b10979036dccd977dc51e937189d44a0c62ad1f133b9a

SHA512
c1ef850d7b62fc1ca032fd231d51d08078921103776968507fc8f73374170b78c2478ab81dd7b71649d8b702247553f332182f0a5831e1fd88fbd200a5018389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
Filesize
10KB

MD5
f809bc437f5a96bac20f017c14fefe1c

SHA1
fd3fc0f9d068c1642653484f5d7f13ac37360f5e

SHA256
a6fe899bdf30f81624a8155169b0efac957fd627b87af23b20de86a25b4ea80d

SHA512
d880187f5fa0ac384493d49772a27e4d94bf6719c02b80932d9a8b2276f35843be4a96b9bc5806cca68eeb8ac456655305201c20bfbcb7c3ebf63fa585307d2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WZ8W4E5Z.txt
Filesize
604B

MD5
c1bc395ca3c95265718f8a44967b46cd

SHA1
0d47ff4ed329385bb9513fa3a94bf8e117ee5e2c

SHA256
d1f7b9b64eabc6a13b199199880b1d58a0a14fc7f14023233983f70b67d90921

SHA512
66966f16960eddd27acfb1e75281ea2441069bd18d0522668f2161a7a707b1ef2009f1dba801844da501f4f1319b659c2382049142707770110e86d0f3090633

Download Submit

Analysis

Sharing