hxxps://content[.]mileskimball[.]com/?FFjsyR1SJ95xn9f21v9fMuqSokdbEKsUF&hxxp://waXHSfu[.]8ECbFsR[.]postmail[.]co[.]za/?=andrew[.]weil@smith-nephew[.]com

General

Target

https://content.mileskimball.com/?FFjsyR1SJ95xn9f21v9fMuqSokdbEKsUF&http://waXHSfu.8ECbFsR.postmail.co.za/?=andrew.weil@smith-nephew.com

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906ec0dfb1a7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f00000000020000000000106600000001000020000000819ad214b8bbdaa496806e92c4511ed34283c404cae7dade678ea4e57138361f000000000e8000000002000020000000b3dc6b248ae5e9a3edf13c5eab69162f0baccde1c9fda2101c5be308c52a34ce20000000a5ea2ec594ec9b167661e77a70d43adedab44112a7809704f2ae8806983bc8a64000000001d6a69386a374392e4dd0dac4a6ee79d7d6fdb7457668611373911ff9195c0ac064612f61ad0cbba76996f988fefafc38bebd4fd5eb460abb3463846b2478d6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366348503"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16941B11-13A5-11ED-991E-CE70B6A6E460} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f000000000200000000001066000000010000200000009059d753bed45b220376db906c33477408979b2f6335623fdc6b3a900d15deea000000000e8000000002000020000000bdca723ad500500a0072fd56532fb95802b4b82b8453011e2b1f7b7866a3658290000000d147a7bb9faf1456327a23471a370b0c6112ab7a2029d60680779652ca0887ee5a81ba32944f6f7b19dffda37c402fafb7d851bd1959057ebe2138529b948c9f40df4b21e4ab1ded53c5befee13f03f17bc77b2d8870bb668cc71825ca178a4dade006a5cb4322c2ce68701a02c477f7b4acfa5f6bf316ab59f7bb75c84da4f4cb25fc8eec18134990040b5f4b54e87640000000e5e3710426a8b4e0f63fed26bf071e58e1c2b71a8bb2b385233d0bd38186b0e528cb478b0edfb235c29dc2e12b1d4451b3042fcf0099f336d342a8a674f9c135	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1264 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1264 iexplore.exe
1264 iexplore.exe
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE
1704 IEXPLORE.EXE

pid	process
1264	iexplore.exe

pid	process
1264	iexplore.exe
1264	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1264 wrote to memory of 1704	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1704	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1704	1264	iexplore.exe	IEXPLORE.EXE
PID 1264 wrote to memory of 1704	1264	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://content.mileskimball.com/?FFjsyR1SJ95xn9f21v9fMuqSokdbEKsUF&http://waXHSfu.8ECbFsR.postmail.co.za/?=andrew.weil@smith-nephew.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
8a5dcb7849f5b797e5c5f5ea8ee621eb

SHA1
3abefa570e0002089b0b791e0420c34bad0babe9

SHA256
9e8e3c67159e1208064c270d512c601a92303184ea5afb0b618c013dd56abd8a

SHA512
2aa0fb314d2a9a6ab189706688d38c6ba93e2b5a0cebb0fab3dd3106fc61c42ac833eacdc838983a328787484f014aadfccc602b6c2c3a133ca25aeed3663976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H2VTLSVD.txt
Filesize
593B

MD5
666dc60a838c94922fbb2dcc049b4fee

SHA1
d858b70f80a1378840240855ef8f467036c970ba

SHA256
57027f6584609511b4567b2f9d88f184afa68c880eb3f924b0949559310db65c

SHA512
7d3a1eaef18e113cac2144be2f607e65c11601f37c0c98db573b70cd52c58fcdde8be426f1f6de482a823c88a40722d990e461d495f90d54a0be30b1b1478f53

Download Submit

Analysis

Sharing