hxxps://goodyear[.]petchseeg[.]com/?e=bmlra2lfdmVybWVsaXNAZ29vZHllYXIuY29t

General

Target

https://goodyear.petchseeg.com/?e=bmlra2lfdmVybWVsaXNAZ29vZHllYXIuY29t

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4680 3848 WerFault.exe

pid	pid_target	process	target process
4680	3848	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094c858eae3d57f4bbeeb69290716aab400000000020000000000106600000001000020000000942e90d83fb8ade06ea07f347d919bef1f0bec3e321b82d0099d42e1303ef244000000000e8000000002000020000000d424df2a9e40bf9812a5b735ae8ece2212c70e9e90853bb0646b9fa373ace90f20000000c921598358a7d2f30d3b7831c00b9244c25f5f85d030dbeb67c041aa3ed88c83400000001c433a381c5178fbab395bf53fc6305cc36c5ebf4050657cc4de9a4be7a1700deeb08903432c24c4b665baa4d442165f557854bfb36b174b0d321967572f269c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "228"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "64"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094c858eae3d57f4bbeeb69290716aab400000000020000000000106600000001000020000000f2cdd520f7c1febf0b501b65dfaea5bb19fb13e65032bcb8b530cdb0235d76b9000000000e80000000020000200000006ded7826bd7b644cf0744c8095e55f2e1133b9cb733ebdc4ccb01ef04421b13f20000000ba9ae531477dd02221b5e921e5ebe2c794f5ea8be8c30c22d5955b289b412dee4000000004d362b1a96abb6c15d6298cb3396a87140d8116c758b9401c8202b0b6559a3519c5d08016043b51fe86e215bbd7ff36252220af9e33616ee492e9c8e9f39fa4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094c858eae3d57f4bbeeb69290716aab400000000020000000000106600000001000020000000c1e8ff7567fe2598f8074f83d24511a5a71549484a43560d5a841cd44489ad30000000000e8000000002000020000000f2af4d804d1235d5bbf5a07b765aee8c919b076ab8900dae92c5bab0329b9faf20000000cf2ea3c03e91221555b321de27c994cde6e18c9f8e391e0770bd50ad421f1ead40000000f6aa0d4308c89eb8686a03ba49ae71464ec134e2523f6792bbe4525b81aa668157e6b3027e1d06830b694bdc8997c606b7ebe17c96a8b43f1fe857eae73dd676	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30975965"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30975965"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "128"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DOMStorage\petchseeg.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0739a62dda7d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366367154"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{82897E1B-13D0-11ED-B78D-6216A2D711EB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\petchseeg.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b05aa662dda7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1473236924"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "64"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DOMStorage\goodyear.petchseeg.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\petchseeg.com\Total = "103"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1459641954"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1459641954"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\goodyear.petchseeg.com\ = "103"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40077a6bdda7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30975965"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "228"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

816 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

816 iexplore.exe
816 iexplore.exe
2540 IEXPLORE.EXE
2540 IEXPLORE.EXE
2540 IEXPLORE.EXE
2540 IEXPLORE.EXE

pid	process
816	iexplore.exe

pid	process
816	iexplore.exe
816	iexplore.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 816 wrote to memory of 2540	816	iexplore.exe	IEXPLORE.EXE
PID 816 wrote to memory of 2540	816	iexplore.exe	IEXPLORE.EXE
PID 816 wrote to memory of 2540	816	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://goodyear.petchseeg.com/?e=bmlra2lfdmVybWVsaXNAZ29vZHllYXIuY29t
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3848 -ip 3848
1⤵
PID:4160

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3848 -s 840
1⤵
- Program crash
PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
Filesize
7KB

MD5
6d339a3220150e29ed72f0571a55386f

SHA1
bf30946cc25eeef3ad6de44827eacf443104cab7

SHA256
7f827a9894162af9187f32ffcbdf4c7accb769427523b056909b3a9c2e483933

SHA512
aef317187d300d8842826964ef893441870d20d6726004c235eed3c5f1fa0bbe5b8738e461a263459924216f6af31c46cca87d7adaff4feaae95a6dcea5c5c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
Filesize
224B

MD5
56b96c355dc3b5de43071f80c6466dd1

SHA1
9aa51316d7012621e9bce19d5a913ab06f45e218

SHA256
47f188c9bfbe055547f8b900b27a19467f336a124dafd33a9b41a4bc4e98a393

SHA512
42d37475514d6c8c7f6545a21a69254cbcec7c68aed2f5b32c883eddd6cdcb65d449e708149de0bdc892715f7db76d244864968dbf6fa9916359af7e4eabd63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\kt9o6s3\imagestore.dat
Filesize
17KB

MD5
9c15267b037f7989fea898041f57b727

SHA1
94dce38f497464e1d02f2209ec1ad6a92123dfc7

SHA256
bd3959094d08f00ae0a7293de0c901658c92dbf8e45c0a8df864eef2e0ce6521

SHA512
998beb1bb2a65461ce38b10c01d2064d9913187c81ab247dfc3e18109a754e058baa2800546cd5e5fa0e4d9f3240a3e6bb1bf4fa8fb4719759f9cf1597f0c649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\kt9o6s3\imagestore.dat
Filesize
35KB

MD5
d39d3bb9b7d3e01e3f3faae76c2e5f2c

SHA1
cae03742a43eea618794fc0c36ed09b8f7df5e5c

SHA256
91ec1ccef56f037a049e3248505f33d6324d7003c82ea870577241a1a9d071a2

SHA512
3d851608391476c8df3304eeaaa4ee3d63f81472d983d161c3e00e1253d909fa01452be4d62bd4f267e957f90be9e36697cc7b1a57df6b4fc978500c6d6d34d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9SV8L49D\favicon[1].ico
Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit

Analysis

Sharing