e9c469468bef11eed2988a317d4dfbb00007a73d86151f5447f65482223deec2

General

Target

sample.html
Size

14KB
MD5

ce97f93d0f38e4bfb31585091ecd6953
SHA1

0cb0cd7ceab7531244a5c3b4a3ed1afb92822aeb
SHA256

e9c469468bef11eed2988a317d4dfbb00007a73d86151f5447f65482223deec2
SHA512

0b09fa731db782cb609d499b27a2e416abaac4510ab6a8aa8b5a01f7e397a417a117594f918736de93ef65b792c9de813f6ef6b8029a69ee43f7616bcc57e3b1

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f00000000020000000000106600000001000020000000a7cfe9b6d25db72792542720f7e49b3f53a7306d5ddffdc0fd60f85ae5fe6d14000000000e8000000002000020000000379a47a2de70ffd85c54b7f094efa308a0070d9be92850c0946e139b0b1bbb8b2000000007d7e60cdd9e793f2fd8179a848256098b6c30560d88162c82a5865762c8fcb1400000008e0a86d907e671bacaf176ae36a9ff2e8aa626d6a81288915faaa2dc05e896c2f35c61cb9d7fb990dc164123c86453503185c4ee02fb67b4e4091c5b79f3abeb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f000000000200000000001066000000010000200000000c7500dbaeecc9b337dfc309a29d01b4cc62a80845e364db81f155eefd7b6d64000000000e80000000020000200000009a417360c6719bf1b8efa071d5e360f7bf613bf37ab209625450e93db7d4453b900000001faf109bd16656866b2f5f86f1aa695e6952be056e8dc57a74dd9ae910771a6e9794fe2ef9ba3460ff32f59b9128f1923c8800e143fc537bba16fb0ddebc74acc6a23216029ac0c5e370fc29cbe861bee847cdf07be18b832c6aea13d311a2f61e292e35387668903582da3aedc7a75378feedd180a0148b62675bf7a376254e02eae9c0d98c03855691c251fd174178400000004310551713289bff7fd2326978b9320156fe39f1982d1fc6a9eeee1cf22da611f0a2fcb7352f10ba8258c60fb1da092b12f31d851f82dccc8a8e615aed3bc58a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e6af0b45abd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4082BA31-1738-11ED-A83F-FA60716779A0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366741563"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1420 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1420 iexplore.exe
1420 iexplore.exe
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE
1104 IEXPLORE.EXE

pid	process
1420	iexplore.exe

pid	process
1420	iexplore.exe
1420	iexplore.exe
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE
1104	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1420 wrote to memory of 1104	1420	iexplore.exe	IEXPLORE.EXE
PID 1420 wrote to memory of 1104	1420	iexplore.exe	IEXPLORE.EXE
PID 1420 wrote to memory of 1104	1420	iexplore.exe	IEXPLORE.EXE
PID 1420 wrote to memory of 1104	1420	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
e42c88821eccb35056f66aff9c34b62c

SHA1
91a726e68ffa9442130149eaac72fbe195c4b8e0

SHA256
8f3bbcfa3e652966c5c3e78977f0ffba46a857bbf37300aee765d9d53f645c66

SHA512
49f35e0155da378b439b93846ca2436011516cd2bfb1049b5e85ae0e0054d6a1d4b5943f9141c9a93719d60c01b6dcba817a19580f14b60b66c8c4796debcf2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lvx0ibj\imagestore.dat
Filesize
22KB

MD5
376901389179f94357fc8c3e92f3451b

SHA1
c7c34303ff29b68c894e799b9ab35a1b53e2bb78

SHA256
2daa7b08d2c2f635cc9486421ea101803963ec437edb5efb4b14e934d01865d0

SHA512
707e9e89b46eb6db71eb264e0b8535d0313056432399ac4f99a5df3614e1157484c4c3cabd4b627aa7da8f6815d177849fbddda184bf9dfe55841895543bae8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\099AZ0UK.txt
Filesize
601B

MD5
8d2da1fc148923a406eba926e9bea61a

SHA1
c3ffd77d55bafadd3c6d97ff9811170ca0101511

SHA256
172710e99f410652faa2ecb0ff039c5994ce427619207bdf02197b9da42b82da

SHA512
409dfca142ad5bf766d795170d8459bfaccfd790fce3e6e457dfd809413e68cbe8fba2514904106104cb28b11c28ddf2ed30ec06f6f6e4dfaae5e31626bfd07b

Download Submit

Analysis

Sharing