hxxp://google[.]com

General

Target

http://google.com

Score

5^/10

google phishing

Malware Config

Signatures

Detected potential entity reuse from brand google.
phishing google

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "344"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "105"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005fbcd10b409412459e4a7846285141250000000002000000000010660000000100002000000090a83bba90ae71e478623e1c9ade1afdc5ab6d15b6ad44df4309ebbdb551d993000000000e80000000020000200000005f4858ef905bb59e0718fc432d2a2694bd80bc5f2acbe4558e1b8f4a3f3d458720000000d24beccc16db7a8c66eb9bc9ae01d06c6ff4229f17fc434917f17de568af16a840000000c9480b6ac2f81735e6390675e35cd800035ba107ca8fe55a3d7f029a92429b17a90b8802958aa856859872d6a240b56d1676dfc66a50755763e1024d2b24e8b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "105"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50296e0c98add801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366997093"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005fbcd10b409412459e4a7846285141250000000002000000000010660000000100002000000084251201ce0a2f9cf57300702e904f71b14d0decadb2fb08322517596c85fac6000000000e80000000020000200000000260a20da928f63d1662ffec381927ee45f49910ce7d600cc3c4d0086d1794c19000000085cb0cefe5d170d998de4f8f36babb0f2aeb9aad156d82baac3890b1e114483756fd77c6cb1498a0f243fb6cbb6d02862f2fa83cab073d8747e9edc69fea299c567fa479cdae932c3532c913fe5bd7d5fa1effc930816b006ca9d08a346341224b6ce2c78a2f1eec5e79ef5fa8b233edee9270dc2c71ff27880383d2e718b4a41000237d2e58464dcb6154ccf73788484000000060b68b951164d8aad574d75e9103207fe8396b5646f0e588f565722d3d8f389f9ccbe519c828b6588b7b470a7601fe16bab48cbb8563d4b6c6522056cf9aecff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "105"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "64"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "344"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "64"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{330BE701-198B-11ED-84CF-D6DF7CC9512F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "344"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1724 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2020 iexplore.exe
2020 iexplore.exe
1724 IEXPLORE.EXE
1724 IEXPLORE.EXE
1724 IEXPLORE.EXE
1724 IEXPLORE.EXE

pid	process
1724	IEXPLORE.EXE

pid	process
2020	iexplore.exe

pid	process
2020	iexplore.exe
2020	iexplore.exe
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2020 wrote to memory of 1724	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1724	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1724	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1724	2020	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://google.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
e13c752a3563f77a809a5a1825d5bbcf

SHA1
cc912b60e08862b6ca31d3069c7fa3bff5fc6e96

SHA256
91db15b7a4676345b56a21100cd3d52a35039da72095c737df832136255043ea

SHA512
4fb39de83ef47665ac0a388159ce092f47724687a3881b00c3b2b75ac381df4552b654fe3be7a5f1a13f9ff1c830c38bf0b1f3aae7bb9d91cab2ad268e2df01b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\78o90ak\imagestore.dat
Filesize
9KB

MD5
d6161ab79fe57e297fb39aa2421d2ae4

SHA1
b5c06bc799743a6333e9430480154acfda8d1a27

SHA256
9a7fa75f4f34015e4c72f4e449a2761b182919606b546417ed638ad44a4897c8

SHA512
2a72f7a2cae153d9e4590d4485d7ce2ebaf6b6da7ba16708f5c9718f5a7939ab5c6d9d9c601d4b5467edde4cf73e2d5b491bba6291af4fc86711bf3c8f3feb39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\78o90ak\imagestore.dat
Filesize
15KB

MD5
971c57d5f0c812a7d0707244aff69efd

SHA1
4f9bb99477f8abf6d375dc36a670d84e1e8781fb

SHA256
6b9b81092455117ac89e75124dccaa2b1019e3d8c61671a92ae56efd9bcac394

SHA512
bac5fc26ffccec32cc21bea652dd6ea44aa91d47deca1528e2531a4b5d9135ff44c7869f00f1b636adc9a8eee4eb291a7a36d24f5c8fd4bdaa6eb42708d3eaa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FV2I9014.txt
Filesize
603B

MD5
cf7252bd70a457592dfdbf82ce46891a

SHA1
5111f345da8d15e73d5ff43e6107ee6876d8acd4

SHA256
6a981fc61b997df3b52db7b0b4df2cdec057ded0fcf89c2b3526b170fc66b36e

SHA512
2fb38599c652c52029f9f96102499dbbbcccfcc53666924079d4a54039d26f12be704633ecd002ed93317bcbd22377f7fe865ed2668ec99a17e6a0e3b69603a0

Download Submit

Analysis

Sharing