hxxp://profício[.]com/login[.]php?u=cG9wYW5hc2Vua29AcHJvZmljaW8uY29t

General

Target

http://profício.com/login.php?u=cG9wYW5hc2Vua29AcHJvZmljaW8uY29t

Score

10^/10

google phishing

Malware Config

Signatures

Detected google phishing page
phishing google
Detected potential entity reuse from brand google.
phishing google

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6416D461-1D8F-11ED-808D-42A98B637845} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0381b409cb1d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000021c28271c2ea2e4921bb6ff92791f1add2c0c00cb7e816d1d4c01c0a451e5284000000000e80000000020000200000006790ec07a4f7af4d2d01a5d62eaed57be6567f7d84832038c1ed602deb7ded7690000000aefa9e434387f1c8da3e74dd9249beb0c62789b039fd209114b656672b9c9c433e91e570fd1caf2ae932a7b973239e6974a196a8ee83a07a22eb78903b073e53d29c3c8a7e9510cf3dbd71b09dcb35ff682c05be3e75125f55cd7658ef73b73402c475c5558ca7a66593e4698479e101a2665f9f58d2cd347e2353d1d19adac6d5b5b171ec0eeb144a232390ff73a82e40000000a20a995f48e74369783099701350904452f948b38726910e123c6dc64a78dabe08c317f142250f479f35b10ea4fb2b024ff4e1f391c4af5f74252c6803e6c603	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000007857a6afa9ea1338c489c1d04b856ac56275c24d529a4d7e439820726435c041000000000e80000000020000200000007a1db64ff6bce94254e3202e11caabdb370a82115a34ec2baf98408a614bbc922000000035c1e4bc1b78942637429d8eb1e72321a99c341e7c2db4955999ac3d18a9fc08400000009f5dcb03fe1ea8d1da285be9577ccb1f0aeb9cac38d833a535d821e6456680373657c5cfc65dfa481c3cc94c0daccaf6e4254ccc0fe8a11a3a47f3f062ea68c3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "367438696"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1980 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1980 iexplore.exe
1980 iexplore.exe
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE

pid	process
1980	iexplore.exe

pid	process
1980	iexplore.exe
1980	iexplore.exe
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1980 wrote to memory of 2036	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 2036	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 2036	1980	iexplore.exe	IEXPLORE.EXE
PID 1980 wrote to memory of 2036	1980	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://profício.com/login.php?u=cG9wYW5hc2Vua29AcHJvZmljaW8uY29t
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
4cac25410c4cd4af547a5a3218d7e939

SHA1
43d1c09f60910430944bbbd73f0b547c54a039e7

SHA256
1a9736420517589297181c54158e87c44c829b380c7562ffa46f37cddb555087

SHA512
1464b13b85f9b6b095e2cea827fe8a0ea68162cb89e5c89590f9ce33dedc2014842d6f95f83df76902e38ea72ba63a34663965ebd387a11d1111d58714e8c48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
Filesize
9KB

MD5
aa78cddc20644389305e830d16b07006

SHA1
17f0178bb88c36a4e494c27e9bbc0d539028f1af

SHA256
8619ca630077f2dfc8004c827d64a629b725345370552b3dc0272250d92eada0

SHA512
0d55833b680aa5985947de1a8b963f167ece8660e8ff43dedbd6dba9487ccb6857fa7c17dd95ccb1859f362014e06f558a6ffb9cf08f4fa293ef9d60a08a9846

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CYL4OU6U.txt
Filesize
604B

MD5
0b90795a29e8ee2761ffd9c2d63fee50

SHA1
85fa91ad8f6ceb9e9f0de53b88092f10153a063f

SHA256
d772fab870ffe45a042f2281f3ce3a1337c96757595eb0c7ccfb1a8f3fe82f39

SHA512
c13969ddddbc55224edd70a97518a9be072211cfceaa526a2161767f6d3e48b13db7c5f696818650f0178c390714b0e327eb297e0a1ddde78d86d4561fd04028

Download Submit

Resubmissions

Analysis

Sharing