hxxps://drive[.]google[.]com/file/d/1w3jms9a9-y6lnCH0v8Jfq44wNOLFWP8-/view?usp=sharing_eip_m&invite=CN3TtJUE&ts=62fd142b

General

Target

https://drive.google.com/file/d/1w3jms9a9-y6lnCH0v8Jfq44wNOLFWP8-/view?usp=sharing_eip_m&invite=CN3TtJUE&ts=62fd142b

Score

10^/10

google phishing

Malware Config

Signatures

Detected google phishing page
phishing google
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36050091-1E5E-11ED-B51C-6E705F4A26E5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000c1d0e0a2554b737f71bf0bd441d67eac252e1fc9a3dbba615b674fbf9ded66d4000000000e8000000002000020000000ad9acee0a2323cfcdb8b81393811b96d296b4da1f84e8bf310901d14270b8ab32000000081617eb8ee20e233f6f3c6ba4ae941907b0eb9bf28fac8c63ddc4435cb7e3ed34000000031b5d9da8d61da248af8bf27032908a3d3033e986286c20975b2b18b92caaefc9bfaa28050f8ccb6a367a6282d9215815fe7442995d43d45fadd60a61f2bb616	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "367527526"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a8b2136bb2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000451eb91b82b9d33d3085577ec222f0e6676e52f9fa808f67d1664e336c4db697000000000e800000000200002000000035d635f5bc22fe699cd0bd4a02a4f546531dd7c67efd01392b6ab86e661cb4389000000028f2b1653888798f904442e2ad491d4804ad0685e9f9fd7512797d18701bec46317862e2b4f75932ac50220d5cc94d644967e1ced426686676cc16b2a842a2b02f42eff688d429c6b346af4eaeeefc8f9292911f4462871c717aca4951fcc0619b7251bbabe142d26523b817f4e21c9304720ce2bf261c7dd26adff1747409c1668915c14a9cdd7d03b6a5967691da05400000000681d666c0b1503ae076398271e12ef3ece74005d984b2e2d5c519860a3d0eb3681b173f865d27f893aa927967fe77629b9c9ddee46eb1804bb4f2acea3e6d8b	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1504 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1504 iexplore.exe
1504 iexplore.exe
964 IEXPLORE.EXE
964 IEXPLORE.EXE
964 IEXPLORE.EXE
964 IEXPLORE.EXE

pid	process
1504	iexplore.exe

pid	process
1504	iexplore.exe
1504	iexplore.exe
964	IEXPLORE.EXE
964	IEXPLORE.EXE
964	IEXPLORE.EXE
964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1504 wrote to memory of 964	1504	iexplore.exe	IEXPLORE.EXE
PID 1504 wrote to memory of 964	1504	iexplore.exe	IEXPLORE.EXE
PID 1504 wrote to memory of 964	1504	iexplore.exe	IEXPLORE.EXE
PID 1504 wrote to memory of 964	1504	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/1w3jms9a9-y6lnCH0v8Jfq44wNOLFWP8-/view?usp=sharing_eip_m&invite=CN3TtJUE&ts=62fd142b
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
037410dfd85a3b92d6499c69bb6a3cc1

SHA1
67dee9c0c88516c9df8a8fbf32f85db106952a6b

SHA256
e620acdb46850bb381ad4e7a595a1d000ff96d7c7a0eb07925af365ef55ecf2c

SHA512
355eb4fbd0077e0ec59e23118d9db97abdc9b0d4e1471330a446111c1c726329f303a089075972a95be9c1119cbcd7e3ddc84c1999e5aa1ed7c544921ac1c35c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat
Filesize
5KB

MD5
fe172f093b235ff0d5ba30fe0b1e4d1d

SHA1
3039402adcb583023ce9dfee16d5dbc3ea6a5911

SHA256
053a8b91605f835f146b7b288cf1c56dd354707c6eb023f24f50a1aa058b3113

SHA512
f4a7cba9886ef2f0cb2f9bad185a3e1fd4f13d6aa106826b65a00c29f62c83d77655e2d8000b567ce9a696091a237e7526781e6521c9164879df5930cc88ef52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\87SEUQ0R.txt
Filesize
601B

MD5
5fef5b2d7f518c65c8c5d4ac519b11ed

SHA1
442f3727933f4732e266c2a2ffc945d181d7e3c5

SHA256
b21125aaf80034fa1f18fbf7944b554cc34a8a4f8ff4a65236c1a7274389f573

SHA512
7efd2d98aa647bc620d5b66bc14c61e4812049940c446bf449dc25701e8a7799b101256a240cd2f4d51c5a9509d865e926083f3accfa446abe9bfba6a59ba06f

Download Submit

Analysis

Sharing