hxxps://7kwpaw2yz7kjkt3[.]etmsearch[.]com/#dmVudS5nb3BhbGFAYXRhZC5jb20=

General

Target

https://7kwpaw2yz7kjkt3.etmsearch.com/#dmVudS5nb3BhbGFAYXRhZC5jb20=

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AEA95B50-70A6-11ED-8B83-6A6CB2F85B9F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376574655"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675f244f2bec41428643f74650f66a37000000000200000000001066000000010000200000001c4b6a4450aeb34c3ee0660b647c313167fc0ad0898f806da5f9ae4fd5165392000000000e80000000020000200000004a90827a1337646154722bb5a4b75b9b2a82cd0915eac67460c0c9ebc2eff7a7900000001fe8cff51e1ddd2b2eea9726ef517207cbeca3100958db7cc35e4d9669d4e3297fa987ce28d45239c55fe17e756ba13babc20b214bfb3ef54671d9df95c31bb06f423603df054c2922a1bd532e5ba6bad6212d1db6b0c7b3cc1de031e31ff573de4148eb198cb50394119da7842aa3e38c39302bc9b2294b15d81705d59554cecdffc57187eb4055e165b5d27918ef7f40000000cb36ada2eb68220faa8e72b394ab0f5fd9e5927244fbe4c42b3f894f8e2d57b4d22b93f116be1e68ff582ce652890ef4a44a8275341e5bcbea26369b1b1166d5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675f244f2bec41428643f74650f66a37000000000200000000001066000000010000200000007e17c7620acc99305ec8439b742fd606721a77f3cb04439db481c521a5d27668000000000e800000000200002000000000ca86bb318643567071211c0ba4eea77e9f45f41eb46373f7e6428d2caaa3d72000000034d2cb02fe0d79430ce0a76a984e60f9b02c4a222678cb789834068f23580e2e40000000df23242e89ca3db2a67f3d7fa15079e434562396a8508980316cb3e442989b61d45f1896d74c8cc7cb9f46b043cef57aa13d88bad48c5b6caa17b325a992765c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0052089fb304d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1612 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1612 iexplore.exe
1612 iexplore.exe
1936 IEXPLORE.EXE
1936 IEXPLORE.EXE
1936 IEXPLORE.EXE
1936 IEXPLORE.EXE

pid	process
1612	iexplore.exe

pid	process
1612	iexplore.exe
1612	iexplore.exe
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1612 wrote to memory of 1936	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1936	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1936	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1936	1612	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://7kwpaw2yz7kjkt3.etmsearch.com/#dmVudS5nb3BhbGFAYXRhZC5jb20=
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
0382a898435a963e4ef9f985dd7c94ea

SHA1
40c0fae2aade028b5b53fff3eb11f18a98c0e3a4

SHA256
7875f50e74a16b732768c7a711d38de946ebe61b6b1d4e181491acd7cc1cb96a

SHA512
b0b0e16991581a306a57c71aac0da79ae556acab92326b1343d1ad04c70042e35a4c2ec49059d71c6de4372c2540d59105f919536506ac39d2b9783d876ef4ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WTETBTXM.txt
Filesize
606B

MD5
6fde21ef1ca69510f1f7654d79e73aaa

SHA1
be50310387a9636c5b63d5dfcc0775aaf1245044

SHA256
b86ac6fd12e66980ba12c6aae2df48600e77aa80a4db5e2177e58c2b471bbb17

SHA512
459dd6205fa1a260ffc1e33346d2e2eab4797210fda9d5b7c113b1cb5f65aeb55ad8b746d476ae91565594b410f5cef8496794079913b9f20a20b01d265bd1ef

Download Submit

Analysis

Sharing