Analysis
-
max time kernel
262s -
max time network
358s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
01-12-2022 16:03
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://outlook.office365.com/owa/?path=/group/CCTSFY23@dir.texas.gov/calendar
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
https://outlook.office365.com/owa/?path=/group/CCTSFY23@dir.texas.gov/calendar
Resource
win10v2004-20221111-en
General
-
Target
https://outlook.office365.com/owa/?path=/group/CCTSFY23@dir.texas.gov/calendar
Malware Config
Signatures
-
Detected microsoft outlook phishing page
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376679533" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3533591-719A-11ED-9301-5E5304B417C2} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 828 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 828 iexplore.exe 828 iexplore.exe 1936 IEXPLORE.EXE 1936 IEXPLORE.EXE 1936 IEXPLORE.EXE 1936 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
iexplore.exedescription pid process target process PID 828 wrote to memory of 1936 828 iexplore.exe IEXPLORE.EXE PID 828 wrote to memory of 1936 828 iexplore.exe IEXPLORE.EXE PID 828 wrote to memory of 1936 828 iexplore.exe IEXPLORE.EXE PID 828 wrote to memory of 1936 828 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://outlook.office365.com/owa/?path=/group/CCTSFY23@dir.texas.gov/calendar1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD526a11da25c396476bf216c94bd9e87f1
SHA1c3b40095576a8f2e842e7aa3966630319094ad8d
SHA256145db137d983c20f147df9514e863b90c3b7f9a83581503d62c89349821de27a
SHA51294ce96134cf417e020fdfe296e1dc72a6a79e0146da97ddcee68186c448d46409f626de0cbd62ceafb1f0314f97e3b54da7ee7500dfcda17fa4eb79937facb53
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.datFilesize
18KB
MD52645c62b63a279e4a3e9278b18bd8725
SHA191482475c529a7d16d647d7ffb515cf41bfee656
SHA2568daf8fb0f7b697145585899e59d06d1312087ce520b0af44ce16f6038a9df986
SHA512e49ac3cd9cf2a0b1de0effb9c92eaca4520b492c0b834e6fe8e4ca24e4c7f9d223acde83162de3bca6521574abf1ec5f897f3bce8a6456d325fccedcc13bbbc3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LNF0X54A.txtFilesize
533B
MD58f610f24e43c2431b5563ae94454ac2b
SHA1ca02403e739a91fec5027a5ed37a9f287d38e4d7
SHA256d74b112543521eba6582e59b2ede9fed39244ac95c2be63d32d889319bb5df23
SHA5125277c05afbbcab716d88f076ef524a55e5df30ebb902efcdc894b8e4c6a8e8089f3dab9ee5c5c978fe15e5d819b0db9b0c2d2c41768dea556608d9c59647d333