hxxps://login[.]microsoftonline[.]com/af73baa8-f594-4eb2-a39d-93e96cad61fc/oauth2/authorize?client_id=48001eab-ba41-4083-ba08-d923c91b17b5&redirect_uri=https%3A%2F%2Fmyasml-staging[.]unily[.]com%2F&response_type=code%20id_token&scope=openid%20profile%20email&state=OpenIdConnect[.]AuthenticationProperties%3DPURhS8pKLLlJLqkBeiIhO9xBQOXErSiW_AGvWMnd-FAILBmVVxRZcxDT2z-74lqghCdZwOYr-gjsWGmWbHSAHujKb91JQiQB1_SXqboX2PA_EwsLPtxDMFxXfBCXcqxzSklRcT_T6NY7nJZ5gomES3s-3lZkc9lGnTqt9EYecI2Aj4GFjFNGBjnvd5sp_Ss75DV3oPxZG6-gGr0zz2rs0y5l1nGCXuA1oFhcOxCAI7V2XfL6X1PJgYDt2VfzkYBFFC9Ir7vbYjBA7Mfqqh-6WQ&response_mode=form_post&nonce=638055971673188089[.]NTVmZjJjYjItY2Q2YS00N2QwLTgzMzctNDM3Mzk5NzU3MWY1MWQ2NzAyN2EtNmQyYS00NGMzLWI5MWQtMDIyYTkzODU4YjNj&x-client-SKU=ID_NET461&x-client-ver=5[.]6[.]0[.]0

General

Target

https://login.microsoftonline.com/af73baa8-f594-4eb2-a39d-93e96cad61fc/oauth2/authorize?client_id=48001eab-ba41-4083-ba08-d923c91b17b5&redirect_uri=https%3A%2F%2Fmyasml-staging.unily.com%2F&response_type=code%20id_token&scope=openid%20profile%20email&state=OpenIdConnect.AuthenticationProperties%3DPURhS8pKLLlJLqkBeiIhO9xBQOXErSiW_AGvWMnd-FAILBmVVxRZcxDT2z-74lqghCdZwOYr-gjsWGmWbHSAHujKb91JQiQB1_SXqboX2PA_EwsLPtxDMFxXfBCXcqxzSklRcT_T6NY7nJZ5gomES3s-3lZkc9lGnTqt9EYecI2Aj4GFjFNGBjnvd5sp_Ss75DV3oPxZG6-gGr0zz2rs0y5l1nGCXuA1oFhcOxCAI7V2XfL6X1PJgYDt2VfzkYBFFC9Ir7vbYjBA7Mfqqh-6WQ&response_mode=form_post&nonce=638055971673188089.NTVmZjJjYjItY2Q2YS00N2QwLTgzMzctNDM3Mzk5NzU3MWY1MWQ2NzAyN2EtNmQyYS00NGMzLWI5MWQtMDIyYTkzODU4YjNj&x-client-SKU=ID_NET461&x-client-ver=5.6.0.0

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB62FF7E-726C-11ED-9424-F2ECB67C8E21} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "376818299"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000185"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2965434821"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000edfa597c16aa1940b5e388d2ebb244f400000000020000000000106600000001000020000000574236ab93cf18d263c8dcdd0c4239b996e1350570243394e14a422ebc145cdc000000000e8000000002000020000000d70150d0d46f13360dc92bbb1d699a9824df921e4f9f276b0fd5e49be7d45e0b20000000e7634754ad00511d00efe92879b030466539978c7eb163f24e452bcc9faa947940000000ab55bc532015a15349446bf20fdb955e01f46ceb4c0fd0600c18d8c9acd6ad0d9e6b33f4cbde4bce906cfa5ad65eb1d1a36b3528d87dda692be74e048607cec6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06a51b27906d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2950121302"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000185"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000185"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ce47b27906d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376769714"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950121302"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000edfa597c16aa1940b5e388d2ebb244f40000000002000000000010660000000100002000000042f2a752fb86cb0fbda25b5731ab4f1c2857697914efbf6c5e76c103c64f2956000000000e80000000020000200000000643c7f38ecd16c061df20e64e64ede65a041a8b6fbf8414341956036e041fde200000000ce922ce7ada86547511691af5cbe268f17ac768396d68556399dc97863a0d3a40000000aeee14969284897f6a76dc6462a6b31b4d1683498903126d6af12da7bac95605810ce357ca2bf06dfe69944986b47bf8ffd4671872a3039e3db715eeaa6aa16c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "376786307"	iexplore.exe

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3512 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3512 iexplore.exe
3512 iexplore.exe
4940 IEXPLORE.EXE
4940 IEXPLORE.EXE
4940 IEXPLORE.EXE
4940 IEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	iexplore.exe

pid	process
3512	iexplore.exe

pid	process
3512	iexplore.exe
3512	iexplore.exe
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3512 wrote to memory of 4940	3512	iexplore.exe	IEXPLORE.EXE
PID 3512 wrote to memory of 4940	3512	iexplore.exe	IEXPLORE.EXE
PID 3512 wrote to memory of 4940	3512	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://login.microsoftonline.com/af73baa8-f594-4eb2-a39d-93e96cad61fc/oauth2/authorize?client_id=48001eab-ba41-4083-ba08-d923c91b17b5&redirect_uri=https%3A%2F%2Fmyasml-staging.unily.com%2F&response_type=code%20id_token&scope=openid%20profile%20email&state=OpenIdConnect.AuthenticationProperties%3DPURhS8pKLLlJLqkBeiIhO9xBQOXErSiW_AGvWMnd-FAILBmVVxRZcxDT2z-74lqghCdZwOYr-gjsWGmWbHSAHujKb91JQiQB1_SXqboX2PA_EwsLPtxDMFxXfBCXcqxzSklRcT_T6NY7nJZ5gomES3s-3lZkc9lGnTqt9EYecI2Aj4GFjFNGBjnvd5sp_Ss75DV3oPxZG6-gGr0zz2rs0y5l1nGCXuA1oFhcOxCAI7V2XfL6X1PJgYDt2VfzkYBFFC9Ir7vbYjBA7Mfqqh-6WQ&response_mode=form_post&nonce=638055971673188089.NTVmZjJjYjItY2Q2YS00N2QwLTgzMzctNDM3Mzk5NzU3MWY1MWQ2NzAyN2EtNmQyYS00NGMzLWI5MWQtMDIyYTkzODU4YjNj&x-client-SKU=ID_NET461&x-client-ver=5.6.0.0
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3512 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
4132c54f59c529167c112e7f519120fa

SHA1
94cc9036fa031258aa744c7ee88e3c0b6c7a73da

SHA256
e9f456cf8bb8cc4a683d1c2f792feeb4c83fff24a86e6bcb260eff8fbff126fb

SHA512
e8efb8e81a90ffbe177301fbba4470ded104fc6d12cfa0123938b981d612eb2c4a66bb47b585cd43ed6ed4940e0ad5a1e3a5d9d18f8cb643e741aae694c4baee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
0ceb959707bc4a9a9a94e3881584aab0

SHA1
80f8154bab75b5c54a116dcd25e2d8b20e187ce0

SHA256
34e300ba0c264a6dc331be37fa3874a0f793b86dfcb6fb7ad4b184cd246318cb

SHA512
26b482b5e4a489f080ebff21f6f267cf01938549ea8f413786f58b5fc5cb66f79fcca3c5e5ee89c6e49b34fd752b66f8f3c3ac790ecd7c8bbe2d608694248458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
0cf6b6430460434a4a26b7f9600142e7

SHA1
5db2b6afa26c8ec45a238897ead536dc5aab26ff

SHA256
6e3721827fa82e5a586528dab1abb8c5374ebf69ed0d8bfac70c6163ac508e7c

SHA512
dfa671dd9b4a0de0660cd3672cded8e2a396de9c90cd0c99e685ed894e1c1ef57547c4b8858d64dcae20722fd1cf1b49aaaaf4be19f76eaa9afd1f3982656180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
c5e6bf07469ab056e1bf73bbd01c4025

SHA1
beebde390549434e53b79f25375bfafacc572f3a

SHA256
eb02b68dd890f83f31958acab9e55839594fc0f48d690e4bc2fea1d5cdbab2cc

SHA512
96a60ddddfdf120ef0864eebad5b25ea55bf4c3758498a29742445d78327029490b3dd76a933b96cdb0cb7cee8359001b06985f7d6a5719de1ba8f63d2e3f050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YW9J2CL1.cookie
Filesize
615B

MD5
5e1a76a4554e629748c93ce7acd1e237

SHA1
6e9b270d8ad28c7047722ca1370334a6a2901f4a

SHA256
59ea71b5cc312b35b100412c1f5298ffd5fcf924761088de89d98c8e2d865e84

SHA512
88a66adaa210f7624e5e818a84df918f421f06d2e84ce0b85d2d1e95a59c146167719d619453d7d4c13b89a8fe84a5eba177fb77d66ac89f05cea8219fe98f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Z4W4VRHW.cookie
Filesize
615B

MD5
d605f2554ca465c5a42d27214dad4ece

SHA1
fc0c17055565dd945a38f33979ada010011fb1ec

SHA256
7b1986eb0c5f9ebe497da1f9d263bf42aa567f492d5a0f98423e58d547d2aeeb

SHA512
48251f4466a90ff641db375b0673746bd90b80fbf48794539ab0c92bb3c6d3163ae5e6ceab79ff621f108f379aff0252cf483379690f1390f092bac73c0af0aa

Download Submit

Analysis

Sharing