Behavioral Report

General

Target

https://www.office.com/?auth=2&login_hint=nikita.chroesjtsjov@triaxknm.nl&from=AdminCenterEmail

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings ⋅ 1 TTPs 39 IoCs

adware spyware

TTPs:

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31010987"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381409100"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000509a7ec2e499b44a28e8020d50c534600000000020000000000106600000001000020000000483ca25a9be9f720c3cd6ef60b2041ca853b1e5075f610df18fec97bb83e3ad2000000000e8000000002000020000000f70d9f261fbccf7a866b50c858023f821c3aca2f08c3cd7308be4fa2d53aca2c20000000478016cb5d0de17e7e454d1f278cadfdbe7e98a5d6cdf6330237eb466d24773d40000000a9055d8cfd8abdcf6d76cf5f0adc3d44c90ee394dd262560ad5b7949941a8c7a34802d87594cbe3a8d968a916f476efaed9d71a1010a53db746276fbea1a30c5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6076e09bab30d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31010987"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2596744406"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a037c69bab30d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C5563C52-9C9E-11ED-A0EE-4E6695810362} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2581118966"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2581118966"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31010987"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000509a7ec2e499b44a28e8020d50c5346000000000200000000001066000000010000200000008f9aba408f632330fcf15310585babef5538c005c85aa42417b5674dfee5ea1e000000000e80000000020000200000002ca5e8f2c6015e32ac775f366fe6e3cd5331609cafa5f71306d9878e0a26e7a8200000006d62654b3b6a8511c12ee677c11aa35344f069cc85c71b72c9f594af4dd24fe2400000006369dadea2c4b51193cb2bdb1676cee5483f0322e4973b979cf9b6de6eb6d28788276fbc64b171b0877f30fcfe4eaf9bfd1d3ca46f284a199683680dc0254a82	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class ⋅ 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings iexplore.exe
Suspicious use of FindShellTrayWindow ⋅ 1 IoCs

Processes:

iexplore.exe

pid process

1528 iexplore.exe
Suspicious use of SetWindowsHookEx ⋅ 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1528 iexplore.exe
1528 iexplore.exe
3792 IEXPLORE.EXE
3792 IEXPLORE.EXE
3792 IEXPLORE.EXE
3792 IEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	iexplore.exe

pid	process
1528	iexplore.exe

pid	process
1528	iexplore.exe
1528	iexplore.exe
3792	IEXPLORE.EXE
3792	IEXPLORE.EXE
3792	IEXPLORE.EXE
3792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory ⋅ 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1528 wrote to memory of 3792	1528	iexplore.exe	IEXPLORE.EXE
PID 1528 wrote to memory of 3792	1528	iexplore.exe	IEXPLORE.EXE
PID 1528 wrote to memory of 3792	1528	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.office.com/?auth=2&login_hint=nikita.chroesjtsjov@triaxknm.nl&from=AdminCenterEmail

Modifies Internet Explorer settings
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1528

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:17410 /prefetch:2

Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:3792

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
b011d2725e33c0bae4cc6110f1228caa

SHA1
98595cb1500ab32b457063d29a60a8ae5496b49b

SHA256
cfb146a5a70caac0842df76ab5cffbb524b9964c4a4250473189d053f24ea9ae

SHA512
60e98f54414f8e14185dd66570b6f4e1cee6471648b700391e59042249e9546d9baa19a6dd0c0b6b8ea17e1eb4059303b7a584507624d0634a50d957af21bfc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
5d9dd4af1aa7a040643d3200fc0c5c03

SHA1
747a0d733fb23ed3053a7b9e43d3f31ffbbc7605

SHA256
b6e0a7322b9c95a177d863f994a1d498ef9a477823d60db36543834eac16261a

SHA512
d33fc0ec02c94a2e2fe2dc2967df8bf99ee9586b979d9e79e1f6932711fcd4eab46e92de528d22a56bb5aa32514832f81de7092fbec8ca4fcb13d8faf743aff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ckj4gk4\imagestore.dat
Filesize
18KB

MD5
4ffd1554455a72b7973fceb22f0f5be9

SHA1
c9cb1bc4927177b6a1be372c96bc7633bb037d5f

SHA256
61f8da7c4d8e2895ea7a346f8624791ab22693e90862711af2ae00f12f9a2531

SHA512
1186157923891e18f1da29a7a7becc2ff0e0426e17267fd78dd93c33eba8e99cb809ca1cbd4095a183f9be199ece68f06edd47d58ed688f8eed6f35e7c09f9ee

Download Submit

Analysis

Sharing