hxxps://outlook[.]office365[.]com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cSJ1PR19MB6355D33DD4080C966F57CB6CB4CF9%40SJ1PR19MB6355[.]namprd19[.]prod[.]outlook[.]com%3e

General

Target

https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cSJ1PR19MB6355D33DD4080C966F57CB6CB4CF9%40SJ1PR19MB6355.namprd19.prod.outlook.com%3e

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "121940668"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "121940668"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20084416e634d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381873998"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{323C6D9E-A0D9-11ED-BF5F-5695DBFAB5D8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012070"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ef4f16e634d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012070"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb00000000020000000000106600000001000020000000f3c7f70a0ea53b8a5331a580469f4ca13c9b02ea094b925b2c7d228cdadeb482000000000e800000000200002000000093f2ffc10b13b31f08a76e28c9a4619a1fc3fa52f459f3c87aa38d05d1d7e4c62000000032b2c4e7d404361f74c83646ad4c969d1361908347e5d6be4913ef905edb46fe400000007346c77b61bdb906e71c3d611d529b97c2370d3d0a831996be8298cdb732b7ebec01a5a6f394bdc240704288f380d3ad8038b8272d6286e1e53b343a08f8ab15	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb000000000200000000001066000000010000200000006cb4fe1c8df6717f214a79234e26d29e08d2887c47dca8087df7a1ca5d28d935000000000e8000000002000020000000301699fdd797713c2c419d381414274f3323c06cfff18441697bb2b7206e1d4d20000000a51f7c67feaa5f65d37644b60891a3c5fc02aceca9b433d80c1bd51b1cb05eca40000000028d2f2c92b6d85d3beb5d33bc4df62f53a117633f5e2622530dce9c904e1ceb80c98c20cb97794af1376de980c43528d26d087c714111e40bd3ce388a38edb2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings iexplore.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4988 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4988 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4988 iexplore.exe
4988 iexplore.exe
1288 IEXPLORE.EXE
1288 IEXPLORE.EXE
1288 IEXPLORE.EXE
1288 IEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	iexplore.exe

pid	process
4988	iexplore.exe

pid	process
4988	iexplore.exe

pid	process
4988	iexplore.exe
4988	iexplore.exe
1288	IEXPLORE.EXE
1288	IEXPLORE.EXE
1288	IEXPLORE.EXE
1288	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4988 wrote to memory of 1288	4988	iexplore.exe	IEXPLORE.EXE
PID 4988 wrote to memory of 1288	4988	iexplore.exe	IEXPLORE.EXE
PID 4988 wrote to memory of 1288	4988	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cSJ1PR19MB6355D33DD4080C966F57CB6CB4CF9%40SJ1PR19MB6355.namprd19.prod.outlook.com%3e
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4988 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C
Filesize
779B

MD5
da6a32b46f7dd93455271b8ba5f6958c

SHA1
60113cc5a648a5659e5fe044e7224eee3ad6afe7

SHA256
5599ce82fbe165aca36b5135ad490b16c8891017caefc874f93146b9170cfdcc

SHA512
6d31ada0e633658e6c13379dca3e15a04794e6522d66309db852cedccf69b9857549d6424c625640b35daf2309ee07acacdc28c4a8f5d4e3d46092d91fd36db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C
Filesize
246B

MD5
554bb1bf23e7225a56a5dd1d87756b83

SHA1
18815fc13d141e4426ed0b4480def6818a821257

SHA256
c5e9582b99b02c261afc9297106904f374d7529b79fe22835462053a16e37047

SHA512
983ea6ad214023f2960761f71cd4cbcca108a41aa4a8845b802e997431598fd9095781a41ad568ee82bbe5d59e7fc3bfd5cd06a4582d2bb96bacdbb02eb2fed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\zpu22o1\imagestore.dat
Filesize
18KB

MD5
8c19c65deeba21b640b30c74dca66a4b

SHA1
be62182c8136349eaa8b46086f28995bcae6ac0b

SHA256
105c480ece75a5a6907b891b77f3e5590f7525bd2943453b3d578837dfade95d

SHA512
29bb64d391d8d5b7541adc6ebfc8fb9b2cc9183cf28239bea2be68a51c779fa09587f727f8f6dff0723033967fc20873be46d095d9d35da4828fd774fee26f6d

Download Submit

Analysis

Sharing