hxxps://security[.]microsoft[.]com/url?url=https%3A%2F%2Fvsnyproduction[.]mypixieset[.]com%2Fevent%2F%3Ffbclid%3DIwAR3Iv29yQaR0UWAm33Jfv04XbjC17XnmHQlEPmMXzzS9WX9RFlYWtiXcUUE

General

Target

https://security.microsoft.com/url?url=https%3A%2F%2Fvsnyproduction.mypixieset.com%2Fevent%2F%3Ffbclid%3DIwAR3Iv29yQaR0UWAm33Jfv04XbjC17XnmHQlEPmMXzzS9WX9RFlYWtiXcUUE

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{848A5DA1-A22A-11ED-8B2C-72E6D75F6BEB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 200bdd593736d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382018877"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000008d7a095bbab8d4c879b50288f39e628000000000200000000001066000000010000200000008089405ad3035cfb5827c2aff2f06c6dcfa1780e276c59446208b3e247b353d6000000000e80000000020000200000007105db7cf753e480eb7826659a178ec74aca735ff24fd7f921e96a0f58debd47900000006afe6e9a2a99e9218607724eecee31c73a5d63c2aa62e2c68610328cd6a9a672a678008842e4fa57fdb7721e841228f61532fa1a49928d07d6434265ed554f5c071bd7528d14e8d27f18250d1a31d42fa5e676e0145e528bc4bd2212c31d605c237ef1ca70c9d597142eefcc3589f9f03623e33580217fc375a5eb59f89d4cececd026ea7238855d94414e3e1c10745240000000e00ddac43ed2ef9bf82fa23019f99b40493bdeb6ab5cd22ea17068eda10007fd634fdd1b846a4aee864128f229a7621390688bbe70c3ddd95b6c04291afa0252	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000008d7a095bbab8d4c879b50288f39e6280000000002000000000010660000000100002000000041aa5bf8030a06f17c10162b686242035644540dcf12e8aaf4d40f427eaf783f000000000e8000000002000020000000fd6bd0cab38ec30ae4ecde4c9a34f0e60a2cf1781f5463763767fdc021a26720200000001f47e0126090e8267d758c0633ecb030f303715895d33924aeb3670b2850cf2c400000008a50388acd8e4f30f0435736aef413cbcfaf852e9c0cfd7a7dca8b5548febc3f3478b10028fccafad001c09adbb7285e9826e04e30bdaedfce17e7f0f88dabe1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

872 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

872 iexplore.exe
872 iexplore.exe
1324 IEXPLORE.EXE
1324 IEXPLORE.EXE
1324 IEXPLORE.EXE
1324 IEXPLORE.EXE
872 iexplore.exe

pid	process
872	iexplore.exe

pid	process
872	iexplore.exe
872	iexplore.exe
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE
872	iexplore.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 872 wrote to memory of 1324	872	iexplore.exe	IEXPLORE.EXE
PID 872 wrote to memory of 1324	872	iexplore.exe	IEXPLORE.EXE
PID 872 wrote to memory of 1324	872	iexplore.exe	IEXPLORE.EXE
PID 872 wrote to memory of 1324	872	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://security.microsoft.com/url?url=https%3A%2F%2Fvsnyproduction.mypixieset.com%2Fevent%2F%3Ffbclid%3DIwAR3Iv29yQaR0UWAm33Jfv04XbjC17XnmHQlEPmMXzzS9WX9RFlYWtiXcUUE
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:872 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e44eb7abed9f4f060442012eda304541

SHA1
43f15ef04e93eb27ce44312c61553b9282d720ae

SHA256
70bb86d8eceb6ab4f6785210962f7218b68edc0ab0da062a7b011bf407d0cec8

SHA512
e79d974828a85d5861b3e111f942bc6737c2b53dc07f856518ae653e14801f12a152ccc6d8880089656cea2ff02dfb012c95b02912739419e771e3924e925a0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
9b6bfa1f92cb83009e95f060e670bae0

SHA1
3cacbb7114a84cfb934a84c31d925a01d5c4e52a

SHA256
0290d3463424c7ffd1b64685c05acdfee11fc718cf752f59108e4bae9e383945

SHA512
cb7926813243093cb3e45bbc26e20c0fb99cb124e8c3dbdb9feee432a3b1ec462564fe596754f6bde441630e62c3b8ad61c5b29e8c1dc036c96f618987483752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
Filesize
22KB

MD5
526f6e80218834890e6c905a7bbc0355

SHA1
9ea53ad40fb0df1e1ec836b2e1c52ebec7f905aa

SHA256
ee198564ca45936502456d55b8551767ea0de8d471d502ab7b2d9074e66aaede

SHA512
2fe640b481c7c148cee39a3e74238267dc59f90154536e2566458378f26bb5381e10a2d95d12379d65295a01359ef6e8ef2dccbc0151e0110899633b0f8fe5a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0DHCHMKO.txt
Filesize
604B

MD5
8288fd6e5bb775429716147efefffe0e

SHA1
fb7a100b7a67ce8ab13a8b5e30480ec622ce3a5f

SHA256
220276432138d3667989dc8a2dac44008e06b670bd2962a77949a9f08e8d6534

SHA512
fe7ebd22323b20423eb3cdbc9851e77f34fd43349737b399bc1b55be524d5f236c7ced8e873190cebff8f5794f1826f71e4a71e8541decd804bf33cb533f3f13

Download Submit

Analysis

Sharing