hxxp://login[.]microsoftonline[.]com

General

Target

http://login.microsoftonline.com

Score

5^/10

microsoft phishing

Malware Config

Signatures

Detected potential entity reuse from brand microsoft.
phishing microsoft

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06c3d630e37d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1636381852"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000f08c509a3cf92e651a16c442a6fc7c14396cf5e37dc35cb7a1d5c33b94ac4579000000000e8000000002000020000000a961883dfbb943b38de9e1004fd4b6798b943911ce4723913979229523ac609120000000f114a2aa2bf341522886a4f9a03a910efc6669be4ba8bf546683a353dec382c740000000311e1c1cc781be78ce1e72cc3e367fba4eb468d55f1c022c75000f4a1223f997ed0757be7bf60a2df5cd68b13e172f98d06790cea3a4958d462b209e30a717f4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31012622"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31012622"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302f6d630e37d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C98887E-A301-11ED-919F-66300FA194E6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1636381852"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000b190912d43ecebaf72a1e5fec8f44a0c110d24c48cbadefa9d55d7e831f7c702000000000e80000000020000200000001431de1bd7174d693d88e972cae8a35b84a5cee9c14ac008457ae39837336e832000000008b5eebdfbe8dbd9e84097191e31170f22aadf101c5ead6393569d28ab8979fd400000000b0019fd28803d194bb9fc5c2e8294c1a565ec2bbda6e32a227485adeab52276ce83793fc4151ec895ea481ca2b65acc9f8873e39fc1e2a7412f60138d01f47a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382111233"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings iexplore.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

752 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

752 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

752 iexplore.exe
752 iexplore.exe
1368 IEXPLORE.EXE
1368 IEXPLORE.EXE
1368 IEXPLORE.EXE
1368 IEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	iexplore.exe

pid	process
752	iexplore.exe

pid	process
752	iexplore.exe

pid	process
752	iexplore.exe
752	iexplore.exe
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 752 wrote to memory of 1368	752	iexplore.exe	IEXPLORE.EXE
PID 752 wrote to memory of 1368	752	iexplore.exe	IEXPLORE.EXE
PID 752 wrote to memory of 1368	752	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://login.microsoftonline.com
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
8795643bd9448f355f1e817b1beb8f13

SHA1
fc5afcd5dc1c57ec501109cb987bec2e7b628514

SHA256
c9a53a6962ee0ada77bad358699a886e9d54243a3ae24cc182acfeaef4dba134

SHA512
4a8bc9001359c55a68bb329ef000ea7506c003ef6a98d57d769ca020758bcde63d52b03add74e39294b7b0c52abb9a07ff6ec3bd1e66f9eca0e0675b2b9cd2f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
eb8f10100176bc725b05868efbe44494

SHA1
b44ee43211890abe193a2b28cb90da3e47b01009

SHA256
cbd568a3cdb752fc529e760b44a7801d3e79ef00452916d8d818a7fc108f02fa

SHA512
a08ce26b55888b6aaa60b6a18ab911ec80bf0232030db94df702b4fd091b9a27c8d629dfe618421523c3eeb9bf91ded5da2696a414152b155bb4e270b6afa783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\xyoggsx\imagestore.dat
Filesize
18KB

MD5
990e10d12be4838691b0267065c4c8a0

SHA1
6657acd53fbc6c353d41f0743a271a9ed06817c0

SHA256
cec8fbc6c755070032f32632e86d8402662937f8dc5703d32d2a8bacc560d753

SHA512
2510df165ec315e7114aef0d59a9a62b9aa1edd14e875d8e940e73fc19a45c4e9ca858c06f06414a7502aaabc9bfd3cbc6a380e68b53ec89c3f7b248b8da1fab

Download Submit

Analysis

Sharing