hxxps://calendar[.]google[.]com/calendar/event?action=RESPOND&eid=eW40ZXI3MG42azlyaDA5ZjM2ZTlscDN1cmMgZW1pbGUud2lydHpAcHQubHU&rst=3&tok=MjEjYWxzYWxhbTUwMDZAZ21haWwuY29tYmZiNjYyODQ1NjNkOGNkNTk1MzJmNGQxY2I2OTY2ZGMzMDllNGU0Mg&ctz=Asia/Kolkata&hl=ar&es=0

General

Target

https://calendar.google.com/calendar/event?action=RESPOND&eid=eW40ZXI3MG42azlyaDA5ZjM2ZTlscDN1cmMgZW1pbGUud2lydHpAcHQubHU&rst=3&tok=MjEjYWxzYWxhbTUwMDZAZ21haWwuY29tYmZiNjYyODQ1NjNkOGNkNTk1MzJmNGQxY2I2OTY2ZGMzMDllNGU0Mg&ctz=Asia/Kolkata&hl=ar&es=0

Score

5^/10

google phishing

Malware Config

Signatures

Detected potential entity reuse from brand google.
phishing google

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000c2632f73e4ddf97f2e78d57172abf6f4f7d58be769f78d729bd35bd50d002162000000000e800000000200002000000008f8f11aad57ba9020b34b141fdd9e1713204aa8209f8271ed29af7cd99e1dd920000000e02f5ac27288cf1bb38dbe67ef0e94c91f4ac696dace3c8ae4a2525f5d8cd2e0400000007dd338cd3dfd7871a9778c4253163f3890359bba9f495482800ba83758461d8ff70f5f7142935376fdef6546336561146874329e8ebb93f3300737069b3e8509	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31021822"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2415864758"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386062680"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000000c3de97bb44a632392b47f7495f0b2b003003a516d2997475ce3074671ab37f7000000000e8000000002000020000000177b067ee51cea8c1af841f02f9f6771abea3782e52ba185d7577e9246b5d78a20000000b78c756a27940530bf0839572d0676a9aa271a9a85b27c606e9d7971d7e684e94000000088f2d639a10b1feb603c367331f505e48f46375bc9146ccf7a62e1758c0753136b40d4ff05703e3357de36fc9036a98ba92003897a193b382dec4b4e01352924	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31021822"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09f5493fe5ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2415864758"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90de6e93fe5ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BAC40146-C6F1-11ED-8FFF-FA48AF8140A7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3744 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3744 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3744 iexplore.exe
3744 iexplore.exe
2232 IEXPLORE.EXE
2232 IEXPLORE.EXE
2232 IEXPLORE.EXE
2232 IEXPLORE.EXE

pid	process
3744	iexplore.exe

pid	process
3744	iexplore.exe

pid	process
3744	iexplore.exe
3744	iexplore.exe
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3744 wrote to memory of 2232	3744	iexplore.exe	IEXPLORE.EXE
PID 3744 wrote to memory of 2232	3744	iexplore.exe	IEXPLORE.EXE
PID 3744 wrote to memory of 2232	3744	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://calendar.google.com/calendar/event?action=RESPOND&eid=eW40ZXI3MG42azlyaDA5ZjM2ZTlscDN1cmMgZW1pbGUud2lydHpAcHQubHU&rst=3&tok=MjEjYWxzYWxhbTUwMDZAZ21haWwuY29tYmZiNjYyODQ1NjNkOGNkNTk1MzJmNGQxY2I2OTY2ZGMzMDllNGU0Mg&ctz=Asia/Kolkata&hl=ar&es=0
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
0f5b538d5aea8c0353e33439ea374707

SHA1
bb73d5dfcf6228376de2f5fbf01a8d93732a22f4

SHA256
0ecd5e7e82eaaac6a194121a40accdbc7e352365ac3db724da85337a3bd62648

SHA512
512f2c2fcdf2cd7be20511a041340b0a0c5cfd698453aec9b7da4e6f8786a11b6df8bc80b10a65290bcbcdcce549936b80b3773725e79eb045f43fcf56908800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
4f7a964acde8f09e8f1904dffdf6d544

SHA1
8b0a3b554391263dd697960e7c6369af32f5f608

SHA256
c8ba613c61d6c4d89b9b7af2e16860af6a783fdbce2c49164490d9502fa3a115

SHA512
2819008806bc132d7e015a4ec469b17c11544b399599ebec99890f177603ce965d4c1a875d6143c95063cc49e759b9a4ded0eb9a59c41107fd9bd4a92a1f870f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1F40.tmp
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat
Filesize
5KB

MD5
be60e290610345db2b3e880ce3eb1de6

SHA1
57eb25c9e986ece0817362b303e46180dfd9a855

SHA256
d00bce18f1759949df7b79b3673537cf93d05e5c411655e7c90ac96179ab8c27

SHA512
d66bf7c899e60704bbd3039f49b552b248d32467ee969e208de894951a361ccb266b77a5b83be5fa8c99dd43742902387405d9b84542571015b5e8c5d3a80e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\favicon[1].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\favicon[1].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\analytics[1].js
Filesize
49KB

MD5
54e51056211dda674100cc5b323a58ad

SHA1
26dc5034cb6c7f3bbe061edd37c7fc6006cb835b

SHA256
5971b095cff574a66d35ada016d4c077c86e2dea62e9c0f14cf7c94b258619de

SHA512
e305d190287c28ca0cc2e45b909a304194175bb08351ad3f22825b1d632b1a217fb4b90dfd395637932307a8e0cc01da2f47831fa4eda91a18e49efe6685b74b

Download Submit

Analysis

Sharing