hxxps://notifications[.]google[.]com/g/p/APHC3cq94VkKBlgcUrcaV9AhpsPD0uu4Mct-0tALZtsJ3qdcLSczZBr1SdhRclCadPkXR7b7rudU4uYz7_-QHOYYaW_rf8shBiXg9wAmxGIrt9nKueB5Fk1vO4FDDY4jb_xQrCRzEuiIwSjs4kQ9RLxT90w2Ml0JyCy4ODOuoAzLdWgBVsT69ZAQDoYqgPVKwicWhUYD7B_oTT9pOEypg8xG0tiQ30TS36plhw5MDLrQde6qS57fKZlYEiiK6tu2OFzI5vFJipKykMt3seqg_GH3YSxHVZH3WpNmyn5c75YYFqyUZ0gpj1F8SM17xMR5i-9rfB6stJcPbA

General

Target

https://notifications.google.com/g/p/APHC3cq94VkKBlgcUrcaV9AhpsPD0uu4Mct-0tALZtsJ3qdcLSczZBr1SdhRclCadPkXR7b7rudU4uYz7_-QHOYYaW_rf8shBiXg9wAmxGIrt9nKueB5Fk1vO4FDDY4jb_xQrCRzEuiIwSjs4kQ9RLxT90w2Ml0JyCy4ODOuoAzLdWgBVsT69ZAQDoYqgPVKwicWhUYD7B_oTT9pOEypg8xG0tiQ30TS36plhw5MDLrQde6qS57fKZlYEiiK6tu2OFzI5vFJipKykMt3seqg_GH3YSxHVZH3WpNmyn5c75YYFqyUZ0gpj1F8SM17xMR5i-9rfB6stJcPbA

Score

10^/10

google phishing

Malware Config

Signatures

Detected google phishing page
phishing google

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31023669"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023669"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b000000000200000000001066000000010000200000003dc9e3e54e5152d237f514f5cde9f62e99963f20f3d0ef4fb63c382334f19c71000000000e80000000020000200000000178023689456eab2f69f15d19c1a87a0677f73110ad23b069b5f5967f3e4a52200000002b793c4e8494b6755df1bf97a418c75858a572d858c616b247671681f8547214400000006c81adc895392c378e91db33385515b59941ddb9b6252776e70510cbeb9adcfb5b9372430b414573788b2b241954f63324ea5f1e8c9b2bb757f05e9a596d48d7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40dcbcbd3562d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386856033"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31023669"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3131885574"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3131885574"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7005a0bd3562d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b0000000002000000000010660000000100002000000084ca50e8aa4d538168329f91876cc725c99f02dbcc4462e69e5cd8ebe2a357c5000000000e80000000020000200000002b464e28d898e2e029267a42376895ed381398a236c806beaad38ae94271b9f020000000980236410e67828544286c60ea6ebb56e06682d05d96f07d4a88743207e450e840000000b1b36424811898c904708ec6de7bfda24c761cb2347bb1bf2bb86c57620eb59b51d68c8b2b8493e8574f3049c0d10b489e00a5e69adfa91562077aa7cbc5cbb9	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E63FF050-CE28-11ED-8FFF-6E21A4042E2D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3145106122"	IEXPLORE.EXE

Modifies registry class 1 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-144354903-2550862337-1367551827-1000\{8178F597-7E41-46A9-ABD4-A2DCFCA78BC5}	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4924 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4924 iexplore.exe
4924 iexplore.exe
1528 IEXPLORE.EXE
1528 IEXPLORE.EXE
1528 IEXPLORE.EXE
1528 IEXPLORE.EXE

pid	process
4924	iexplore.exe

pid	process
4924	iexplore.exe
4924	iexplore.exe
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4924 wrote to memory of 1528	4924	iexplore.exe	IEXPLORE.EXE
PID 4924 wrote to memory of 1528	4924	iexplore.exe	IEXPLORE.EXE
PID 4924 wrote to memory of 1528	4924	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://notifications.google.com/g/p/APHC3cq94VkKBlgcUrcaV9AhpsPD0uu4Mct-0tALZtsJ3qdcLSczZBr1SdhRclCadPkXR7b7rudU4uYz7_-QHOYYaW_rf8shBiXg9wAmxGIrt9nKueB5Fk1vO4FDDY4jb_xQrCRzEuiIwSjs4kQ9RLxT90w2Ml0JyCy4ODOuoAzLdWgBVsT69ZAQDoYqgPVKwicWhUYD7B_oTT9pOEypg8xG0tiQ30TS36plhw5MDLrQde6qS57fKZlYEiiK6tu2OFzI5vFJipKykMt3seqg_GH3YSxHVZH3WpNmyn5c75YYFqyUZ0gpj1F8SM17xMR5i-9rfB6stJcPbA
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
27eeb470ea47791b773b0c543d47d7c0

SHA1
cf692b6241651b506a7639c0c02f4ab582b728bb

SHA256
887291e1eaf9e037071221908bc110ee40235c5d9c6dd4001699cdbfd55c9cd4

SHA512
23f1b1f25ca82aa1b9a235921ba87b86f61e58a1d19b031547144a6035144b14c0ca1f7a9391c00eca50c0be4f35a161d0b4402cdff37f1c9350a368ce3f1321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
f134f21e079e6be105c764c30dcee1fa

SHA1
e2e3bb77e587d611e968123bec16f7b27a055267

SHA256
4695b00ac3ca8c079fdf08506ff5cba4ffc5fcc930e7cc29b8067b009100ab08

SHA512
9bc02df6e60c294100a8432bd1655817b8c62e5c6c6b04bf1a4283add2e075d3c87e1172b08c02467062e94fcee8d04859da1b868029a34fa53dd8e9c64c11ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat

Filesize
5KB

MD5
caf885b425be2281b8f256220312df80

SHA1
6237ace0d0d6ffd5fc0208074a6aec584bbee877

SHA256
b0d88f4631b3f51e0d532edb01a3e215ab14f5faf90a1726ac94631c93d2b6c3

SHA512
fcd6821f3d15228eba5e98df69996cf74ac07246219eb4d2392337a834d67b24bef8562a6f33c1a08cd22e5a7db6852e631120e5fad8f5c265904dafe59896b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4VT6R2QM\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EY3KXMB3\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads