hxxps://login[.]outlook365drawdown[.]com

General

Target

https://login.outlook365drawdown.com

Score

10^/10

microsoft phishing product:outlook

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30041b907c6ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0dc4b947c6ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\AskUser = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe30000000002000000000010660000000100002000000083c99a1452fea81d37c808ec8b2b79a105ea260c61a5cd1deb7cb80c0c7f4eb4000000000e8000000002000020000000b5a109fbbe7d70ba2b6b0e36d90730a2671844ae9ea65d4fe640bb7a349692af200000007a0ccd7a4d79c435604f22c4d9369488e5595dda25c788634742cd246f260a104000000066c1caba1f9143c242964ec56df4f2be8e22a754362930fe54727b37a0974f41a6c7386d2b2a933a1b760be6bd42114a09b900e06d5975adc3826bccafb9cf54	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C3B18369-DA6F-11ED-9EF6-62080863D4B5} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\AskUser = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe300000000020000000000106600000001000020000000edaaf49ad273d63ac2a4483fa096b3439f21bafa022bc45b6f65a024c661a226000000000e80000000020000200000008da9854377e70bb0f06caf1c7616621ce45f89c1306e5574078f02ded97bd204400100006e8c18f0cc770649b9bcf55fed09975639612ccc9f070f4448c0ce0204806be8e90d5b57c6fa53ce4b5056cce47ae3de5906594e89b6717c682ebb16acde660d7797042667fc45b87553762bfb3243e50b3f3659098bf25de73d691306b96fdebc9f0658ef56f71feb9263884308e956f21e3d0bb19dff3d262d7bae00a36307c923939d30dce8f234044391d9adf028ee8a6db21892761b93fdf150cefe0c0cc396a11031a2e852bdcffce3d074293e010ae95cc1e8ea9bb24b379e6a06e370eec6e1333c79a302760f885b90ae18f51b8512ad1722a7d6c863d316fcc1ebecbc955f3c0bc7f40b1c8908d5fc6ad016c3c7cc14e81e4b8c160ba2029c779a4d9a750eb5ce88bbcfb9788d8b55753affdded7cc98aa4561071c701f48f4315228914a97a3bb91b6ed6756b881ced0ec6f38428d04056bc91c67a72af804720f8400000009bf15e67d9e05ae6276452ec33d1c0ed0c2705bfda6c4224f301b90228e891722abf7210928797c74be1a3550efc3336663346bca13cbff9e58656b9a68470c9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2560195220"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31026812"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026812"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2560195220"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026812"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe300000000020000000000106600000001000020000000a48c37385feeabd901671235d44782b2fae84385d2af88f1113336c995d6c240000000000e80000000020000200000003c79de9d66bb505ab772e945de87b88fdb81ec708f9aa8939494db2c9fee23d520000000221825512dc0912fc4a24eb0434e7676d5d1a8816ea53a530b7c3d4eeba4db38400000003599c8b3bc8128f1fe2eef92c8a2438cd6e27447a69d0fbd11782d1c07e57b2d4f0a24399875ed5473296932ad590ed6352d86a57f2b2e581c7b757ea364f3cd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2571291102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388205884"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a025b4927c6ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe3000000000200000000001066000000010000200000001e5ffa9800a5e6cb6e075cd76c9c2c629ffa64ed3969d60796f130507a6aad64000000000e80000000020000200000001e7c78ca99968a28b2ad43e973cd1ed811249a1e064f8acc8603591f308031e1200000001b5656fd84e13405ddf504a83c08b68b6b50495447eab0461197aebacbfb042840000000b69724af56ad00c8a4a66a1da169fe28db4ec7de7de8dbfd13013e79acfb40f075b18742a2585d3fb8d0ad60027398ea0fbc4dbda909a042d2c3bbcd9edfa182	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1624 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	process
1624	iexplore.exe
1624	iexplore.exe
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1624 wrote to memory of 4884	1624	iexplore.exe	IEXPLORE.EXE
PID 1624 wrote to memory of 4884	1624	iexplore.exe	IEXPLORE.EXE
PID 1624 wrote to memory of 4884	1624	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://login.outlook365drawdown.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\feo4h2u\imagestore.dat
Filesize
17KB

MD5
787044f3562b775cc14a282d0941a000

SHA1
19499ddcf9e05ac128b9d8c0b53d2bc1c7425bc3

SHA256
4b747cc87812cad752bdde1313a9a7ec273dca03b0acdfce74440974ad429aa9

SHA512
4bfeecc6b46b81daee5ee3d48f8c78f0ff963fd37b80a87daeb60a38fd56865515a4c59e2d26f05035c088efff27efcb125bf1e1d879ea5c35df2fc1e99871d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\feo4h2u\imagestore.dat
Filesize
17KB

MD5
787044f3562b775cc14a282d0941a000

SHA1
19499ddcf9e05ac128b9d8c0b53d2bc1c7425bc3

SHA256
4b747cc87812cad752bdde1313a9a7ec273dca03b0acdfce74440974ad429aa9

SHA512
4bfeecc6b46b81daee5ee3d48f8c78f0ff963fd37b80a87daeb60a38fd56865515a4c59e2d26f05035c088efff27efcb125bf1e1d879ea5c35df2fc1e99871d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\logo2[1].svg
Filesize
3KB

MD5
ee5c8d9fb6248c938fd0dc19370e90bd

SHA1
d01a22720918b781338b5bbf9202b241a5f99ee4

SHA256
04d29248ee3a13a074518c93a18d6efc491bf1f298f9b87fc989a6ae4b9fad7a

SHA512
c77215b729d0e60c97f075998e88775cd0f813b4d094dc2fdd13e5711d16f4e5993d4521d0fbd5bf7150b0dbe253d88b1b1ff60901f053113c5d7c1919852d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\signin[2].htm
Filesize
4KB

MD5
2c6c5b88494216fdc0f3976fef66b06c

SHA1
692f6fdb048a1ca04e9582a29a38583b3c69690f

SHA256
70fbb40c8be648104c54b6b320958465a01e88ce3ec0c43b3a59b26d6b35bcf0

SHA512
c28db84964a010aa483354bdda6fe0fd1fb3ab0db6cc78ab87f1fd24a4237b8f03a19b7cfe2160f790469201dd9284e6b84a5bf894e27682c97fc27185f238bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\favicon[1].ico
Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\white_ellipsis[1].svg
Filesize
915B

MD5
5ac590ee72bfe06a7cecfd75b588ad73

SHA1
dda2cb89a241bc424746d8cf2a22a35535094611

SHA256
6075736ea9c281d69c4a3d78ff97bb61b9416a5809919babe5a0c5596f99aaea

SHA512
b9135d934b9ea50b51bb0316e383b114c8f24dfe75fef11dcbd1c96170ea59202f6bafe11aaf534cc2f4ed334a8ea4dbe96af2504130896d6203bfd2da69138f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPCK8CWE\login[1].css
Filesize
99KB

MD5
4db4a299ae7e73b3cb53351867416d0c

SHA1
36c0dff7a6742ead3229e476f05c559069c3080f

SHA256
10c50b88ebf99fdf813a4cce86ba218a6e2ea3d266146520529f1e1bddc5ebd3

SHA512
8eb086fc241c314ddd4b15ac6f34dbd61b838e2d7c2b535a02af2a83a92294ab1c79eb122efca8ff648346f4515b35edeeb13dc5e79ebc2c7e9accc4ac5baa76

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads