Play interactive tourEdit tour

# Analysis Report http://haslundalsted.dk/khflc.html

## Overview

### General Information

 Sample URL: http://haslundalsted.dk/khflc.html Most interesting Screenshot:

### Detection

Phisher
 Score: 48 Range: 0 - 100 Whitelisted: false Confidence: 100%

### Signatures

Yara detected Phisher
Potential browser exploit detected (process start blacklist hit)

### Classification

 System is w10x64iexplore.exe (PID: 5472 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)iexplore.exe (PID: 5520 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5472 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)EXCEL.EXE (PID: 4380 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\587_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls' MD5: D672D26C85AEB9536B9736BF04054969)EXCEL.EXE (PID: 3276 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T7L7U67X\994_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls' MD5: D672D26C85AEB9536B9736BF04054969)cleanup

## Malware Configuration

No configs have been found
SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\khflc[1].htmJoeSecurity_Phisher_2Yara detected PhisherJoe Security

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### Phishing:

 Yara detected Phisher Show sources
 Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\khflc[1].htm, type: DROPPED

 Potential browser exploit detected (process start blacklist hit) Show sources
 Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Jump to behavior

 Source: global traffic HTTP traffic detected: GET /khflc.html HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: haslundalsted.dkConnection: Keep-Alive Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: haslundalsted.dkConnection: Keep-Alive
 Found strings which match to known social media urls Show sources
 Performs DNS lookups Show sources
 Source: unknown DNS traffic detected: queries for: haslundalsted.dk
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/7.0X-Powered-By: ASP.NETMicrosoftOfficeWebServer: 5.0_PubMS-Author-Via: MS-FP/4.0Date: Tue, 23 Jun 2020 18:11:46 GMTContent-Length: 5176Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 37 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 43 42 45 31 45 46 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 34 30 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 70 61 64 64 69 6e 67 3a 34 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 20 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 45 44 45 44 45 44 3b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 31 70 78 20 73 6f 6c 69 64 20 23 45 44 45 44 45 44 3b 62 6f
 Urls found in memory or binary data Show sources
 Uses HTTPS Show sources
 Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729 Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713

 Classification label Show sources
 Source: classification engine Classification label: mal48.phis.win@7/54@4/2
 Creates files inside the user directory Show sources
 Creates temporary files Show sources
 Spawns processes Show sources
 Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5472 CREDAT:17410 /prefetch:2 Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\587_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls' Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T7L7U67X\994_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls' Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5472 CREDAT:17410 /prefetch:2 Jump to behavior Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\587_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls' Jump to behavior Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T7L7U67X\994_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls' Jump to behavior
 Found graphical window changes (likely an installer) Show sources
 Source: Window Recorder Window detected: More than 3 window changes detected
 Checks if Microsoft Office is installed Show sources
 Uses new MSVCR Dlls Show sources
 Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll Jump to behavior

 Disables application error messsages (SetErrorMode) Show sources
 Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

 Queries a list of all running processes Show sources
 Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information queried: ProcessInformation Jump to behavior

### Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsGraphical User Interface1Winlogon Helper DLLProcess Injection1Masquerading1Credential DumpingProcess Discovery1Remote File Copy3Data from Local SystemData CompressedStandard Cryptographic Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaExploitation for Client Execution1Port MonitorsAccessibility FeaturesProcess Injection1Network SniffingFile and Directory Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionRootkitInput CaptureSystem Information Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or InformationCredentials in FilesSystem Network Configuration DiscoveryLogon ScriptsInput CaptureData EncryptedRemote File Copy3SIM Card SwapPremium SMS Toll Fraud
Hide Legend

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

### Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.