
# Analysis Report http://www.perso.ch/~sauvage/w63i281.html

## Overview

### General Information

Sample URL: http://www.perso.ch/~sauvage/w63i281.html

### Detection

- Verdict: Phisher
- Score: 48 (range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

Yara detected Phisher
Potential browser exploit detected (process start blacklist hit)

### Classification

System is w10x64

- iexplore.exe (PID: 5540, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  - iexplore.exe (PID: 5604, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5540 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  - EXCEL.EXE (PID: 2040, cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HNHL2TDR\273_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls', MD5: D672D26C85AEB9536B9736BF04054969)
  - EXCEL.EXE (PID: 4988, cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W2BICE6W\552_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls', MD5: D672D26C85AEB9536B9736BF04054969)
- cleanup

## Malware Configuration

No configs have been found
| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\w63i281[1].htm | JoeSecurity_Phisher_2 | Yara detected Phisher | Joe Security | |

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### Phishing:

- Yara detected Phisher
  - Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KGYEP10B\w63i281[1].htm, type: DROPPED
- Potential browser exploit detected (process start blacklist hit)
  - Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

- Source: global traffic; HTTP traffic detected:

      GET /~sauvage/w63i281.html HTTP/1.1
      Accept: text/html, application/xhtml+xml, image/jxr, */*
      Accept-Language: en-US
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Accept-Encoding: gzip, deflate
      Host: www.perso.ch
      Connection: Keep-Alive

- Source: global traffic; HTTP traffic detected:

      GET /favicon.ico HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
      Host: www.perso.ch
      Connection: Keep-Alive

- Found strings which match to known social media urls
- Performs DNS lookups
  - Source: unknown; DNS traffic detected: queries for: www.perso.ch
- Source: global traffic; HTTP traffic detected:

      HTTP/1.1 404 Not Found
      Date: Tue, 23 Jun 2020 17:20:13 GMT
      Server: Apache
      Last-Modified: Thu, 26 Dec 2002 14:13:33 GMT
      ETag: "e1dca36-4cb-3e0b0e8d"
      Accept-Ranges: bytes
      Content-Length: 1227
      Keep-Alive: timeout=15, max=98
      Connection: Keep-Alive
      Content-Type: text/html

  Data Raw: (hex dump of the response body omitted)
- Urls found in memory or binary data
- Uses HTTPS
  - Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49722
  - Source: unknown; Network traffic detected: HTTP traffic on port 49734 -> 443
  - Source: unknown; Network traffic detected: HTTP traffic on port 49723 -> 443
  - Source: unknown; Network traffic detected: HTTP traffic on port 49722 -> 443
  - Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49723
  - Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49734

- Classification label
  - Source: classification engine; Classification label: mal48.phis.win@7/54@4/2
- Creates files inside the user directory
- Creates temporary files
- Spawns processes
  - Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
  - Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5540 CREDAT:17410 /prefetch:2
  - Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HNHL2TDR\273_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls'
  - Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W2BICE6W\552_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls'
  - Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5540 CREDAT:17410 /prefetch:2
  - Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HNHL2TDR\273_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls'
  - Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W2BICE6W\552_The Peoples Pension (01-Oct-19 to 31-May-20) (Set 3).xls'
- Found graphical window changes (likely an installer)
  - Source: Window Recorder; Window detected: More than 3 window changes detected
- Checks if Microsoft Office is installed
- Uses new MSVCR Dlls
  - Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
- Disables application error messages (SetErrorMode)
  - Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (reported 5 times)
- Queries a list of all running processes
  - Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation

### Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | Graphical User Interface (1) | Winlogon Helper DLL | Process Injection (1) | Masquerading (1) | Credential Dumping | Process Discovery (1) | Remote File Copy (3) | Data from Local System | Data Compressed | Standard Cryptographic Protocol (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Replication Through Removable Media | Exploitation for Client Execution (1) | Port Monitors | Accessibility Features | Process Injection (1) | Network Sniffing | File and Directory Discovery (1) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | System Information Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol (4) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | System Network Configuration Discovery | Logon Scripts | Input Capture | Data Encrypted | Remote File Copy (3) | SIM Card Swap | | Premium SMS Toll Fraud |

A number in parentheses is the count of matched signatures for that technique in this analysis.
