Play interactive tourEdit tour

## Overview

### General Information

 Sample URL: http://romanosgroup.com/signaturebreads/ Analysis ID: 289319 Most interesting Screenshot:

### Detection

HTMLPhisher
 Score: 68 Range: 0 - 100 Whitelisted: false Confidence: 100%

### Signatures

Phishing site detected (based on shot template match)
Yara detected HtmlPhish_10
Yara detected HtmlPhish_7
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL

### Classification

 System is w10x64iexplore.exe (PID: 7036 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)iexplore.exe (PID: 7084 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7036 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)cleanup

## Malware Configuration

No configs have been found
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_HtmlPhish_7Yara detected HtmlPhish_7Joe Security
SourceRuleDescriptionAuthorStrings

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### Phishing:

 Phishing site detected (based on shot template match) Show sources
 Source: http://romanosgroup.com/signaturebreads/ Matcher: Template: onedrive matched
 Yara detected HtmlPhish_10 Show sources
 Source: Yara match File source: 745773.pages.csv, type: HTML Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\signaturebreads[1].htm, type: DROPPED
 Yara detected HtmlPhish_7 Show sources
 Source: Yara match File source: 745773.pages.csv, type: HTML Source: Yara match File source: dump.pcap, type: PCAP Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\signaturebreads[1].htm, type: DROPPED
 Phishing site detected (based on logo template match) Show sources
 Source: http://romanosgroup.com/signaturebreads/ Matcher: Template: onedrive matched
 HTML body contains low number of good links Show sources
 HTML title does not match URL Show sources
 Source: http://romanosgroup.com/signaturebreads/ HTTP Parser: Title: OneDrive | Login does not match URL Source: http://romanosgroup.com/signaturebreads/ HTTP Parser: Title: OneDrive | Login does not match URL
 None HTTPS page querying sensitive user data (password, username or email) Show sources
 META author tag missing Show sources
 META copyright tag missing Show sources
 Performs DNS lookups Show sources
 Source: unknown DNS traffic detected: queries for: romanosgroup.com
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Sep 2020 20:39:14 GMTServer: ApacheX-Powered-By: PHP/5.6.40Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: ; rel="https://api.w.org/"Strict-Transport-Security: max-age=63072000; includeSubdomains;Keep-Alive: timeout=5, max=19999Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 6d 61 6e 6f 73 67 72 6f 75 70 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 72 6f 6d 61 6e 6f 73 67 72 6f 75 70 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 7a 65 72 69 66 2d 70 72 6f 2f 6a 73 2f 68 74 6d 6c 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 6d 61 6e 6f 73 67 72 6f 75 70 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 7a 65 72 69 66 2d 70 72 6f 2f 63 73 73 2f 69 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 52 6f 6d 61 6e 6f 26 23 30 33 39 3b 73 20 52 65 73 74 61 75 72 61 6e 74 20 47 72 6f 75 70 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 52 6f 6d 61 6e 6f 26 23 30 33 39 3b 73 20 52 65 73 74 61 75 72 61 6e 74 20 47 72 6f 75 70 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 6d 61 6e 6f 73 67 72 6f 75 70 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69
 Urls found in memory or binary data Show sources
 Uses HTTPS Show sources
 Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733 Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731 Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737 Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734 Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
 Classification label Show sources
 Source: classification engine Classification label: mal68.phis.win@3/29@8/3
 Creates files inside the user directory Show sources
 Creates temporary files Show sources
 Spawns processes Show sources
 Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7036 CREDAT:17410 /prefetch:2 Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7036 CREDAT:17410 /prefetch:2 Jump to behavior
 Found graphical window changes (likely an installer) Show sources
 Source: Window Recorder Window detected: More than 3 window changes detected
 Uses new MSVCR Dlls Show sources
 Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

## Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferIngress Tool Transfer3SIM Card SwapCarrier Billing Fraud
Hide Legend

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

### Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.