Ethernet.pdf

General

Target: Ethernet.pdf
Filesize: 67KB
Completed: 21-11-2020 23:26
Score: 1/10
MD5: de1c8b96735c77f64bb9653e2d7de622
SHA1: d175c99d8fa98597f28b34869c97fe5d6ac850cb
SHA256: c2847ab9568ab4aabbe936b1816e779c5624d7d3d8c4bb10e401edf3f6bba357

Malware Config

(none extracted)

Signatures (4)

Defense Evasion
  • Modifies Internet Explorer settings
    Processes: iexplore.exe, IEXPLORE.EXE

    TTPs: Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312766269" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{386BCE71-2C51-11EB-8CDB-D6D89EDB0C53} = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  • Suspicious use of FindShellTrayWindow
    Processes: iexplore.exe

    Reported IOCs

    pid | process
    1072 | iexplore.exe
  • Suspicious use of SetWindowsHookEx
    Processes: AcroRd32.exe, iexplore.exe, IEXPLORE.EXE

    Reported IOCs

    pid | process
    1580 | AcroRd32.exe
    1580 | AcroRd32.exe
    1580 | AcroRd32.exe
    1072 | iexplore.exe
    1072 | iexplore.exe
    1516 | IEXPLORE.EXE
    1516 | IEXPLORE.EXE
    1516 | IEXPLORE.EXE
    1516 | IEXPLORE.EXE
  • Suspicious use of WriteProcessMemory
    Processes: iexplore.exe

    Reported IOCs

    description | pid | process | target process
    PID 1072 wrote to memory of 1516 | 1072 | iexplore.exe | IEXPLORE.EXE
    PID 1072 wrote to memory of 1516 | 1072 | iexplore.exe | IEXPLORE.EXE
    PID 1072 wrote to memory of 1516 | 1072 | iexplore.exe | IEXPLORE.EXE
    PID 1072 wrote to memory of 1516 | 1072 | iexplore.exe | IEXPLORE.EXE
Processes (3)
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ethernet.pdf"
    Suspicious use of SetWindowsHookEx
    PID: 1580
  • C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID: 1072
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:275457 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID: 1516
Network

(no network activity recorded)

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LM70GBJ8.txt
    MD5: ef0984334501d5b843e5eb8cd8910e9a
    SHA1: 4482e2098d15b0e060760496b75ca52b33ea6dae
    SHA256: 86da67ede38a54317d6db5935cd42f840d18693b0463ca4e1bed7ab588733352
    SHA512: e8e268430a619309e589713e61a662a6339549f5e178a66472770884bb209a9fb3e83f18c2b0bf817ca974c8fc658868a015bd8b556d328f07a054dd7c03d4d3
  • memory/316-0-0x000007FEF7A50000-0x000007FEF7CCA000-memory.dmp
  • memory/1516-1-0x0000000000000000-mapping.dmp