a4cc9f0b672d1a1e9cb250b6252b2dce8de3ff39add030604687ea94289dba1e

General

Target

SunCap Hotels.pdf
Size

582KB
MD5

6a8c731945f979d025ccecffbd428a50
SHA1

ee7d95d71d1847f2eee0a92833f95ed465914af5
SHA256

a4cc9f0b672d1a1e9cb250b6252b2dce8de3ff39add030604687ea94289dba1e
SHA512

2e22d902f295a7ff725107ec6876835b3c534f329c9d6c678abc22f32ed7cb10e1e0981f925a09bfd8cda724bb26d3b2c69d1480e86f2805755d8ef42d76ffcd

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341006452"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{066005A1-2D29-11EC-A857-CAF2F772400B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 407305e035c1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000ef1d2ef62c96a5f38036ed7c16152311aca082686eb292953c433b832d8dd790000000000e8000000002000020000000b50f4ee3f30e78aad4832acf7ad8083f7358e8d089dd554aa24324cd1355b01120000000d23ffc2d70bc9586d97c987c4d5573c3b4431c7dc4be9812a271c986e4b7ecf74000000028499c23b3217a3842e5b7af96aa7e5fb7daa4de5a5fd547f0fe95fdd80576948ed95f15ce12f83df055aad349973cb03caef879527b18dde155a5d669204588	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000addfbc1f98e5ec2dffaa9296b83dae550f4b8a2b932b299d9303ddc610c3e260000000000e8000000002000020000000d4fda792db31747341cddb80ccd16f28d70424aadb4a6042f3bcd364684db17190000000ffa72c0fc1150e3cd30a207ccabb506d08fd218bfe6a28b037a61921b8bcc978350ebc3b345ad24c4b328671b8d34530e21014a7276a81f97c64970718013c4ffe2940fdf70e2e82906696f3634c20a55ec77fa1881c872898355df74d6a90b9e1f39523f2f994a2149c9fee38e78937ade1c6e69b8de2a923d0ee7c14f559f818b47e29f9965ffc47dd8209916bb2ee4000000036d5109790f4e35b3813d6f1e0b5b30d9083cb5b843f60cafebf0ac9c1a76e52af341a0e7ab5b9851673ae2fbfbd1eb1b574e175e058aea064fb8e9d64f0f3bb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1700 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

516 iexplore.exe

pid	process
516	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1700	AcroRd32.exe
1700	AcroRd32.exe
1700	AcroRd32.exe
1700	AcroRd32.exe
516	iexplore.exe
516	iexplore.exe
1064	IEXPLORE.EXE
1064	IEXPLORE.EXE
1064	IEXPLORE.EXE
1064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1700 wrote to memory of 516	1700	AcroRd32.exe	iexplore.exe
PID 1700 wrote to memory of 516	1700	AcroRd32.exe	iexplore.exe
PID 1700 wrote to memory of 516	1700	AcroRd32.exe	iexplore.exe
PID 1700 wrote to memory of 516	1700	AcroRd32.exe	iexplore.exe
PID 516 wrote to memory of 1064	516	iexplore.exe	IEXPLORE.EXE
PID 516 wrote to memory of 1064	516	iexplore.exe	IEXPLORE.EXE
PID 516 wrote to memory of 1064	516	iexplore.exe	IEXPLORE.EXE
PID 516 wrote to memory of 1064	516	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SunCap Hotels.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.enetgroupeonline.live/b/VfJsp7/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:516

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:516 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
40ff7eb08fa19ee135b7510b75314409

SHA1
0e54b090c3cb62e82e7ecd0a1c0e456e0b7884ca

SHA256
3cb42e6268ae03824855500fe223d14f0f361cf9fba9e142a1d286a346639f83

SHA512
b878017c584aca15ee48752da4c03e776966943a3273d89ca970ed488cadc1a9dbc898c9806e4b3670bc2a6cda65329e3c96d1d35be22c3505ab9fc69e8d5323

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OAMHG415.txt
MD5
843f51b873a028c9496c54b5a602d970

SHA1
f8e542237b894dbba4bb07d870cd62903d591c91

SHA256
9a936b33e0c6b47f9f7c92c95b2ff9d7c96c1734e9ad01247b000332c81e3744

SHA512
5d4512fb735b92f213cc4b3ff6b980577f0a2619e7dbf5d08a88b504e4994e118e630ab771a3a6fa0b458bb6807e4480afadad59d132e5ae8e4d4bd83cb9348e

Download Submit
memory/516-57-0x0000000000000000-mapping.dmp

Download
memory/516-58-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/516-60-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1064-59-0x0000000000000000-mapping.dmp

Download
memory/1700-54-0x0000000074F61000-0x0000000074F63000-memory.dmp

Filesize
8KB

Download
memory/1700-55-0x0000000001F80000-0x0000000001FF6000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads