e72900fb5d2ab6efc96af426955dbb8076e6b6a5de4a2c6a4f373f80f8523e9d

General

Target

Leschartreux_Doc#92543.html
Size

421KB
MD5

753114616924ea3beb30bf798201c81b
SHA1

5e5bb4a48d4f6475ce3fe2eefcc06edd86ddc689
SHA256

e72900fb5d2ab6efc96af426955dbb8076e6b6a5de4a2c6a4f373f80f8523e9d
SHA512

dbfa5a2ad32c5bd87854b6e4b8591d7641363d8cc02acb3cdd744ea9282e921d9db7cd5bc6c5f04deb0c7bf65cb3b9f43f9d4a7137ad128f5c6a85a155500a01

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341068344"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341084939"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 300616f8c5c1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5465710A-3004-11EC-B8A2-62A5EE0E1157} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000662b14dd4b0204018119f649056551ec755ed6a2880dbd34b3f758ef1e23747a000000000e8000000002000020000000288cba66cd21ebf76c72337023c0e76c0ce51785db2bf40077aca7e2e27af8b520000000a91e260fc76121a137cb2ba2b9b501c71f02c6aab9696e109fabd8989460064040000000f47c8de3f78795c78cb2b455c2bb46cb778d01ebc6a8c3c2c1ddfa8104adf87be26e07077204e1c78bb4a8e26883461f20fc08d1965bd6e7caeaf548572a45c5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f9406ff0332db44b36b7a7c571692eb00000000020000000000106600000001000020000000687a5d58bf265fdf88e67699fe7e32367de4b75178f2a2e8d3c158dae3292a94000000000e8000000002000020000000325d92b83ab61e05a5507a5a70e553fa40cc0c95e3010968e76d272eb84b165c20000000fadd5e2b0e1f80fcd6179a22e0cb84eb3370dfe734e11ac7e79e19fd180776ca400000005ad7ba8daa11ff03da5b25530fcbd99847aaeb3f44101fa4140fe952b947961df89a994121ab61b39ec7aabfe5512a110100fd7acb0a3252b521b9dbfbbbb439	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341116930"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0c845f8c5c1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2784 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2784 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2784 iexplore.exe
2784 iexplore.exe
3444 IEXPLORE.EXE
3444 IEXPLORE.EXE
3444 IEXPLORE.EXE
3444 IEXPLORE.EXE

pid	process
2784	iexplore.exe

pid	process
2784	iexplore.exe

pid	process
2784	iexplore.exe
2784	iexplore.exe
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2784 wrote to memory of 3444	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 3444	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 3444	2784	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Leschartreux_Doc#92543.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JYC9K4O1.cookie
MD5
aca0bb2ec743a28e4e9ebd6c89d4218b

SHA1
33f12c00b69202de96159eb1b6ef545d969c2dc5

SHA256
cea5ae7818a4110f2c1a45c6b4c0b3dcd8f91c00207b3322cd8eb29760f9d397

SHA512
e984ba97d161c398b807f207c480b9fa909703ab38dd5b41b3aa081f048d520d73e384c8c678be916550772c7bdbc440e43b00eb3ef9cda8f231eae67c95d5f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SC22QWQ7.cookie
MD5
d6e01ee3ed9560ef9131e9c8268d63e9

SHA1
6e390a1071471a9bbf56a701cbc9022590a073d7

SHA256
bfe4cf5dbddf4602f4bcd4164e7f54b9106d1e54af351f02b4249ded380de3ce

SHA512
499dbd2adc3c8fbf5398e8e0234ef9e8107527e1623933d3766ea9cba1b166a781995f7cf88345c4f1e427e12977632e75cc723156de100cc2a33ebfaac70f75

Download Submit
memory/2784-143-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-125-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-146-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-121-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-122-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-124-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-123-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-145-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-127-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-128-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-129-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-131-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-115-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-134-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-135-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-136-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-137-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-138-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-140-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-116-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-132-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-119-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-120-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-148-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-150-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-151-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-152-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-156-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-157-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-158-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-164-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-165-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-166-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-167-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-168-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-169-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-173-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-175-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-176-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-179-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/2784-117-0x00007FF8A1940000-0x00007FF8A19AB000-memory.dmp

Filesize
428KB

Download
memory/3444-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing