e831bd6213fa5b9e25b89f7c1142acc8615f1c48c74db37bcfaa707fd3169c52

General

Target

Outstanding_Invoice_10_29.pdf
Size

35KB
MD5

6da9c25fd69786797262133f5ae5b13a
SHA1

20665729a04ce87d38eddd780c13cbbc4f9aacfb
SHA256

e831bd6213fa5b9e25b89f7c1142acc8615f1c48c74db37bcfaa707fd3169c52
SHA512

e10f0ddf2fda98009c16ab485c4f6e554cdb9e0fc572eea4e5613c55c65ff0c6e7b4f1835d21f2d6ed251bd068530aa385166548ef78d789e2241ee6970d3263

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 504290982bccd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BAA64251-381E-11EC-9BB7-5A6B47CA3C39} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA76A6D1-381E-11EC-9BB7-5A6B47CA3C39} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "342211518"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000007f4d5583b77f4aff2189dbd8295105a7657ff0dc41406a75573c11f685852cb7000000000e8000000002000020000000dd91fbe8c1a36d19d74e592e170bf0e7dddc85823244ad5f478616f9130d5c3b200000002d7c4db11b1a81483fff7400fd3fa47d01cea34b058a4b658af3befa5c9eaf0e4000000082c87be87c44c8f70e85a01ac71fe6dcd25a2ff8361aa52c47398caf912dd90e44520302eaefdd4ead630f800f5de7f1ee7eda952e47562b9ebbf62b6c4808ec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000006547f13666d0b170bdbced0715f47d16fa56cdf5f7ea6e40ac434d1174f838fd000000000e8000000002000020000000f10e5138a75e5990b11fb4132206c08a7bc550b42ace29eaab2298467308e829900000008f2a397987dddc6ab19a31cb30ce46a28b681bb231deaa064c29d0dd5c483b50c3f39422c81cba1b908b7f2f3e6f9926a7d0520ebef0a3258928e1c7b928a25ae945626f2226a5dafc54313478005870bb2cf57e7841c9f88b9efe092f52bf8c723cf73c3d4aa6bf2c68030e033e14bafd8ca39feb805ec9ccaf1ee5a72319279a43eece86bc2cea65683cf20c58969c4000000086d896625a2e6ada11f58b5a6b5fcc8854c02e0819b9711a6083b318cf8bbd85c667121fe012a7d354e232725ad57b31fd65936b5e26bd53793224223ebf555f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

760 AcroRd32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1832 iexplore.exe
1880 iexplore.exe

pid	process
1832	iexplore.exe
1880	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
760	AcroRd32.exe
760	AcroRd32.exe
760	AcroRd32.exe
760	AcroRd32.exe
1832	iexplore.exe
1832	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1880	iexplore.exe
1880	iexplore.exe
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

AcroRd32.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 760 wrote to memory of 1832	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 1832	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 1832	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 1832	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 1880	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 1880	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 1880	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 1880	760	AcroRd32.exe	iexplore.exe
PID 1832 wrote to memory of 1608	1832	iexplore.exe	IEXPLORE.EXE
PID 1832 wrote to memory of 1608	1832	iexplore.exe	IEXPLORE.EXE
PID 1832 wrote to memory of 1608	1832	iexplore.exe	IEXPLORE.EXE
PID 1832 wrote to memory of 1608	1832	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 1116	1880	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 1116	1880	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 1116	1880	iexplore.exe	IEXPLORE.EXE
PID 1880 wrote to memory of 1116	1880	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Outstanding_Invoice_10_29.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://s.id/IdJgJ
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://s.id/IdJgJ
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BA76A6D1-381E-11EC-9BB7-5A6B47CA3C39}.dat
MD5
67c14989825cea23f0b029748b9f2596

SHA1
9c2e0f2da7c3a556762dcb06beb801acefbfe5b2

SHA256
c205de8f4160f7f511fc426dc00a8eac7ade48020c1b52c693355f3e57c31e0c

SHA512
9c8dea1e20a82ac37b0b63150d8961bb532999e599c10eac8b316c86d911c8afb73d9c9cfc4eb5c557488e4063df843cf8a533fbd79c83abdf83f24b1a2921a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZR0SJ214.txt
MD5
c2df564cca7d9f3c69b173917108b3ae

SHA1
3e9270cbbafb139173f33f460c33ceb78f4f231d

SHA256
8dbf0b8f22677b723f7c80422bef69e7e9781777d62286fcb623ab753d3a3fec

SHA512
f8ae1ff929c38e5d217426e2ed177f87139f7ccec6246f2025adbf4549d079eb605245860bad428c9f2518a1a55e5dacea6fd2575b47a2160fd178cfc50d72d1

Download Submit
memory/760-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1116-60-0x0000000000000000-mapping.dmp

Download
memory/1608-59-0x0000000000000000-mapping.dmp

Download
memory/1832-55-0x0000000000000000-mapping.dmp

Download
memory/1832-56-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1832-57-0x0000000001F20000-0x0000000001F30000-memory.dmp

Filesize
64KB

Download
memory/1880-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads