57bed7441de5b4e401bd3237d44b5fffcbc8ff4a88569959edea7573bdd13ded

General

Target

prbsbnk21nov11.pdf.exe
Size

214KB
MD5

fcd9a3c4fcaaa8b79160097217e72990
SHA1

1952f5b38218ea08e2efa6f00ef3537df675b805
SHA256

57bed7441de5b4e401bd3237d44b5fffcbc8ff4a88569959edea7573bdd13ded
SHA512

19e4ebe418d44fb3bcc848dc484a30961106af0204f2ffd20b57ea67cc618404c1a369d248971d3dc5f47d2e66cfeca98a94adec2d05f597b134229cb3e9f483

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab000000000200000000001066000000010000200000007d35e974500642bd89fc264e7867351b412652b32ec9fafdb99e6ddc095b377e000000000e8000000002000020000000b49f5f1316d44f87b4df6cebff7819a60f43301ff36b16162e6d7886cd2c8aec90000000868e473c92b6867424c6a4eac4289436cc2bbff2b2645e5960a0a0d7244ffd1016419f1242f6db1e1940701ef3c3fb355882538c209f51ac2567db7af79b6a27434204c2bc14bf2aba29f5e1c437164d7ce4bbc817caa0fc24b28584dc519f911c7efcb6cab0220b619f4dc34c4939b63892b42fedd0f3ee0796af7e2429c2d792c00ae178760176c3d33a5677ae5b1740000000a04848f2cdbdc41a14d7f114a19b500ad9bd08590a3e6156e4b341669fb4ac947dad7f3bcb43fe8fb041f1987a747632798f0a0497bddf5ef5177feb39b794c9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343483591"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab000000000200000000001066000000010000200000007f46edccf5a3db3d438f80804ce457bed38e12bfba97011bb0435aae0292d6e7000000000e8000000002000020000000fb8b66ffb4c7fee692bc564618d9461be20dca6446592dfec11fea38adc8d90c20000000948183a247fd160f8db7f5d7c3647caa44a7845b34b80773f73fad5c1805bb7340000000df0ad1e91e839f6a6e630b644a9a45851023d67b09838db90f868ff14b0e85617df8939470ce8ca535841f6fa3a6ec542a1f89a3d273d094f511a0141b804076	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0224074bdd7d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{907FA0F1-43B0-11EC-B70D-7EBAD90671C6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1100 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1100 iexplore.exe
1100 iexplore.exe
364 IEXPLORE.EXE
364 IEXPLORE.EXE
364 IEXPLORE.EXE
364 IEXPLORE.EXE

pid	process
1100	iexplore.exe

pid	process
1100	iexplore.exe
1100	iexplore.exe
364	IEXPLORE.EXE
364	IEXPLORE.EXE
364	IEXPLORE.EXE
364	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

prbsbnk21nov11.pdf.exeiexplore.exe

description	pid	process	target process
PID 1648 wrote to memory of 1100	1648	prbsbnk21nov11.pdf.exe	iexplore.exe
PID 1648 wrote to memory of 1100	1648	prbsbnk21nov11.pdf.exe	iexplore.exe
PID 1648 wrote to memory of 1100	1648	prbsbnk21nov11.pdf.exe	iexplore.exe
PID 1648 wrote to memory of 1100	1648	prbsbnk21nov11.pdf.exe	iexplore.exe
PID 1100 wrote to memory of 364	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 364	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 364	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 364	1100	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\prbsbnk21nov11.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\prbsbnk21nov11.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=prbsbnk21nov11.pdf.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1100 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e09653e4be64232ea760a94e490074a1

SHA1
b0bbfde81cbc7326d6a03cdea619d60b50ef7813

SHA256
6a26b5635f9343e092df3e4c256a132da0e03ded3ede7b58a38da3f7adfc7d49

SHA512
1d95f1e9de665dcaccab268a17e6870431db9ad0a3b12488e5802591c40c3d897c5f0a65984ff000a8c60b058e8de1f53b9d6fd144b9738421dbfb14f2ff3ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\01ppg24\imagestore.dat
MD5
23664e110f380c0e32acb3446731d684

SHA1
e552ae1a53131470b489e02f92678deece4aef98

SHA256
6a4aa19b86ddc29ec50714a4cc2045ad8c08f323ef62c9e64ce55795054a5017

SHA512
8181b8041ad0649fc498453def73e6b3e6b200aa3046361097ea5dd1efe19cc9676362d81373bbff92e41132014082181bcb43d9d262d11a836bf466ad903df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DAT34R3F.txt
MD5
00c423118b5561a32f6bd5f80e12ce53

SHA1
aa4e85ead3b423674daa8947abd9013df4281061

SHA256
6ba71103de40b3302b3dfa90dc152d1e0446d3c609bc4e2aa9f80d167246fc76

SHA512
55f7b6245514872c928839beb74bed81528bdcea53b426358006c2b5e32b4d5eece78cbcda4922df4553a7014f12cce6af507c44b17260e89fa80e29479f7771

Download Submit
memory/364-57-0x0000000000000000-mapping.dmp

Download
memory/1100-56-0x0000000000000000-mapping.dmp

Download
memory/1648-55-0x0000000074E51000-0x0000000074E53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing