45588bd540c3664239a86e838628d0eb4c8304b1f27e41c3beca84473b737c35

General

Target

09c9d9827554bd4361be386c70a8db9f.pdf
Size

30KB
MD5

58c0e38e53d932eaf9b3461fee556171
SHA1

b5690a1b9a0df83eac3ced67bf15930760aadc20
SHA256

45588bd540c3664239a86e838628d0eb4c8304b1f27e41c3beca84473b737c35
SHA512

365f2630d7ae81af270f937dce570d6f0387d34dd6d6db11a449fcf94885b35692d295f3bad982ad6fa8e524b1fb6a16b7b1d4accc6a442eef6512e33c9cb76b

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ba116111dad701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87D76F91-4604-11EC-A20F-5EC4CE0CAB55} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343739558"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000668c71e690a3213cb2768a0b59f75cbaa551b53ebb0c00885adaa1e2fe7092cf000000000e8000000002000020000000f788fd44a6387e5956d307dce99f22fa011cb71ca7e860dfcaaa66a82d3c13ab9000000018051889ae5991725b39585b638d503ac7c3bf2bd43b69aa521da7bdd1a461499f39f450b423a73dac5ad60cc327ce56f585477fa42209eaeffff9fafa0183b63d8bbfab8f847dd8da4f0ab24e6dce5b3d14964e8ff9001dccab33fd91fe87cf6d4e12d7a40440fee130a1d297c6a64857171ac83ed01955a9f6d5de3fc172e156845ae3ada97ffa66b63bc04d38ab6540000000af8a24e175384e67fd149440a568a163bf749d7f269ab9a474cfc92ea390b0c54b83eb80ded308aae4f7dea659c33d8cb386146d7ee0169f429df933c6c2f9c5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb19360000000002000000000010660000000100002000000086de8396b8ef2a6bf5f986a5d004eeb52248ffe489d4fe0116e3f1915fddd125000000000e800000000200002000000038541fd903adb4b9782c65678a892142afeb4753f591a39f17c9708246eda3c120000000e02f12e32031bdc6d550536989a849e984d508d94b643cff3129b9ac2738f85a400000004c0489ad786a6ce989cf9bdc64001c9a274241ec56f0342320878f279d683b3d8ab90a45ba8a2d983bbd9588bcaf9e40c6805fdba7ed92a7d4087859655e5505	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1620 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1448 iexplore.exe

pid	process
1448	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1620	AcroRd32.exe
1620	AcroRd32.exe
1620	AcroRd32.exe
1620	AcroRd32.exe
1448	iexplore.exe
1448	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1620 wrote to memory of 1448	1620	AcroRd32.exe	iexplore.exe
PID 1620 wrote to memory of 1448	1620	AcroRd32.exe	iexplore.exe
PID 1620 wrote to memory of 1448	1620	AcroRd32.exe	iexplore.exe
PID 1620 wrote to memory of 1448	1620	AcroRd32.exe	iexplore.exe
PID 1448 wrote to memory of 1608	1448	iexplore.exe	IEXPLORE.EXE
PID 1448 wrote to memory of 1608	1448	iexplore.exe	IEXPLORE.EXE
PID 1448 wrote to memory of 1608	1448	iexplore.exe	IEXPLORE.EXE
PID 1448 wrote to memory of 1608	1448	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\09c9d9827554bd4361be386c70a8db9f.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://corporateestate.co/fefadrn/R3ZrNDLYuVKQaQILApkrOjlMcI8/ZFs1qPUFTEVhnhxvEa8JM9phXZaf/38xFhqspEhvuliDZnDbz1PDeWaQ/UCpSt5va2wWqTK0yABq5G0q1ikdw3irbaK?e=30QBKaz4HBgh6sBOClRWQhzZj2o9I6gpOOXllmBfAVwid8mrr98AwpvM2Borange2xEfVHdaU5EuyxD0VEe9cJN2dRRWuXZCdsD6L0zqAOc0nzuQFwxZN9u
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BZ9GOOS7.txt
MD5
4efb961cc843708c667515cc72527bd0

SHA1
d258b9f8ec807984512f65c16a9193595e66bb3f

SHA256
d0435ec4961b59ab2d1da2aec2504af9bc6b87878a7dc8e244fb89ac0ae7b030

SHA512
efce28798d07a54c445c0c543ed70af9e2d607fa1d94ab094ff5f0c7d3bc9959676dadd2b0572782ccfdc218347a9b75a595448a228454232a6fc2e02591cf70

Download Submit
memory/1448-56-0x0000000000000000-mapping.dmp

Download
memory/1448-57-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download
memory/1448-59-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/1608-58-0x0000000000000000-mapping.dmp

Download
memory/1620-55-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads