ModuloConfermaIndirizzo_2016_56.zip

General
Target

ModuloConfermaIndirizzo_2016_56.pdf

Filesize

89KB

Completed

16-11-2021 11:58

Score
1/10
MD5

3e4e9232f4a973055eef13a2692ffc54

SHA1

94cc703064b56a0416d884be1bf6a2edb66521c1

SHA256

445f1576ff067209bd366064032e5826ef4b3b0e6b299184443053be75e49289

Malware Config
Signatures 5


Defense Evasion
  • Modifies Internet Explorer settings
    iexplore.exe, IEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

  • Suspicious behavior: GetForegroundWindowSpam
    AcroRd32.exe

    Reported IOCs

    pid  process
    836  AcroRd32.exe
  • Suspicious use of FindShellTrayWindow
    iexplore.exe

    Reported IOCs

    pid  process
    804  iexplore.exe
  • Suspicious use of SetWindowsHookEx
    AcroRd32.exe, iexplore.exe, IEXPLORE.EXE

    Reported IOCs

    pid  process
    836  AcroRd32.exe  (4 events)
    804  iexplore.exe  (2 events)
    432  IEXPLORE.EXE  (2 events)
  • Suspicious use of WriteProcessMemory
    AcroRd32.exe, iexplore.exe

    Reported IOCs

    description                     pid  process       target process
    PID 836 wrote to memory of 804  836  AcroRd32.exe  iexplore.exe  (4 events)
    PID 804 wrote to memory of 432  804  iexplore.exe  IEXPLORE.EXE  (4 events)
Processes 3
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ModuloConfermaIndirizzo_2016_56.pdf"
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:836
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.b-soft.it/FOTO/DHL/ModuloConfermaIndirizzo_2016.exe
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:804
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:804 CREDAT:275457 /prefetch:2
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        PID:432
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\59D5FEL2.txt
    MD5     675b382e051c79e8bacb93a82249f42c
    SHA1    2dca7b031bbb656a07375582f61834b40b9500e5
    SHA256  c27e3f2582f391d1f49fdecd1541bd613d9b9bb89eb10f3b30834806f4d5b76c
    SHA512  d2ad91e543c527152fa004d663be5f4683cbb06fcd7333e98720e129a9436bd5a53ba4b0480b9e38b28f4cd3651cdc6660fbbb9bf05b64a30ee376cb3a7d9052
  • memory/432-57-0x0000000000000000-mapping.dmp
  • memory/804-56-0x0000000000000000-mapping.dmp
  • memory/836-55-0x0000000076531000-0x0000000076533000-memory.dmp