06a008dbce17d3b8de0069ed613cf3b75efe781f68beeccfbc0cb5d497f0044a

General

Target

4e5babd52282234b954e5b9081e7fd60.pdf
Size

78KB
MD5

4e5babd52282234b954e5b9081e7fd60
SHA1

62546eb9867a789aaa8058a31e30f69530f9feb6
SHA256

06a008dbce17d3b8de0069ed613cf3b75efe781f68beeccfbc0cb5d497f0044a
SHA512

6d992003079acaffe84ff94e105f8ac84b868aff0b974662dd13e988eb522215893e0d3d90e1b0d591cfafc3188ea4a765e8198ed778687d9235eb666999f047

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 007951dabde1d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD0E2DF1-4DB0-11EC-B22F-6E030FB8EC08} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab00000000020000000000106600000001000020000000f8828176d63ccfb5e555000aa5e8cdf5ce73f83163710dbdfaf09f935843c164000000000e800000000200002000000044e0c93d6ff52ab505c3b74e2c79fc50852662af7a0014744c3508a81ecd38ba90000000dca6f4e07cf6955853e0d42b01a914dfb3f314ad88040ca11f1c2e9337756d7d3695809abb830eb3bfd428cb325e418297507a52703d8603f52c107981ac4267d4cbf524e2f93175bd0e3e251cf03293c7701732befa014a5461c88aa6f1c146d90cdbc528a5837f926d0c21dcbaf20f8f463782d09f9fae94927b2b9c6cfdf82e671d006b319b8ba09d46dc4aaa387a4000000036a5bbaa1765afeec411da238aeef0be7725ce65224fa176cd98a2c260807623cca8a3eed2ced82ad4cd7e09d7d55baf047df0a3154a68d2ffad98a8f2fb1339	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "344583285"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb601b266500a1439caac4cd216a44ab00000000020000000000106600000001000020000000a2e6bebfcd4cd3a2fc17989e3016c1e2400c7a29e923c1805aed64d9f1472f5d000000000e800000000200002000000026012a303696a2b3e429b4e9826dad154479e55d434dc50047bfd8621f383f9f20000000cefd9c585cf7aa19c281a07db194617c3cdecd96b37f6d85a14748d69a7188f340000000e4a1b4322bab9ba1990821b2c1c807de65c88bde36918aa9bd90079699bf9c21fc85b5510b316b55f3129490fd13ec337a1c9d8d60ec4b4d72e8748299ce9331	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2036 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1920 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid process

2036 AcroRd32.exe
2036 AcroRd32.exe
2036 AcroRd32.exe
2036 AcroRd32.exe
1920 iexplore.exe
1920 iexplore.exe
740 IEXPLORE.EXE
740 IEXPLORE.EXE

pid	process
2036	AcroRd32.exe

pid	process
1920	iexplore.exe

pid	process
2036	AcroRd32.exe
2036	AcroRd32.exe
2036	AcroRd32.exe
2036	AcroRd32.exe
1920	iexplore.exe
1920	iexplore.exe
740	IEXPLORE.EXE
740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 2036 wrote to memory of 1920	2036	AcroRd32.exe	iexplore.exe
PID 2036 wrote to memory of 1920	2036	AcroRd32.exe	iexplore.exe
PID 2036 wrote to memory of 1920	2036	AcroRd32.exe	iexplore.exe
PID 2036 wrote to memory of 1920	2036	AcroRd32.exe	iexplore.exe
PID 1920 wrote to memory of 740	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 740	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 740	1920	iexplore.exe	IEXPLORE.EXE
PID 1920 wrote to memory of 740	1920	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4e5babd52282234b954e5b9081e7fd60.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://feedproxy.google.com/~r/skout/mBVl/~3/DOqCt-cVA4I/uplcv?utm_term=asme+section+viii+div+1+2010+pdf+free+download
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
28e453e75460c0a04c393a2eac4e915e

SHA1
0b02660951051c3a26083b9f85609933695d351a

SHA256
20db0cca2a417376cac9dc2c8996da1c2aee0485457abdd68d149b187731d350

SHA512
5cdd3424f235a1af38ad289a1ff22e7c9f1d838026205c38bae7c3e5a865ed03d6edf25f215f2595b57ff181245fa6b3514210e135c6d360bcec33e058b5f258

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PNJNRZRD.txt
MD5
2247248eca93c4ced1990a207c43aa5c

SHA1
b327902c6efdfad1fe368979780ccd39e38f4dc6

SHA256
948acabe697882dfc5d589f05f92d7eda22a51114f1fc8a2ea48a3c55c76cc2a

SHA512
5d5021333b59521e522fdaedee58b95e695c27198557a102cfa3227956550db9dfcf16a74534a7664302f5941d5675ecea1ac939dad8762d4766fcd613fa9077

Download Submit
memory/740-57-0x0000000000000000-mapping.dmp

Download
memory/1920-56-0x0000000000000000-mapping.dmp

Download
memory/2036-55-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing