1ae689c455de332bf15e6768f2e42f8f4a4a75180b577f1fa083f30a0b3f2e84

General

Target

commande 15545-56656.pdf
Size

2.0MB
MD5

2f34e45fdab67aa048b76f6500956f46
SHA1

fb9aedab28de27e62be1813d72a5b999b7240b39
SHA256

1ae689c455de332bf15e6768f2e42f8f4a4a75180b577f1fa083f30a0b3f2e84
SHA512

f210302a3b3b277260f4135f0c97cf62b1f0c8a7a0b3f4bd57c6be7178e6634b7b4767a7ac598fe95038bc9ab2a284f05b3e4b3762257d64482ad0a0b0d670b0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E34E361-5CBC-11EC-A5D3-46E10ED6D8F2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000cfb3b03b0cc9c73bda55d2293d1957ad36bc301ed429fb688c211dbb8286162b000000000e8000000002000020000000bf3c758172a28820c003ce81e82d22112b952b8f8ffe7051630a8ae4efd2cc752000000035b53ecb5faef5cbdd067a26cd4f6428891206246e4be5c3af1e0f29b11fc55140000000d1067821df8addf9b8e344a1183516d9e9f46bbe5a0fa8d56475da482d7afc06c6d231406356df8ed5465e78440ee19f656eec12faefb075680db4c2db663a75	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "346237548"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0be1477c9f0d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000003a7448c8a5bbc78dec6f07946252e728137efa97e26390da22dd92971b0d6483000000000e80000000020000200000001dd652b477525902ef779bd65700dc201ba42f92aeab4f8866b033b226bc3ad790000000ae35868ca30e2582e142449dc392a5d1ee398bb5784dd186b5e67e8afac5455839b084a2d33b7a9bfc23c266df285991f27e9318356178612ac56dc631493ad5a0c9ba5157b5a9681ab22b4ef7e85b4fc3022c934b06dc1eff3412088789037eb33cc533f583008e85cdd602c89b1ece28cc58acdb728c8689da76ccbeeb674c16b91dbffad4b533e07a89dee9f90b7b40000000a706675c4ee21aecc694adfe6d8a73af096b8a269ed53e9933bd25a50a97131a6e8587cb2f142fbd4f8ff3bfb488c8888df4c9125c4717b418146496c84553e0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

952 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

556 iexplore.exe

pid	process
556	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
952	AcroRd32.exe
952	AcroRd32.exe
952	AcroRd32.exe
952	AcroRd32.exe
556	iexplore.exe
556	iexplore.exe
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE
1776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 952 wrote to memory of 556	952	AcroRd32.exe	iexplore.exe
PID 952 wrote to memory of 556	952	AcroRd32.exe	iexplore.exe
PID 952 wrote to memory of 556	952	AcroRd32.exe	iexplore.exe
PID 952 wrote to memory of 556	952	AcroRd32.exe	iexplore.exe
PID 556 wrote to memory of 1776	556	iexplore.exe	IEXPLORE.EXE
PID 556 wrote to memory of 1776	556	iexplore.exe	IEXPLORE.EXE
PID 556 wrote to memory of 1776	556	iexplore.exe	IEXPLORE.EXE
PID 556 wrote to memory of 1776	556	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\commande 15545-56656.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://youngcapitalistrecords.com/ybellinger/docu10-SELFHOSTING
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:556 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UN5Y4PRS.txt
MD5
0792710114377c188fd81afbebb46c9d

SHA1
3f0e64dbad7bbe5041153091164e06e1e10e0569

SHA256
ed0dfbfb54cda69c0dc697c19f9840485333e9df6ce6dfd53bf8bdc359fb9499

SHA512
0f9179b7659f2a3181163fc8ae95ad810edcfba492534aa9dddaa6e3a0bc40fed1c3257ad75d43d6f23973fb4d1566649d205756a83634a529d09ed187cd1fee

Download Submit
memory/556-55-0x0000000000000000-mapping.dmp

Download
memory/952-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1776-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads