8582c4343849266da86edab47060a15719a25ebd2ae44ba4d4c7013ceac747ff

General

Target

74298115367.pdf
Size

88KB
MD5

92ec88534143c5a0ccc61e7fdd6f98f8
SHA1

baf99192584655e265a6f8d98171f4100535f758
SHA256

8582c4343849266da86edab47060a15719a25ebd2ae44ba4d4c7013ceac747ff
SHA512

2566c6324b8582118561f4b0e5abc5b737bdad37c5b5565a80dfa47b96741285a471ac876f57b12497521abcc652a227a78f45ccd0fa4bc1e8504427ece446e6

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207ab1720ef5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{991CD561-6101-11EC-AF3B-7EB9569AE3EA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000006a3f5619c43488bd1296e6ed1d6116f9a1623e4f04ddafa6d54d5759e80936a7000000000e8000000002000020000000d6c1e8fb50cdd342b54d8d16174dff3501c836a112f0fb8c9822cd5a6e4223752000000038aba1031ee6147f202a2c4011f47e690620047a353a87a50ee980232979128c40000000504ba60b26b84a49c0cca3a23c3803bb9fb32fa75947ad805d93f3da81b73dbd310657057288bf6b302dee56daeba5da35b6af006059f1c35c0e7f25761a5bc1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000008c25823e381b96274c6fb1e574372712fdfc2fbfc789231f5adef465330679e8000000000e800000000200002000000060eb01c094ef9e0ff83231e1718dc41dd32c9b583dd8e148f648bc5f0b67991f900000009dc2db9674ca2c004e4e9acb91bd6ee030326d3cf03e490a960fc0935f66e6dce8cc6043e695db14f2dc55453c50ca8a7b76ef072edfce5cb47316c01fda8906d09a2cf478bb9938c97e662943a1836ac3e7387f4fdd9bc7b48e8724d5f0595405a1c7e3ce377e4ffce82536e40e390f19a22781b3b122416dd948de9cf8c681438d01990aed852059d4d8baec8207f340000000176615a09f11e064d90ed1bd34f45ae69e293747410d1c48b25cae725c3ed3f2da3b45c23da58dec8dc93bc70c23f8a82fb7024622fe554dbed40e059cb869ca	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "346706979"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1292 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

572 iexplore.exe

pid	process
572	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1292	AcroRd32.exe
1292	AcroRd32.exe
1292	AcroRd32.exe
1292	AcroRd32.exe
572	iexplore.exe
572	iexplore.exe
432	IEXPLORE.EXE
432	IEXPLORE.EXE
432	IEXPLORE.EXE
432	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1292 wrote to memory of 572	1292	AcroRd32.exe	iexplore.exe
PID 1292 wrote to memory of 572	1292	AcroRd32.exe	iexplore.exe
PID 1292 wrote to memory of 572	1292	AcroRd32.exe	iexplore.exe
PID 1292 wrote to memory of 572	1292	AcroRd32.exe	iexplore.exe
PID 572 wrote to memory of 432	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 432	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 432	572	iexplore.exe	IEXPLORE.EXE
PID 572 wrote to memory of 432	572	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\74298115367.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://coretry.ru/uplcv?utm_term=friend+sample+affidavit+of+bona+fide+marriage+letter+for+immigration
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:572 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
85255d4a3657b1eea62e1314260bc9e0

SHA1
d820e05e6d86ef226b2df237f78ee3d99f255dee

SHA256
c84877d9f313cc5c6e536b8c8ecbdd2edde21cae08a3168b66547b7d5efa916c

SHA512
b375da0f0f4956fefb063a06873df9e538fc169ab904a202d6ceafe55a0f9f9817c4c61df5f22b9ae3e17144b1854c772eb7494b83d5f7208a2131139f8a7bb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GFDIC405.txt
MD5
7aac849d278e404884ddc62ee562914e

SHA1
506f8694eef27c5818c307b56d46206df3bc772b

SHA256
952e8139b6645cbde12f27679776b85eb14f24d82c91a680f948f3de06bf90e7

SHA512
c3f2d18a160412cf8ee7d18af6915ec62ae2919a6f4675cc92d28a44cd37d84e34fde9b45d9515f6c9a9bccc89e27b7ebbb20acaf3f1e21cab968154142cad59

Download Submit
memory/432-56-0x0000000000000000-mapping.dmp

Download
memory/572-55-0x0000000000000000-mapping.dmp

Download
memory/1292-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads