Analysis
- max time kernel: 119s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 06-01-2022 12:08
Behavioral task behavioral1
- Sample: 69750ebdc5ef1da9ec91ef594fc966cc.pdf
- Resource: win7-en-20211208
Behavioral task behavioral2
- Sample: 69750ebdc5ef1da9ec91ef594fc966cc.pdf
- Resource: win10-en-20211208
General
- Target: 69750ebdc5ef1da9ec91ef594fc966cc.pdf
- Size: 60KB
- MD5: 69750ebdc5ef1da9ec91ef594fc966cc
- SHA1: f4338e01d2ebbde8ee2e784f9034157b92352afa
- SHA256: 1878d91f418b3af2aafacb1c46dd408779cb9ecdd978290f2cd9993548368e10
- SHA512: c73b3d67e01aba49c9acaf0d39a0ccd79a681bf209534d257970262d0c3cfe04f5f2453a894ed7feeed060e68ae49b44ec8bd94dc5fffabc0d5e54c7d6269482
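The only behaviour the report attributes to this PDF is Adobe Reader starting Internet Explorer on a OneDrive download URL (see the Processes section). That is what a /URI action in the file produces when a link is clicked, or what an /OpenAction produces as soon as the file opens. The report does not show the sample's internals, so reading it as a /URI action is an assumption. The scanner below is an added example, not the sandbox's own tooling; SAMPLE_PDF is constructed for it and reuses the report's URL in one link, with placeholder targets elsewhere. It only sees uncompressed object dictionaries and tells you when a real parser is needed.

```python
"""Static triage of PDF actions: list /URI, /Launch and similar action
dictionaries in a PDF and flag the one wired to /OpenAction (auto-run).

Added example, not part of the sandbox report.  SAMPLE_PDF is constructed:
object 4 reuses the OneDrive URL from the report's process tree, objects 5
and 6 use placeholder targets.  Only uncompressed objects are scanned.
"""
import json
import re
import sys
from typing import Dict, List, Optional

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (https://onedrive.live.com/download?cid=1AC0D6C8F26E34EE&resid=1AC0D6C8F26E34EE%21570&authkey=AFOqk0TvLVs1mHI) >> >> endobj
5 0 obj << /S /URI /URI <68747470733a2f2f6578616d706c652e696e76616c69642f> >> endobj
6 0 obj << /S /Launch /F (notepad.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|SubmitForm|GoToR)\b")
# A PDF string is either a literal (...) with backslash escapes or hex <...>.
PDF_STRING = rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"
URI_RE = re.compile(rb"/URI\s*" + PDF_STRING)
FILE_RE = re.compile(rb"/F\s*" + PDF_STRING)
OPEN_ACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")


def decode_pdf_string(tok: bytes) -> str:
    """Decode a literal or hex PDF string; octal escapes are not handled."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s+", b"", tok[1:-1])
        if len(digits) % 2:
            digits += b"0"  # spec: an odd trailing digit is padded with 0
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    esc = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}
    return re.sub(rb"\\(.)", lambda m: esc.get(m.group(1), m.group(1)),
                  tok[1:-1]).decode("latin-1")


def scan_pdf(data: bytes) -> Dict[str, object]:
    """Report one action per object and whether /OpenAction triggers it.

    Limitations: /Next chains are ignored, an inline /OpenAction dictionary
    is not resolved, and anything inside object streams (/ObjStm) or
    Flate-compressed data is invisible to a raw-byte scan.  When
    "object_streams" is True, use a real parser (pdf-parser, peepdf).
    """
    m = OPEN_ACTION_RE.search(data)
    auto_obj: Optional[int] = int(m.group(1)) if m else None
    actions: List[Dict[str, object]] = []
    for om in OBJ_RE.finditer(data):
        num, body = int(om.group(1)), om.group(3)
        am = ACTION_RE.search(body)
        if not am:
            continue
        kind = am.group(1).decode("ascii")
        target = None
        tm = None
        if kind == "URI":
            tm = URI_RE.search(body)
        elif kind in ("Launch", "GoToR", "SubmitForm"):
            tm = FILE_RE.search(body)  # file or URL to open / submit to
        if tm:
            target = decode_pdf_string(tm.group(1))
        actions.append({"obj": num, "type": kind, "target": target,
                        "auto": num == auto_obj})
    return {"actions": actions, "object_streams": b"/ObjStm" in data}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(json.dumps(scan_pdf(data), indent=2))
```

Run it with the sample path as the only argument to scan a real file. An action with "auto": True fires without a click; a /URI to a direct-download link is the cheapest lure there is, since the browser, not Reader, does the fetch and the PDF never has to carry an exploit.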
Malware Config
Signatures
- Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  Processes: iexplore.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 3052773df602d801 | iexplore.exe
  Note: the only write is an 8-byte ClientSupported_MigrationTime timestamp under the PhishingFilter key; no value that turns the filter off is set, so this is consistent with Internet Explorer initialising the filter on its first launch in a fresh profile rather than with the sample disabling it.
- Modifies Internet Explorer settings (30 IoCs)
  Processes: iexplore.exe, IEXPLORE.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "348235930" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{774F2691-6EE9-11EC-AF3B-7EB9569AE3EA} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Note: every entry is under the user's own Internet Explorer hive and is written by iexplore.exe itself (window placement, tab band width, recovery and domain-suggestion state); this is what a first launch of IE in a clean profile looks like. The signature fires because IE was started, not because the PDF changed browser configuration.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  1592 | AcroRd32.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: iexplore.exe
  pid | process
  1060 | iexplore.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: AcroRd32.exe, iexplore.exe, IEXPLORE.EXE
  pid | process | hits
  1592 | AcroRd32.exe | 4
  1060 | iexplore.exe | 2
  1868 | IEXPLORE.EXE | 2
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: AcroRd32.exe, iexplore.exe
  description | pid | process | target process | hits
  PID 1592 wrote to memory of 1060 | 1592 | AcroRd32.exe | iexplore.exe | 4
  PID 1060 wrote to memory of 1868 | 1060 | iexplore.exe | IEXPLORE.EXE | 4
  Note: each write goes from a parent into the child it has just created (AcroRd32.exe into iexplore.exe, iexplore.exe into its own tab process), which happens during normal process creation; on its own it is not evidence of code injection. The window-hook and foreground-window signatures are likewise routine for GUI applications. The one finding that matters here is the parent/child pair itself: a PDF reader starting a browser with a download URL.
Processes
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1592)
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\69750ebdc5ef1da9ec91ef594fc966cc.pdf"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 1060, child of AcroRd32.exe)
    "C:\Program Files\Internet Explorer\iexplore.exe" https://onedrive.live.com/download?cid=1AC0D6C8F26E34EE&resid=1AC0D6C8F26E34EE%21570&authkey=AFOqk0TvLVs1mHI
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1868, child of iexplore.exe)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Reading the tree: Reader opens the sample and hands a OneDrive direct-download link to the default browser; cid and resid identify the share and authkey is the sharing key that lets an unauthenticated client fetch it. The second IEXPLORE.EXE is IE's tab (content) process for frame PID 1060 (SCODEF:1060), not a second launch. No file written by AcroRd32.exe is reported and nothing under Downloads is the OneDrive payload, so whether the fetch completed is not visible here; the URL and its cid/resid/authkey values are the indicators worth blocking and hunting on.
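The chain above (document reader spawns a browser with a cloud-storage download URL) is a parent/child pattern that process-creation telemetry catches regardless of which PDF or which file-sharing host is used. The detection below is an added example, not the sandbox's logic. Its three events are constructed from the report's process tree (PIDs 1592, 1060, 1868 and the command lines shown); the event fields (pid, ppid, image, cmdline) are an assumption modelled on Sysmon event ID 1 style telemetry, and ppid 0 for AcroRd32.exe stands in for a parent the report does not show.

```python
"""Detect a document reader handing a download URL to a browser.

Added example, not part of the sandbox report.  EVENTS is constructed
from the report's process tree; the field layout is an assumption
modelled on Sysmon event ID 1, and ppid 0 is a placeholder for the
unknown parent of AcroRd32.exe.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# File-sharing hosts whose direct-download links are common lure targets.
CLOUD_DOWNLOAD_HOSTS = {"onedrive.live.com", "1drv.ms", "drive.google.com",
                        "dropbox.com", "www.dropbox.com"}
URL_RE = re.compile(r"https?://[^\s\"']+")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """One finding per browser started by a reader with a URL on its command line.

    Keys on PID for this example.  Real telemetry should key on the process
    GUID: PIDs are reused, and a stale parent would otherwise be matched.
    """
    by_pid = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if image_name(parent.image) not in READERS or image_name(e.image) not in BROWSERS:
            continue
        for url in URL_RE.findall(e.cmdline):
            parts = urlparse(url)
            host = (parts.hostname or "").lower()
            params = {k: v[0] for k, v in parse_qs(parts.query).items()}
            # A direct-download link carrying a sharing token is the worst
            # case: the browser fetches a second stage with no further click.
            direct = host in CLOUD_DOWNLOAD_HOSTS and (
                parts.path.startswith("/download") or "authkey" in params)
            findings.append({
                "parent_pid": parent.pid, "parent": image_name(parent.image),
                "child_pid": e.pid, "child": image_name(e.image),
                "url": url, "host": host, "params": params,
                "severity": "high" if direct else "medium",
            })
    return findings


# Constructed from the report's process tree; not captured telemetry.
EVENTS = [
    ProcEvent(1592, 0, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" '
              r'"C:\Users\Admin\AppData\Local\Temp\69750ebdc5ef1da9ec91ef594fc966cc.pdf"'),
    ProcEvent(1060, 1592, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" '
              "https://onedrive.live.com/download?cid=1AC0D6C8F26E34EE"
              "&resid=1AC0D6C8F26E34EE%21570&authkey=AFOqk0TvLVs1mHI"),
    ProcEvent(1868, 1060, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" '
              "SCODEF:1060 CREDAT:275457 /prefetch:2"),
]

if __name__ == "__main__":
    for f in classify(EVENTS):
        print(f"[{f['severity']}] {f['parent']} ({f['parent_pid']}) -> "
              f"{f['child']} ({f['child_pid']}): {f['url']}")
```

The IE tab process (PID 1868) does not fire because its parent is a browser, not a reader; only the reader-to-browser edge is reported, with the share parameters decoded (resid's %21 becomes "!") so they can be pivoted on directly.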
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  MD5: d0ae14b5c2e12f3e39dcae0f8c346bd6
  SHA1: d3f81e7e32640c38a2edc13c8e31458f8786e565
  SHA256: a2d1c29cb542d68b3813bfa93eece2d55ac12f3e9b744a1296d61fbbf57f3817
  SHA512: 1b7cf7900066f30dfd72de3d761dc20326b160a791e20df07358cc379917d48e3291cd2ac1f85cc72894c315f7dd8b24ff55735454da82d096866c055c1c62e2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  MD5: bbfc3d85f496b6878cf737238864961f
  SHA1: 0ad59c22e72ed7b76d0608f17e979eb99d4c3a1e
  SHA256: 67a039535754b605d549d7e782710e7deb22788cc4670b9906ee13de920d485b
  SHA512: a98bc4d06f4ce468fee9e6bf5e750aaffd0ef0f26425d3205ed414cd3df1224f95f198980a430721272400c7923f123eafef6409ff9665b605d9827895a6e289
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: bb4ba33703e72f78fd5cd8a6a904d6e9
  SHA1: 063c1289b506d7c995cdd55fee6ea0c1259e3028
  SHA256: a36ba75fe633241715859fb090f532f56e9b587965c0205c4034725f2ff23b82
  SHA512: 7746c414a4cd6102f49992685b836ec67a7eed73f8c459eb4565bfa5d11b412a9568bb3b8d5c7473ea4c09a4a0fd282965eeecc03a12eb7d562e131a8e85ab64
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1Q0FWJQ2.txt
  MD5: a69236ceb5410f785c582fdf64b61969
  SHA1: abc50943eba3070e029905110828b3348a108104
  SHA256: b621e336e0233844662196902fb68c9e54fc3889c037b65eae9ff466b7c7bc69
  SHA512: 6318b1b80ef09df99f447e613c1007b64af43fe4598176e412d6f8f3f37f575ac5ceeffdcbb69a2f6326f8d824f663d6c325d75acc6261d8172cc7c03f641722
Note: the CryptnetUrlCache entries are CryptoAPI's cache of certificate and revocation fetches, consistent with the browser's HTTPS connection to onedrive.live.com, and 1Q0FWJQ2.txt is an Internet Explorer cookie file. None of these is the file the OneDrive link points to; their hashes are artefacts of the sandbox run, not indicators of the sample.
- memory/1060-55-0x0000000000000000-mapping.dmp
- memory/1060-56-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp (8KB)
- memory/1060-58-0x0000000002C70000-0x0000000002C71000-memory.dmp (4KB)
- memory/1592-54-0x0000000076151000-0x0000000076153000-memory.dmp (8KB)
- memory/1868-57-0x0000000000000000-mapping.dmp