960819fad5679afb7c056bbe99f15507f0b4994249e4d21d739394a3e4a3ffa0

General

Target

Invoice to Approve.pdf
Size

105KB
MD5

260b691e864099d828631587be5445eb
SHA1

d560fe474d6442a013508fa29429b397a36729cf
SHA256

960819fad5679afb7c056bbe99f15507f0b4994249e4d21d739394a3e4a3ffa0
SHA512

2b8b9199b9bc18315c2a8b2abdfc46d694418abb1337f2f0fd07bd42ce8c7bc848fbc759cdfe7e3e694c939a13378bd7d0ab3caf7cdb1998e66c33a66d6bf708

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9DFBA721-6F9B-11EC-8C33-C64E4713EE09} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000dcde183ec3c31d8a4eb721427ca5305ba1e033e875866ba9e41e278324c35fa6000000000e8000000002000020000000199d656234927d5da7e39c4526fe26416fbd48170a8d5aa78a74689fc31430ac20000000a7b4069ff2673a730dfa33f9b4a476ea733469399e8c772e80efad4a0955238040000000b62b5e8f645bd66cf44ca8ed55574c8e6c8380e1efac36e0844e0368fbdb5ebfc4a88c9d6d688bddd3c7826478271feb4755fe93afbde3ecc02185b4a832b336	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02f077aa803d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc920000000002000000000010660000000100002000000076e4f206f365bfc64da6a2db5916ad6bfd9392042079ab4a5ce1c0d057f64dfd000000000e80000000020000200000008d3ebce528a189786a0b27519f603ee3132950423fd5e8096af3bb7547a9cd969000000082d2a9b3859c6afdc6a93e020ea986bbb71b8d5da2ef3e63c0ccb0f4f9910433e90817727cf495e93f691e8f7599e772306aa4391ebae79cd29d5e3d7dc5113cba1be9080cfb77dfc3d72a1af0a634b19cfe111fafdf822dd2798d4217b35809491c88c007d2cf1c2f947d82bd192713ed11ca9246757d54157effcc344b6bec5413a0bf0261451d7c5e49eb4573e70e4000000063c039b8b75fbcf724989c9d1c5597a71d68f6281cd59b1011073b0afed686c1c67e1528480bea2b79ae0731ab6f5c5955bec0d15af096d5c9c3f2d783c8b188	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "348312447"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1516 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1620 iexplore.exe

pid	process
1620	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1516	AcroRd32.exe
1516	AcroRd32.exe
1516	AcroRd32.exe
1516	AcroRd32.exe
1620	iexplore.exe
1620	iexplore.exe
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
1620	iexplore.exe
1620	iexplore.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1516 wrote to memory of 1620	1516	AcroRd32.exe	iexplore.exe
PID 1516 wrote to memory of 1620	1516	AcroRd32.exe	iexplore.exe
PID 1516 wrote to memory of 1620	1516	AcroRd32.exe	iexplore.exe
PID 1516 wrote to memory of 1620	1516	AcroRd32.exe	iexplore.exe
PID 1620 wrote to memory of 1576	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1576	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1576	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1576	1620	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice to Approve.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cloud.degoo.com/share/4q2CXPRvl7uRimoweumjzg
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
31e331bb3f1ed0af6aab841ac0ae8a62

SHA1
2441ca9693ba7effe9d25895bda724725c2f4b67

SHA256
993534698813b2008fd36c4989fe2995bfe2188cbdf32b8f75fab900cb40d2de

SHA512
b5d7273289db7ed72a80a8333fcd13ab0e1dcf57b9031168bcf3c61c58462f3c259993a09b1db600600c5445792b4474c26233678ecb49b554b98a5bdc71d5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3AI7S2SY.txt
MD5
2e70052f584018a20f09360ce31e8095

SHA1
519548379f7225a68abb6af2c1f4f783f861b98e

SHA256
32bad9ee646b79a7d4c7c004df4311826e196ce0be6d037c50b24a314c5c0f9c

SHA512
a1b7b26c47b1addae2bb0829b33caf0262e364a2ea8130101da6bae7eb9f49894e502c5815757ef7f130b56d00f022dd7f1556b1e6b17d0657cd116944e15e72

Download Submit
memory/1516-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1576-57-0x0000000000000000-mapping.dmp

Download
memory/1620-55-0x0000000000000000-mapping.dmp

Download
memory/1620-56-0x000007FEFB611000-0x000007FEFB613000-memory.dmp

Filesize
8KB

Download
memory/1620-60-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads