7700956c40e85ab484f4d4c937dd41d9f7733e5f83fdb14ac6d67d2072edfffa

General

Target

16072221066cf9---sukinumer.pdf
Size

74KB
MD5

2079f4005121937ec4155cbf95d61154
SHA1

92bc3b68cb19c0e4d1bc0bddb72cd3af0adea8db
SHA256

7700956c40e85ab484f4d4c937dd41d9f7733e5f83fdb14ac6d67d2072edfffa
SHA512

5b7bf1f16d44ceddd88ee852f591d4aaade13b7602f23000e02971acc883408b38469be0884a69fbf89c1145fcdc1ba4c4a311b7522ed4e2dd4f8921a772decb

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc920000000002000000000010660000000100002000000076c1915e0ab55ac4c1845cc5e656bce0c2d0c09d2ce1ebfc62df466c4adb0d69000000000e8000000002000020000000118cb02f43ab0b9d581b5ba2898830744d42bbe9d4c306fc10ce11902eb6280a20000000d6646407e7494ac6b96807bea2b534051302c7cecddd87474c1e94c7581fa0f64000000073d7d0b1652f39c38875920e3eccb626bf070688bb8e8451208a0125304178ffc17287e8bc123199b50ef163ac171c9b4ab355939a180f77b7917026f531ef2f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000129269f29ac6e056a0611366e06ebdf0bd2b8b908736b9fd45054f2ada13264c000000000e8000000002000020000000fd87b923e618294a5c009573bb63c217ffe6c87ac99c6be2d9ae40ed4a8f0cf990000000dd353475c0160e146567cdac4d98580143c828612909c1afa50bb7d7fda8d468302af4e756e835ccd57e6346e7b29a0b1b4972704dc9be5c6ef16478da070b448638275b6dd27179caa30c7d84dd33e03c26b95bb687c497ea756ee22a77c8f9ba4b251f3a139f7baefa70b2c6da25faa5e7e5b584a6eb0e581237d4ee89c241bc36f38be4871d5fbc54a923a2d25321400000005175c32f460229ea585280e969087750196081ae08ff6df9aafac9e53c9e9334603b5cbf6011f0f879fa5591227a2d4d061d34b3e7d7b47531eacd60055c8b16	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0020c91290ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5941F21-761C-11EC-8C33-C64E4713EE09} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349027598"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

964 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1620 iexplore.exe

pid	process
1620	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
964	AcroRd32.exe
964	AcroRd32.exe
964	AcroRd32.exe
964	AcroRd32.exe
1620	iexplore.exe
1620	iexplore.exe
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 964 wrote to memory of 1620	964	AcroRd32.exe	iexplore.exe
PID 964 wrote to memory of 1620	964	AcroRd32.exe	iexplore.exe
PID 964 wrote to memory of 1620	964	AcroRd32.exe	iexplore.exe
PID 964 wrote to memory of 1620	964	AcroRd32.exe	iexplore.exe
PID 1620 wrote to memory of 1576	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1576	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1576	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1576	1620	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\16072221066cf9---sukinumer.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=lcd+vs.+plasma
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
fe3025a5c29967d74514fc88e4982fe5

SHA1
c3da795b869a5b02882c38f7dca4df095e03ef2c

SHA256
587dab35c0f4be656fc0755f2312db6c7bfadccf89353f154b7a15c457387205

SHA512
5c16a81f779d5305f983d1634f103463f714dcf181877d4011f1f82784616ba00cc368bad5618c7a34be3329cbb534fd555022a30d9ce32fbdc0247d2f4a80fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\210AZLWT.txt
MD5
081c74e8801388df86ae61d93a47487c

SHA1
fa58c0a729b8a3b0b0935426163de4c877b8e5a5

SHA256
76540e90eacedd38e9f92cca244c70d375d8ae6500749301dfcbe58ffe712954

SHA512
2e71d0924e061b0d18ee8766593e0b20c61987e9a1df224348cece00f591489413df4193451b547a7dcdc5f1c3805482533d74df55017c6236e839f649240102

Download Submit
memory/964-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1576-57-0x0000000000000000-mapping.dmp

Download
memory/1620-55-0x0000000000000000-mapping.dmp

Download
memory/1620-56-0x000007FEFB611000-0x000007FEFB613000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads