99c3586e83471b9e81882dcbac49a859fd45bc34351ddfa665d04f5d255c9b02

General

Target

history_of_liquid_propellant_rocket_engines.pdf
Size

96KB
MD5

2f3a66f935b32d85f2b983fc2767bfb5
SHA1

8f5ae992a350b851217247757781461df5f138a3
SHA256

99c3586e83471b9e81882dcbac49a859fd45bc34351ddfa665d04f5d255c9b02
SHA512

89eef695863dd3235c2fc42e6b4f0a7e3f869d95b780cf4e4dcd8cdac5778ecdf493e3e9fb666ea55a2070cf1e54050c0dde078bc162d5240741dc5c70410230

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d088f0d7f513d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350104893"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC253D91-7FE8-11EC-AFF5-422B4DF990B1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000cc387cb8960bf6ea1bcf0931e4b922beef0a50079de4a1b7e315abcae0049bb2000000000e8000000002000020000000a1972f9a81266c99b68a9dcc74e32784b04c35441241984ad433372aeb67fa41200000004f4249c6286cfa032abc9ddf28bfbe64cad60f7f7c0eb38182ff9e499619b80140000000b81c366f7dd8257db48982191f6866c436d78062517c169531a88678fb5684987619e08e1313c8bb435f0394d14c5e614c741db1273d89bba51dc0b340ac206d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000e41a93cdb634f137d11cb96385afbe9ed9ed87e371d0b9ab9a2558ded4cef56e000000000e8000000002000020000000dd45a0e0ff69bcf96905a05f2d208d3bdef7820cfb7eeb2571c2113af8840ef19000000033e8c1a19369f6a14c9f46562b58b3eeac86e317b3309c4b5a8a361a588bc486092b4136753bb3e6e7242f90a470a4263084e80cd903ddd88d96dd413a9e4e5396989245c3194d32b9454081974c873f2f328d5a3edf01ab0f120ea76cf92c96973859638edefcb522a61b4a50136cb0ec7aa659aaa502f665d7b02fd65cb8a7468aa54473e3e793d604467fc9f2e9064000000078e20fcfd9eff26895d65eff23ecba711239bffc35008021de2fdc8147557aff636507b7b2ab0d007cc6b59ffa675404f227327c1a2cf29305697d12133b40bb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1736 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1472 iexplore.exe

pid	process
1472	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1736	AcroRd32.exe
1736	AcroRd32.exe
1736	AcroRd32.exe
1736	AcroRd32.exe
1472	iexplore.exe
1472	iexplore.exe
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1736 wrote to memory of 1472	1736	AcroRd32.exe	iexplore.exe
PID 1736 wrote to memory of 1472	1736	AcroRd32.exe	iexplore.exe
PID 1736 wrote to memory of 1472	1736	AcroRd32.exe	iexplore.exe
PID 1736 wrote to memory of 1472	1736	AcroRd32.exe	iexplore.exe
PID 1472 wrote to memory of 1036	1472	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 1036	1472	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 1036	1472	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 1036	1472	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\history_of_liquid_propellant_rocket_engines.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://feedproxy.google.com/~r/Infin/~3/3fYlV-OKy98/infin?utm_term=history+of+liquid+propellant+rocket+engines+pdf
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
fbb22ad1be5e51fe15b94ff55139c9ee

SHA1
0b202ee24946bb12ebb8327fbc8fedd5997d39bc

SHA256
3a20ed9bb0f7b9b66e2185f2f027b1f9f84aab959c3e27c3f80e78849a59fc2f

SHA512
737da2186695e22e002f33ff2fdfee11500e4c314fa6547a0b3d24a94d89eef2005b92d9c50521590af2ece1aa4eb24671d48d5b646c7eab90786c82c55c1b36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\879DQQ9C.txt
MD5
f2b4e7e6e1c6a9388aa21a5a2bf5f248

SHA1
2b9013906593b3c86acf9e954498627ad677e400

SHA256
7b24deb107d57560e0e20dba8a04c7897ba34c571e5bfbe481fdf337831b1c2b

SHA512
f87e572cf9e89fdc923771159eff802c3666b635f4e7abccce0fd97c9f5f12c9bd46193fadb75441bcf38e8414409f140d52cb4b73f58556dd4215bcb43b0b32

Download Submit
memory/1736-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads