0d44129d366e4e9134b96a8db785fd10ac0558c271154acd30e54ba628d15eae

General

Target

Processo-0X7RVY_1529898.pdf
Size

359KB
MD5

35bd5b4df61bf52d807365c4a810ec36
SHA1

dcac4cc4429c6c7d52d9ef93af8732d6503c3d0b
SHA256

0d44129d366e4e9134b96a8db785fd10ac0558c271154acd30e54ba628d15eae
SHA512

bb2a44e1316c2254cd482e1a83f8a1be77553a16f1a9b996209b8bcb2b39413cc410aa411b07e15a232054df1909e167e5acdc922af66d9290ee263138f883ed

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8B51F2D1-8A6E-11EC-9092-66AA5408C5BE} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000e1e253a75ae11323d5076699846220f1a44d8e6007cdc1827e9c57f0b4545c97000000000e8000000002000020000000afcc24f9538f3901eeef6cc461a96750bf6199f241540dd6069384bf0c6135e3200000005ae7ab031b3cbd5baa619956f9e32c3e2bff90326ee8d2e52ed18e38c4cd57c5400000000e54c68858ff98d74cb0151fc7211d347efcc76a0d84dd79c7a357c34b57817682a6103a45996971558a746d3a99febec8daf7f182289e6615a89de8ba94a6f3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000d473d0ac32c2fb69cc2f4166276436dde5d6183dabd8b1b071111b22959f1036000000000e800000000200002000000002cfe8bfacc5806275da9fc40af5d9730fba431dbfc7b338af2be7f28e846a7b90000000f2f08642e0a885864e4e25127b6f55f599fcb9a179f0ca0e899a37555dda9c98015e57fec0ae88afc24338c9ab01f3817746ab835783eaca1f0ad6e265e285c45a61c3b1d249996603138ac672f23f0c2f8517749d87547e8b8110703781cc3c1bc0af712ec338e4bc563ab37341348a73d45d14477a91ceaa1047e9aca135c31831a0dead2be9b1bfc432eb65c1a17e40000000becd440d140eaabe75887f1115f460b9fd4d9c8f73264b648db272bec737a619cf647dd9f0bd6ed5c9e57b1471f0f44f9c5c067b0f7cdfecc05a7765e0f921d3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0099c6637b1ed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "351261767"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1684 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1800 iexplore.exe

pid	process
1800	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1684	AcroRd32.exe
1800	iexplore.exe
1800	iexplore.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1684 wrote to memory of 1800	1684	AcroRd32.exe	iexplore.exe
PID 1684 wrote to memory of 1800	1684	AcroRd32.exe	iexplore.exe
PID 1684 wrote to memory of 1800	1684	AcroRd32.exe	iexplore.exe
PID 1684 wrote to memory of 1800	1684	AcroRd32.exe	iexplore.exe
PID 1800 wrote to memory of 1652	1800	iexplore.exe	IEXPLORE.EXE
PID 1800 wrote to memory of 1652	1800	iexplore.exe	IEXPLORE.EXE
PID 1800 wrote to memory of 1652	1800	iexplore.exe	IEXPLORE.EXE
PID 1800 wrote to memory of 1652	1800	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Processo-0X7RVY_1529898.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://objectstorage.sa-saopaulo-1.oraclecloud.com/n/grcpdlqdhzi1/b/processo203023948845/o/documento.html?iuhbuheiuhiuhf2f93u2hf93uh2f9u2hf921h039f8h238fh9028hf29783869236823728678723687r76dgfddf
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a180774cd47d9b135926cd6e15f0a755

SHA1
5e6b604f525ca66ed895efd2d741aa867a0cfa8f

SHA256
cc9e25cc319cd0fd15707bb74258ad468d393d4a628bb8a699c38c7748595574

SHA512
3cf849db45f35ad6d52d192c9b0c599479662354e5cca62638881fae61c43d0f63bf13698be2dc4228291346f7991cb9c382ad039666092cb7296b0dfd6114e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MO564IR8.txt
MD5
ce5b1f602f92c1d8477bb88bfc186833

SHA1
590ee0f2133d91ea585dda6c10b0b38bd66f6e34

SHA256
672736bc9b4324f3028b8f5e676964109aa1473da7d87e92c06f06f8ce2d3dea

SHA512
232df2299b75a44b708a99df87463e281ed15dcb4e70777a96b71e350e9ef582e56676ee0eef43a85cc237a5ecfe181215d914e019392d1f09538546549820f9

Download Submit
memory/1684-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1684-55-0x0000000002240000-0x00000000022B6000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads