8c4838099234cfad14a8b74c268477d16e0d31d1eeee5c9a00d688ae1fbf7082

General

Target

FAC-DOC-2022-5KO6KTGI49FK4JFI5GTK59KII59FI4LO.pdf
Size

120KB
MD5

78f5bdeef40b898c9311e8eb3f6ffa99
SHA1

a0fbfeea543b682b5786b8856ac62151f46bb12f
SHA256

8c4838099234cfad14a8b74c268477d16e0d31d1eeee5c9a00d688ae1fbf7082
SHA512

e19b7c423d5b82e7eaecc168d71867712222d781fc94ad691ebf3d14a9618a8806b55074884cc68c4bc67e436978f083ea0d178eac99eb37e9f7bc22c96587dc

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "353710939"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab8535dea0c55241b6e6a02dc814678c00000000020000000000106600000001000020000000b4126417f9cc27270b7718eadc8bd5c6b373332bf71b185de09d0203f3310aad000000000e8000000002000020000000c2e598d13ffc5de09e04ffe03a231e4a2012f67106318444bc8476a591ce7c7890000000b821e200d83251398d7236c71ece676cbb2fe222c77e7fdd0be252b06048156caeabf09638d9f8914dbc5b369529b54c69d87e199f8f48d4adcffa096d3fd6118c10d805f1e0b2a4e45d3401678db434223a8af32acf25e896a7083938b5a00f2673b95e1793fdcb03b4676f7d653267c1c127365e1f2b5b769ceafad383985284606350f1548d0125746b9227eb862640000000f04b326ee6e8f5b85ef633059929b6d8390f12ceba25798569c46374d0507e59d4939baa40c411da03e14c63208b133d485bdf234e0b8967d3655a91e3777626	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F72AA7C1-A0B4-11EC-A960-CA7181F047CA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab8535dea0c55241b6e6a02dc814678c00000000020000000000106600000001000020000000e6abc7cc59d75899570ed2a2422f9fb900841a9267506af0b2b32b7cdd14996c000000000e8000000002000020000000d1d4ea654308283dd09266f94666983e2af81aa530f2307775d8242180cf8cde20000000b56991e8e40ce2edf3d21e64f457efaeb7535deff91a8a8c629605d72fdbd69640000000c6248853d1d374c4df7da0a8b406aec5168ac8c7b373045b4426464787ee0c3c67540c2a1e00b1dbcff320fd879a94c1cc02aab32e8dfb6e5f8e118e677a2603	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808a97cec134d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

688 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1104 iexplore.exe

pid	process
1104	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
688	AcroRd32.exe
688	AcroRd32.exe
688	AcroRd32.exe
688	AcroRd32.exe
1104	iexplore.exe
1104	iexplore.exe
420	IEXPLORE.EXE
420	IEXPLORE.EXE
420	IEXPLORE.EXE
420	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 688 wrote to memory of 1104	688	AcroRd32.exe	iexplore.exe
PID 688 wrote to memory of 1104	688	AcroRd32.exe	iexplore.exe
PID 688 wrote to memory of 1104	688	AcroRd32.exe	iexplore.exe
PID 688 wrote to memory of 1104	688	AcroRd32.exe	iexplore.exe
PID 1104 wrote to memory of 420	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 420	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 420	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 420	1104	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FAC-DOC-2022-5KO6KTGI49FK4JFI5GTK59KII59FI4LO.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://clickmetertracking.com/doc-pdf-html-tgj39dk23is
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
9db186df017f7aa5b1734bba726da607

SHA1
31251dbb9bfc044a33aa054d3736b618075dd43e

SHA256
abe873fedf365c8efbacabb7ef23c87f33b8210c37792ceebbaa1b151835f431

SHA512
30a564ea062516fdb9b3fddc7e897c62fb21b40e619503b10f48e90b3b3da6b9626c6ca56773e6671f602284b92e3ec248525a78d189cad77022f752ea04e868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rx62z5k\imagestore.dat
MD5
b270efd52dc0a0d5bb6a95d47346567b

SHA1
a5d44a7710c1f560affffea76b6295f1ab46b7c0

SHA256
a4ae11fd906c8c2edb01faf6ba31f23ed64d06cc86c5070c27d22674878d93d1

SHA512
476421e8c12150a41ad9fb103190cadaa0a17f91aa64370d52adacf617a0ba32eea158b792e82fc87eed377f20469f050d87551968438a2cda7f2a20380d97f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Z8K92S2R.txt
MD5
a9f02265e1ee6d13735d987ab7e6cc6a

SHA1
03996a62ad96070d4429a0a158ad196c2e007654

SHA256
dcc951aecb403bf0c251e9ac35e7213010ceb70c601cb24fda38dd951fbfc3bd

SHA512
34168cd99dbd79906843e34f5c2a6253f241c5581de80e39270ef5bf58ac49ba576bc5f4f89b55611220463e48bd5ba643d8460d4cbc820a99a26c802c104208

Download Submit
memory/688-54-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads