9cb3f090bfee962da6dd2248d9bbde9a82c1c4f5b69f4482b23b03f2ce27a4e4

General

Target

Spielen.und.entspannen_qd8g6vnSwTJAgYG.pdf
Size

614KB
MD5

b9d0493b482b3113a464495ba0f3381a
SHA1

d1cb79bd3af390d152b8f2d85048e158bb5661f0
SHA256

9cb3f090bfee962da6dd2248d9bbde9a82c1c4f5b69f4482b23b03f2ce27a4e4
SHA512

6a26b130cea852fd8d1411894779277e407e2dd82ca268e501a0ea33b9437b97898e5f196fea9800b511460b677218cd384fb6fc69f018cd9add24bc310ccfb0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000bd853662632873bc4ce99e0b4c9dea93836c0d42e476bae022a743dd78dcb0ca000000000e8000000002000020000000b2fbb01f197703acbb0778026d3dd6d1559394cc8442a7c919b49410086ae6d220000000fca9fc7be8eb69674b2fec4507dac37536bf242befdf610dc8e78102e1b6dcf0400000003b8df62ee40d7023c165c1382b988d0ce61116faf487c3882c7ed323b657e0dfc1ceb67a2605a79a546096a4927ddd95469abeebd9949177f22da0fae0867185	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38897571-B357-11EC-A102-FE6AF4D7C376} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06b01fe6347d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "355759748"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc000000000200000000001066000000010000200000001c3dfffe50fc919eb8ba69d4223dd360c6210cd35b2add828270cde803287bef000000000e8000000002000020000000c1ec5b9cf3011748a10d0eb06218edc797d0b4c31120a524ae96c7cdc6690b3290000000c3c05c96c57bc67f2c3fb02eb083300fc06fa378b57abc9a500a54de43cdb437a28f955258a5ea51a7661f6c83af99828204133f297119539f06ed3a67cc93074d1ea8d9b5e04392cc7cd653434e32a41688f83f4a2dfb585eab0067ec4dd4714cf19c788341363ae0b7003ffd8aa6b7b5763b6f7a8b1b7751798057107584bdb792479cc3e99aa5ea3b82c65c1303d6400000002f2e3106afbb19670d23f00d89eb5feaedab6214718242e03c61c453ab75afbc307a728751510ff2502959797c3fa929203c3c9fbd1635bc6695c455b6474543	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1280 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1732 iexplore.exe

pid	process
1732	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1280	AcroRd32.exe
1280	AcroRd32.exe
1280	AcroRd32.exe
1280	AcroRd32.exe
1732	iexplore.exe
1732	iexplore.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1280 wrote to memory of 1732	1280	AcroRd32.exe	iexplore.exe
PID 1280 wrote to memory of 1732	1280	AcroRd32.exe	iexplore.exe
PID 1280 wrote to memory of 1732	1280	AcroRd32.exe	iexplore.exe
PID 1280 wrote to memory of 1732	1280	AcroRd32.exe	iexplore.exe
PID 1732 wrote to memory of 1520	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1520	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1520	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1520	1732	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Spielen.und.entspannen_qd8g6vnSwTJAgYG.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/36HyG5W
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1d75c711bfb9b0535f5e6f5187b1318e

SHA1
a27009f93c37e79d7ecf8916a193725c81fd77b5

SHA256
9dca4aae8d5cb914401296e8cf0bf88c01fe7af87917890b0074b7a73d696e72

SHA512
927c3c6007015d3d27976da433ed265406ca09aa9e99765240661379ad48eb60e29f36bf1649b831e0b4fd5e983987f81759953acc5aed92c9142f0b91a8650c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
028785636bf7093ef1f1e2acafdaa25e

SHA1
db5961f4ba15dab0d78ad706783807cc5236add6

SHA256
db58be4cfbef180cb62391a2947dfaa0b6a953ecf6fe35f922b0403968bfef03

SHA512
9b74ed5293e3df2aca667478c48ab36b87975fd7c4948c6c482aae2da5e2d89fdeaea69e12dc77575e68cf41cdd8473fff08394b15e385280fe2bdc0571bf752

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1F326C3T.txt
Filesize
603B

MD5
969776b6b131969357bfb9610a4235fd

SHA1
5c0e4dd83239bf3bdb8f514f4e139bc1f447fae8

SHA256
4ab0b74724a7fea25e8fb8c378abf028353a51bf43ead43a51df42484026cbde

SHA512
08d4afff8a880cbdef16bbe52e826d62f70ec47ec6909df50cb7f78d79e6937fa8c992f043b2d31da7767a5eceb018b675da3104d79c05418f9ff31b3694ef55

Download Submit
memory/1280-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads