3a264b771372b9547f31dc1cb8b370a014610583dbc2c7a5b675f2775f563b95

General

Target

PORCELANOSA Grupo Shared New Fax Documents With You.pdf
Size

85KB
MD5

1195f9ee2f39c2aaef05e888a6ccf322
SHA1

a3716b622ace35b718caded71fbb62d473a4a55a
SHA256

3a264b771372b9547f31dc1cb8b370a014610583dbc2c7a5b675f2775f563b95
SHA512

1c6609f1bbf69fcf434d2643e86a558672a99de9e578ec0852e2dbfb22fa1f736ab1f64d4ebde09e375f628c22fe42200e04c4aa8c247fd1ee6c4fa51f20dff9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2c0bd9fd0fc1c4d8404f89f10ad210100000000020000000000106600000001000020000000b5a12e1a6b1a0cfb10a844986d49af22fb1d8fa02b06801ac9e32290822f601e000000000e80000000020000200000006b762b7c260878ea93e1870c16b674a0c1696d0112767066e9a627f0cf9cc9bc20000000e69c24e53d73dd67003401dbb86e331b5e198f1dbacc04ada5d74ba8053c57304000000009d361b07aaa76b3b74d874fe5bb9a6f0b10a610e915e02590361a9d0fb60417d6fb7bc895c5c296c6a17e436614a16ee07c27cf8114d3d443d6fc71033eedb4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB7B3A21-B698-11EC-8AC2-C6BE2B78949C} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2c0bd9fd0fc1c4d8404f89f10ad210100000000020000000000106600000001000020000000f78b8673440ac02ae2ca99c5b1df126d571063c1c4d1f2c71d7c1e1454290fe9000000000e8000000002000020000000de572fa6db5b9a35f9ffa3c64eb2d59858e7771f1886f67dfad62ba42a34efd990000000e682cc4414ca23c5078fab693c919fc753a7a606fd378844cc305a41899d6f1772607939ac6a875c75ff543fbc485beb896c42429fe31aa6fb42488e5287278ff58713c51782c73d5d638f9a3b45108441cdb5b4a53679336679f0e316aecf1b8394b245ae249f872a8037a0d34217452d738b9e66f053c5e81e8b03f1e439467dfcddf004bd6c72ccca5ffefc0ca70a40000000f3b38778fc83bbaabf0262014425e052dbaadcb5053efa2400da02642b005900ef72b4882542c40931a523f49a38dd45e54ed602863045f0f3bef076e5a3a9bc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356117857"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d5a2e6a54ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

IEXPLORE.EXEAcroRd32.exe

pid process

468 IEXPLORE.EXE
1968 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1680 iexplore.exe

pid	process
468	IEXPLORE.EXE
1968	AcroRd32.exe

pid	process
1680	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1968	AcroRd32.exe
1968	AcroRd32.exe
1968	AcroRd32.exe
1968	AcroRd32.exe
1680	iexplore.exe
1680	iexplore.exe
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE
468	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1968 wrote to memory of 1680	1968	AcroRd32.exe	iexplore.exe
PID 1968 wrote to memory of 1680	1968	AcroRd32.exe	iexplore.exe
PID 1968 wrote to memory of 1680	1968	AcroRd32.exe	iexplore.exe
PID 1968 wrote to memory of 1680	1968	AcroRd32.exe	iexplore.exe
PID 1680 wrote to memory of 468	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 468	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 468	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 468	1680	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PORCELANOSA Grupo Shared New Fax Documents With You.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://laced-false-tibia.glitch.me/offcsmail.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7e16d7264cb988bb0af8da8440613215

SHA1
6081d79a0df8ebcca751c94a322302147ade84ab

SHA256
e24a19d3b0cfc5f07c246eeb01ea20e3b0a6e80b481fec534b3354ec1ec9ac14

SHA512
d40def28118054620a19077f453374c64f42ca4daca3a55d5c8d59ebafc8550f2112d11207baeb62c0fcfc03e97cf277fa7209d4dcd7cb9971d367ae3cc61124

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UW0DJ261.txt
Filesize
608B

MD5
ce283a6dfc4d2ba2916f6bf40a5a263e

SHA1
342b4f7aef26719227e819b54cd21de4013e0a94

SHA256
283e6019bc25d95d856fc6090a3cc488ecea34d363eeadd150914dfd5b1fdee9

SHA512
b68466fdc8171365f88f7f5b56fc6698929afe4adab6c023330a2173073f7000d956ef6adf362b2f1042a5adeed6652b11c143a0fd4b48c12a3b9cf573f3cd80

Download Submit
memory/1968-54-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads