d70bf028f9f573338769826fb39cc3b0d50119b32425c807b09c1cc6d507b56c

General

Target

DOC040720226860.pdf
Size

90KB
MD5

6971aa649ec13d96da8702bb478081c5
SHA1

03bee9254c821125a6c29b29a0dc6aef77c06605
SHA256

d70bf028f9f573338769826fb39cc3b0d50119b32425c807b09c1cc6d507b56c
SHA512

bffb8a9b4b5ab631f2ef9f1bdea12687df28e8a5a3e421c758b3367f744aa7235291a0a5c2c1479187a4ad4883c5a3ca00f9bca5351cde6e2edfd1d3658d6d6c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2c0bd9fd0fc1c4d8404f89f10ad210100000000020000000000106600000001000020000000e07e3f49169c794aff80526a517b2346bc343da4de2c677f68affb803b3842e6000000000e8000000002000020000000181e79d5c53f15c55a9e68cbf79ecfc1d8a521eb9790cd8c21835a05827a78a420000000eb74d13a12a440b1d78c91e831e010474e988ddebde6ca1afc71d4c0edc6ea0340000000843e803ab519dc8a7328314a0cd4d10f791f3a9f519f48f76c61ed73834c60d20d92a3c98c07b299a3c27f76002c85e400a00df1008fee8ab2530a548f5140b8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C85BD61-B793-11EC-9B5F-DE73391B6164} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356225334"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01e7718a04bd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f2c0bd9fd0fc1c4d8404f89f10ad210100000000020000000000106600000001000020000000a5a63b6ba64bb1378051f5d7e9ea714a5bf56ec1b9574d71807c4a5be66aa223000000000e800000000200002000000042a3e28faea945d0cf78cf46a81910de993ce23d7ea0c9d01a57742f03e2eafa900000008e350d1cd0ccb2a83fae97d64794f410211dcfadec75d55913912cade2d0479d513a70be12a72590d72ccb5e575b0e67048038eec2eaf16833c010924adda6bf9a9cef77a919e12e54d6b8018cc2607e79a9601148981c65e3bd90e662104554ad4c3e232752746cf002b42e78b8b3ea5a47fc29078cb7fd36d7a62b623f8440e59468f8fb0c364d873a6f86047c2fe34000000054faea366d3a03d8f64d2e00c8522772db23f88b92825f3eca0073b273f683c7c3592defcd406a313b8cd308a3eb7d4a3b268980f9a166874e933837ffe37794	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3422572840-2899912402-917774768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

760 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2024 iexplore.exe

pid	process
2024	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
760	AcroRd32.exe
760	AcroRd32.exe
760	AcroRd32.exe
760	AcroRd32.exe
2024	iexplore.exe
2024	iexplore.exe
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 760 wrote to memory of 2024	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 2024	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 2024	760	AcroRd32.exe	iexplore.exe
PID 760 wrote to memory of 2024	760	AcroRd32.exe	iexplore.exe
PID 2024 wrote to memory of 1952	2024	iexplore.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 1952	2024	iexplore.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 1952	2024	iexplore.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 1952	2024	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DOC040720226860.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ivcbdgrowers.com/AdobHtml/a/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EIEOK0EJ.txt
Filesize
595B

MD5
36427e51a8b5c9d6fb7a37060ed3dc4b

SHA1
1cd717217bcf5d52cd230d7d3526e82f784b0b60

SHA256
bca12521c9291ea632403c66c55e7461def1e2588aa347d802a1ca3bf04deb6d

SHA512
a4afbb84dfe247da84b6c690972f513d43c99d19f0999b35fd1019d7ee1f95961cf1514141a27e52f797453a000c807d8e654c7280b5515229f2e34bc47748fb

Download Submit
memory/760-54-0x00000000769E1000-0x00000000769E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads