ca5c170acb6c302f880e2d403306effb3cfc39d2d21cbba2a786d261bef391d5

General

Target

s62b96u4aw8..pdf
Size

113KB
MD5

1abde47738b218dd52056c1de16c8c80
SHA1

1b003212c92d419aaa36380b555eb508735ec056
SHA256

ca5c170acb6c302f880e2d403306effb3cfc39d2d21cbba2a786d261bef391d5
SHA512

d0626b30bd42de780f0b703af484cc13b42bce1ce0be42cf2becfdc18b7b3ef416680147aab7df29ad6a29d47e9246299a74363a2ba992ebc96e88caf17d499c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{057F1621-B9B6-11EC-ACF2-E6E0E85785DC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356460175"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c000000000200000000001066000000010000200000006e5a0789ba29bdac85a25b6ce3d823f3f8665d99d9f8abae2e389d4cd86bf3e3000000000e8000000002000020000000478a36581c4d4d127081ce301a702070624cf8b3443d3a540982aa1863b57d8c200000005b47ad0627318aa042329aee79cc4a45f43f92a4eb05ab5bde9cddc09c7cd95f400000001173c5783ba1443c61a7d5ea9becebbcc1b9d4f7ad11898adb7c188dba3bad3772df17664ce654f333712b4b68b034c58fd820ec99a0e772152a3d16d981e975	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c000000000200000000001066000000010000200000003452e04e0b6375bcc694e3d48e682b2ae1748702b669186e6ebcdf670a3e7dfc000000000e80000000020000200000003d2245c8383b0c980cdf9591b27c5ced63a6b6ad5b29fd9cc4c25df93fcb668d900000002e84c12e01b7aefa4d71ae2c3c6a96b97f47322c716fce25ed1f7561e1fa7495282e6ef016c0bd825014faac64c4c5ef2a07a835a06b7fe0743b491e456a13745027305c2bda43951d67b9ac11e8e8355d253556bd75a298cfd3c0405c95f20f69c322fe822fa3099c8f1b9b23c7a9c559595bc744ff3e80ac574f6cebfc77023cd12dcaecc66a5eefd65afc4e34217740000000cd30dcb42749692f08e714f0e4bac5a879f997fac5b38fbda25158280e8da6778cfbbafb3ded8d056e6f16f8c3db8a77e4266d9dbadd5b5985e8941efc7e4a93	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06a33cec24dd801	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1396 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1236 iexplore.exe

pid	process
1236	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1396	AcroRd32.exe
1396	AcroRd32.exe
1396	AcroRd32.exe
1396	AcroRd32.exe
1236	iexplore.exe
1236	iexplore.exe
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1396 wrote to memory of 1236	1396	AcroRd32.exe	iexplore.exe
PID 1396 wrote to memory of 1236	1396	AcroRd32.exe	iexplore.exe
PID 1396 wrote to memory of 1236	1396	AcroRd32.exe	iexplore.exe
PID 1396 wrote to memory of 1236	1396	AcroRd32.exe	iexplore.exe
PID 1236 wrote to memory of 1772	1236	iexplore.exe	IEXPLORE.EXE
PID 1236 wrote to memory of 1772	1236	iexplore.exe	IEXPLORE.EXE
PID 1236 wrote to memory of 1772	1236	iexplore.exe	IEXPLORE.EXE
PID 1236 wrote to memory of 1772	1236	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\s62b96u4aw8..pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/3KpkBZI
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
535659415a8673dfb4238673666652de

SHA1
a828af1eee6e6c50d3c07a8fd80e9d3d89f17bce

SHA256
9273bc67c2e3067d526b58bde3eb56c408da6246f1e185529d4b0683ae0f14b0

SHA512
e553f76436ae255939e5fa7b3e61f0651a49e680e1187a02a004704223c4e9b5bcdf0faef3c13d369f6cad682777c488287e19d29971d231b206d498f30e7d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0e2621d3510c6da7394fda8c26d6d760

SHA1
f2351a4f74cfa67d3c8798590a3373f759b50cd5

SHA256
b57ddd36aefde98fe713af7ded7674cf9dc6db8be0b53e1d44c111bb19fd8d58

SHA512
d839140eb45ac1bcb62f6d2d46d904416bf668c5800abeef5d94b2d28793eb6c0a976e5c412c6883ef11650da7eec145d38930d0bc006430d06840c1cd0c23c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3J94RL27.txt
Filesize
608B

MD5
02c64742eab0e3e921069d09a50f951a

SHA1
43bf144261620f327e25fdb955e2be0b0c10355e

SHA256
44c531a2c7ed6a6b739d319fdd16687f95cf3992640a75597bb8ac9723512928

SHA512
be45ecf0673558529d2372e5221f38b3e2a4ea21127d3baabf7e614240a87370b922e28fa99ce63c03001470d920dd9f930073d4fc3a7271539ccafbe407fe32

Download Submit
memory/1396-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads