d6921c15f9b6a67d7a16763bf4c08e8cb3596ccd7cc40bd6ef23888cc703c2fd

General

Target

PDF EmbeddedFile HTML.pdf
Size

2KB
MD5

8cc13c9fbff51ca84c3c1c033c3718c6
SHA1

81a2357b761df7cc471c590683398d78d77b41f5
SHA256

73fb9d94156c360334fc28cfa1ab6639f4f5d1e675734f5f200ad028dc66007c
SHA512

e6549646f62894c108f5aa15da4eab7e0f0dc14dcc0917658f56e660661128298a62548edaefe94a3d27e1f53ffac7ed94c2d5f836f18dc4b4aae8dec4638a02

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A2C7301-BC17-11EC-850F-E6BBD082ACA2} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd400000000020000000000106600000001000020000000b1a538009bb6f46af8a3f5d31ab25fa9d68e4f997f4a7123bf580113f7b76501000000000e8000000002000020000000321485eb64b11c54e9283503fc4853ca346a19a8c76d8f5de6ceea783987db759000000072a074f8cbf9ee027fe7daa040408d5c81a01f4969069044d0686a23238cebc75413c88473d59bba7d16626cb341e093780bb04d592c68aa9ba44c23c5088c1f2e4ba166775819d27b48773e1a30d93c0c3edde39dc6080d01e31727efbde9cfb02445ff67d656bcbb74de555515722d91d285090bed692adf8160bad0942f47cd14f46c0a08cd1efd3a40ba5992c59b400000006622d7cf54e23e90173d1585afac11aa77e34f3c1ef5054394f58ff8e3a097ec77f065f0f9190d0e7eca4d7e935a51fdf23e6224aec63e76a69e4579e0947f8b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356721846"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd400000000020000000000106600000001000020000000fca20ea2e0d2ba1b7cef89476eafe6f1ead59f5e31700fe4920d492de816f8d1000000000e80000000020000200000006e963f97e83afbddae14e5a55a07433a702bd96b7954fcbffd4808f96f64cb232000000084fbb167f25b0c2660548c429643926bc82c028c3cd92de6f036db59ae4e793340000000507885f28119f40919a72a6111c174fec76f12e2028dd68c6a76129fa274b844f58252b48716d2dd0df63df06a23f05efc000a05e033238a7a47052541af2cfc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805c74242450d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1376 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid process

964 AcroRd32.exe
964 AcroRd32.exe
964 AcroRd32.exe
1376 iexplore.exe
1376 iexplore.exe
544 IEXPLORE.EXE
544 IEXPLORE.EXE
544 IEXPLORE.EXE
544 IEXPLORE.EXE

pid	process
1376	iexplore.exe

pid	process
964	AcroRd32.exe
964	AcroRd32.exe
964	AcroRd32.exe
1376	iexplore.exe
1376	iexplore.exe
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 964 wrote to memory of 1376	964	AcroRd32.exe	iexplore.exe
PID 964 wrote to memory of 1376	964	AcroRd32.exe	iexplore.exe
PID 964 wrote to memory of 1376	964	AcroRd32.exe	iexplore.exe
PID 964 wrote to memory of 1376	964	AcroRd32.exe	iexplore.exe
PID 1376 wrote to memory of 544	1376	iexplore.exe	IEXPLORE.EXE
PID 1376 wrote to memory of 544	1376	iexplore.exe	IEXPLORE.EXE
PID 1376 wrote to memory of 544	1376	iexplore.exe	IEXPLORE.EXE
PID 1376 wrote to memory of 544	1376	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PDF EmbeddedFile HTML.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\A9RA759.tmp\HTML Javascript obfuscated.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A9RA759.tmp\HTML Javascript obfuscated.html
Filesize
769B

MD5
6753e429e2a5fb32278e9614eadd3416

SHA1
4c64652ead8b010e94b267836bdf57b97fa52700

SHA256
b71ebf3c71bf7695e41f6a6a0498d651023c1dc705b6aa4b0fef1ae9bcfecf4d

SHA512
ce7d5ae038f39cd19f5bf9ee3a3ad095f3102b7277e65cf15cb99a93d8620a1e559418d823c4bc005b477dd5ea8b95d740697c7692077a4811e73c1d4245dc9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BZ8TBVE8.txt
Filesize
595B

MD5
99c185c447659404329dc5e1e7a2b449

SHA1
cca65fe1c745192dabb914972f28eeb6747bfa80

SHA256
883929a39aaa56dfe5fc8ca44822d1a6e37acb5e833e21de5ab1162d1677e392

SHA512
f4a51adf9f224194daf536a1e61f1271256e4ce0bdf20fb0213b133d3a86bb8e4601d2a859ecb37a2cb5e951faf3d8681211e471c04f423f18d28548ac118104

Download Submit
memory/964-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing