13daae9ca92e8952feb254fc468bfa33b862d305be099c4f4ad5be3296358deb

General

Target

Notificacao-Detran.pdf
Size

119KB
MD5

f927ebf5e6be9feb237a672e90aca5f6
SHA1

b82500bd09a8784899a9e8a738ca789093869c9a
SHA256

13daae9ca92e8952feb254fc468bfa33b862d305be099c4f4ad5be3296358deb
SHA512

0dc93fd1033b5c4b97f7bf49ce00cc335217fc7c6d660515fa6aa51ddbf4cd2ff630eb62158b5246b75952ffa562b20c7c62df9de79cbb653957294778844e2d

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356714378"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c00000000020000000000106600000001000020000000af59bf448524ca1a5635eea42d1cae532438e64424da7b8a6f60b579aa3d3031000000000e8000000002000020000000c2c439bb1adf57502d13a913ec309a7c1408729c20ccc2b4ccc1511909e0a56a20000000c49cf971ee72cdfa083baef900be29f80b79e272eecb821a0465acddac063e35400000009a8a8ec77cfe5676fe181dd212b237cb98823ba474a0e65d8aad75e7c6d20db3c4ae15a43673eeef18909a1e45a048b36dbf81e4140733afe1c58c47c2a277c5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DDB9C341-BC05-11EC-BF55-4EE2981408BD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d34ebe1250d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ac970f6e21c8045b4ad45959768992c0000000002000000000010660000000100002000000034d72df0aebf134d558f5a3183d04f5c03bc9184d1d88e37bdd00a8b64bed4e5000000000e80000000020000200000008ce8484d8f30e369e3e316aab27a05dfc1c31c046639c0a0be189a141bac164a900000001b69e1863cc765d8a3d495395919e4f4ce3b63bcc3d48633b8bae50e611b606588baed30e83cf37a9dc6c4e94318f2caae8f9013ae3b4e689f7899cfa69d79b61f883e0e5456cb5f7965b69a9716732e27a941e74ac7f42dccaf1dddc43c6179559dffd86f989da3eea9175aabf5595fe80c22da8b3e2acc0ab1d34f35f8eb481d21d9a192c091c5e7700a8456b250854000000061b6b6d769a35c57ffc8c1699365889ffaa2ccbef292e5105012c081ea387721d541fcfe849771e8ce6eb4b804827ee3f339139dca9f52c637532aa43eb4ce87	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe

pid	process
2020	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1820	AcroRd32.exe
1820	AcroRd32.exe
1820	AcroRd32.exe
1820	AcroRd32.exe
2020	iexplore.exe
2020	iexplore.exe
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1820 wrote to memory of 2020	1820	AcroRd32.exe	iexplore.exe
PID 1820 wrote to memory of 2020	1820	AcroRd32.exe	iexplore.exe
PID 1820 wrote to memory of 2020	1820	AcroRd32.exe	iexplore.exe
PID 1820 wrote to memory of 2020	1820	AcroRd32.exe	iexplore.exe
PID 2020 wrote to memory of 1676	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1676	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1676	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1676	2020	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Notificacao-Detran.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://storage.googleapis.com/notificacao/Infracao.htm
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2d844d57a8d795841f895b1f8b7e2515

SHA1
cf49fdb9e0ca034f46e101a845a03d0ec4cf8f57

SHA256
eb6f4fad27887b737563c6e4aadd32813f8dff7a6e1940f1d68297abe3ef7139

SHA512
d266b22f7d2d9865aab48c9148adae9dc6c9b622f79ffc0de473ea916a8ec1a612e9ea1192e96bde87b7adf7e2f115c57e42e38a7de336b2c722aedf044ea7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\b1rou5u\imagestore.dat
Filesize
5KB

MD5
2654d67a127d00a52622f89fbd81365c

SHA1
63401f91926dd0afbbaf00b6eb4051cd2a6c84b4

SHA256
3ffac0df9eff922b91ca2a76d1fc84043bb3389e67f36e0d0d0310991fe91c1f

SHA512
f4e2e44e4cf5c5ebd38f0f53f722d96182b4f979d82660920d59423ae9817a6587a5d7701bbbe4eab20794741333e79c12ba2dfaf6307f813f1ccb57d495a72b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LUBOTI5H.txt
Filesize
607B

MD5
870deb17c1edb4e1c3a313feb750007c

SHA1
3776c83be5fc1162d79c53ea66686a3151237903

SHA256
327b6a91887a243edd2ac1d81a2fa02c87f46117b213777cdab5c7d4be00b879

SHA512
ecccf17ef69b299e249c6be5526ecf472f1f181dae67bf6e500ce8eacc93ab953fd070b67a64edca8503336aa47c32e6ad4a22cb67d06c7d342378d735b3014b

Download Submit
memory/1820-54-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads