970e824d2d6de840b0408008353e8190b3c9ea65611593f34dbda8810c767f7e

Analysis

max time kernel
117s
max time network
135s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/09/2022, 03:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VRFAVS02JADFSYP04_pdf.html
Size

102B
MD5

372fbd869903bf41bc892d715783ae8b
SHA1

56ec1889b796449d13b4d2040cec051ce07f90a3
SHA256

6916533072653305d17d18d8196f7dceadd8952e200319054ece51d4e394bdc3
SHA512

8955d789e9b130fdf987a02f48f581a4ec4068abf02fa3d26913eb61c4b45906a12607773d3c43bc63064cf1166177c466b2ec7939d235ac6aacd54f4a0d8198

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 6067ae237dcdd801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000b997a6cc8df423096f48c16b3969f4c3c0b1139c77c6f12b8578d7839a084ecf000000000e800000000200002000000062f7d72fb15d3de82a0cc00b3322c43c2b29325e8a50e435ae57e0133c62ce77200000005cf7879021711ad08ac1ced37abe9fb9b62540415ab9b2d221d169bb7cb49da04000000010b36c8888dc6aadaaab2597ff8b0d9b20ded9c8d2ad9965f44449535bc368bd3f6e1ff921b9efee465e69a66dd91520f1c5f8318e6a8b1a52fb0f5b5010d47a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000ed283cb7b7c383908432cce19ed954b36c680c6ab1f1fc9306155fe8b16d5381000000000e800000000200002000000024caa0d0f15a51682416dcf9ae1623fe8460b92a2eb9bebfc34f4c39aacb18a2900000006592864a2a2e45b9d665a3067a731a135435fedac45872e1fb2362e3c804d9e91aa1fd3041595e2673ebe766b36a366c4976505212bd9b43c35d334482c96f93ce01b6d74a9d27efb53450402d9a42c18ec8b6e186c17753d9ec48db838d8de6fcbbc98c4124634b9b848a309605b93d5dd2a2842729e59f54b0bf549b06cda8291a428fcc3b4423873eab6edfbcd5e5400000006f288a4a58a6c43e4d8b298397ebb427b9775837c314a57dfca8992a89a3c47706e1c77c96b71189619a664c3386ce2263a258cc8ea4a88f9563f453279d5e9c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370503998"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A043921-3970-11ED-9C90-C6457FCBF3CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0096c3307dcdd801	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1764	iexplore.exe
1764	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1764	iexplore.exe
1764	iexplore.exe
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1732	1764	iexplore.exe	27
PID 1764 wrote to memory of 1732	1764	iexplore.exe	27
PID 1764 wrote to memory of 1732	1764	iexplore.exe	27
PID 1764 wrote to memory of 1732	1764	iexplore.exe	27
PID 1764 wrote to memory of 832	1764	iexplore.exe	29
PID 1764 wrote to memory of 832	1764	iexplore.exe	29
PID 1764 wrote to memory of 832	1764	iexplore.exe	29

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\VRFAVS02JADFSYP04_pdf.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1732
- C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\VRFAVS02JADFSYP04.ISO"
  2⤵
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e1e8c0203ad050da86360eaf3359f48

SHA1
1ac074c36c5fd0ea9417fec20b6e1eb92ac3c35e

SHA256
b286a83e8ca8a57ca4b40cac185c0268ec4e66c2fe592a92969dd7ef2882fb44

SHA512
48542acdea120d0a541fcfda9214c07961669124691d1dc72becd7192997fbc07fcb57d34a131019f880c63607577f553dff57f5268f25e44d75082b36b512d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\VRFAVS02JADFSYP04.ISO.18f1f36.partial

Filesize
300.6MB

MD5
ab86b2a828271fae9eaf84df54355115

SHA1
97e96aa77af212484282c6d674bcf2e16bb9cf8d

SHA256
3df9e84055f4afff90bb1e40cf51d377bfbc950ca45093d77d881db146026ac7

SHA512
a229eac463fbb0f2cd90346ab728343877417c2700cd6afdbd5c130cfe4b1e943e85ce968f99304701ee555cbc288854ca38fb9b176ab7d205d590d960809eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TZGSSIS5.txt

Filesize
601B

MD5
f4ad0b722bc35f41bcc949e02d0e371f

SHA1
9e4c42593237e24adf1439d87dc254e89760727b

SHA256
2fde0dff726b33c34bbe85537f2a6392aafc5fb62bfab8774ed87abb73d8e7e6

SHA512
59d10bfca2bbe1afa55a5930cf22aefe6608f9b52c5c9c44607c6675f859485d92d32731ba91cfb31dbefb1cd75902f0a78de62bfd4402e4415395e595583965

Download Submit
memory/832-56-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads