5138510ff06642265abd2971e581e7facbff28059577b87ebdb26560be0f402f

General

Target

Prepared DOC.pdf
Size

153KB
MD5

b9cac336efcf0fd240de8bbfff32f473
SHA1

7e6e59352697e5d74e114ff63570476d7a875f6d
SHA256

5138510ff06642265abd2971e581e7facbff28059577b87ebdb26560be0f402f
SHA512

e4fe1e491d156214f3b972c02f29e5d2c2a1fecf01b5bd916c01c9dd52717d0e70b4c90db4b4aa771d0cf3ccd43fb6d41aaead641ccd5cc2a333c5656511a0ed
SSDEEP

3072:5PhDP8velqthOuQOIiDL57e8yf0SZSGOxXczH5463SJjL2B4p:5GGUvQQL57e8yf0SZcRczHq8SJvfp

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000003e032fb1b7c19db43dad614372caec34286d8da0395391915ed119a5df9bd0e7000000000e80000000020000200000000d462e8e7e108ddce51ddac7f9551ad6052deff2f85af72fbb0260fea1ea0e5820000000746ff09db8ddbffd5e03d530f62a04cef5dcc1c2bd357f832a9551c09acda8c04000000010170117a0849562822078669c1f2fbbc786624802c2ad915621f0da88bc12ef567d3eae4d93c798bc0490b30e58e0b0fdf9a6b4ebc404f21fbf0c499207a978	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371798376"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000002b20f95d0bbdda2571b5e6a69ce19a7817ecc5b75481af242e1606aa3855f7ac000000000e800000000200002000000036ecd302d15596aaaf1573b5a1df3087334ab4c44877d8837714a363ec738fa5900000001a3a3d94d966bbfccf0d383edcf703ad7ae82e4509c6d98579aa0a399de6afc9330f1c962a43a7cdab25858748f4d37efd592b928f5c533fc65b6e41cddff20342b3a6571bfd74254fb34620610a19412973a9fe26a8351f2ad2bc755a2c4121771fb200821b83584937716bcdbb55985ffc013f93d031450a3cdaada3d0f35afb9e0089f8b69dacd34209e9641df3f640000000b50568eed4066238d4576299e4d62d266cb72e7379bcb87b78f8b8147c11830bf75208f278ee6830e455170c43a711338a3e2f66473cbb2fb06aac3ac45a82e3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F971ED1-4536-11ED-A20B-4279513DF160} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0028b1e942d9d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1696 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

584 iexplore.exe

pid	process
584	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1696	AcroRd32.exe
1696	AcroRd32.exe
1696	AcroRd32.exe
1696	AcroRd32.exe
584	iexplore.exe
584	iexplore.exe
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1696 wrote to memory of 584	1696	AcroRd32.exe	iexplore.exe
PID 1696 wrote to memory of 584	1696	AcroRd32.exe	iexplore.exe
PID 1696 wrote to memory of 584	1696	AcroRd32.exe	iexplore.exe
PID 1696 wrote to memory of 584	1696	AcroRd32.exe	iexplore.exe
PID 584 wrote to memory of 1764	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1764	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1764	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1764	584	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Prepared DOC.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://vasf.net/wp-content/themes/payam/detos.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TK5X8A0B.txt
Filesize
608B

MD5
ee4af77fb167b83b6a8eb7f1fc2c21dc

SHA1
92ae78e66b2e78063cfd8fbb2efaa542095d544d

SHA256
55c00ea52cf47370a6698fa389753385c65873aae3af3b1d2201c878e5b940f0

SHA512
a1b0da2165c759d840287e4149ce3f6ae97bcb158765b68dea8ef9487c1ed55ea4b28a357cc87c068334e543b219ea394568d215ee20cfa9b0d91aaa6d5c86d4

Download Submit
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads