21e1e8c2bca2388c0c7c606c0e3b4c65f24e71ca0b808150c5f0f4b6e5872114

General

Target

78866552249.pdf
Size

80KB
MD5

e43fa14ddb952e930eaf7b3a66e05d4f
SHA1

c297aba33e0417b01a0b2ec11055a6ce9d7dc8ff
SHA256

21e1e8c2bca2388c0c7c606c0e3b4c65f24e71ca0b808150c5f0f4b6e5872114
SHA512

8dab6e8ede7aaab841fcd5591c317e82db80bf58834758a61b62fccf812e2a837e0fc9d54fd0c3614abba33bfa84ece250c20115354440cbd477b2a5357de1f7
SSDEEP

1536:wwSk6sHkQBdbqz6tIYcv5disP1lPbEogm4eIWSzKzBzeBGcWwpOSHvS:AAkQPewIY6diS4Jm4eizKzNeBG7SK

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000b8b3b9835750f032bb96503c28ff3e3a248463d68eb644d63ea51a44368ff067000000000e8000000002000020000000a20595a465df2273ac93b1d9a54fdfa7aaf6f696c1514408a43000ed0cf3480d90000000c15863d0a40245002b5838061ddf609e7585a6a588e66307a2d9266b84b7d41b086dc8c2639359204128d677a339421d6e09173309957bf2a0a8b943b0d3b927e92a9b88252c29c690529958f3c170c53587a3374e7cbbe73c483d39335492043a51e94623c44a9305e63fbd4c40d476b6f87a6217cff23de92174bc09261588f5d389ffcf0448eaa67da7181d5f10fb40000000073fdb013f99b7e38c480f9608db517dae7ae87a20f4da5cc3d3f0968e66826e4064be4510cc70a3c67e6470e8fbfeb141f40ed8e95dca3d1782f340cd3e649b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7016ef310fddd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000003745ab5b3938e17f51c7e941e8532a3b58087047539d6cc3d759e9b1b5cae8a9000000000e80000000020000200000006ac57dc4bb7f8a882623a75b0355a396f7ef68f17d9ee00556098e0d9d48b84a200000009be43059eb91e6f53c96b1d3d43e2a8fb8252fc8571070e3bd6b3626f636122240000000661a823dfc2ff6bb088de3e698e513676bf613dcbd52e58f1eb3c3b13aa7bfd51cabd1c6f44f8efadb91d63af1a8803f6f70841e1ab18ab20a6da0185cf7fd74	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{576069E1-4902-11ED-954F-D29BCC0F3FEF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372215967"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1368 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

896 iexplore.exe

pid	process
896	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1368	AcroRd32.exe
1368	AcroRd32.exe
1368	AcroRd32.exe
1368	AcroRd32.exe
896	iexplore.exe
896	iexplore.exe
800	IEXPLORE.EXE
800	IEXPLORE.EXE
800	IEXPLORE.EXE
800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1368 wrote to memory of 896	1368	AcroRd32.exe	iexplore.exe
PID 1368 wrote to memory of 896	1368	AcroRd32.exe	iexplore.exe
PID 1368 wrote to memory of 896	1368	AcroRd32.exe	iexplore.exe
PID 1368 wrote to memory of 896	1368	AcroRd32.exe	iexplore.exe
PID 896 wrote to memory of 800	896	iexplore.exe	IEXPLORE.EXE
PID 896 wrote to memory of 800	896	iexplore.exe	IEXPLORE.EXE
PID 896 wrote to memory of 800	896	iexplore.exe	IEXPLORE.EXE
PID 896 wrote to memory of 800	896	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\78866552249.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://feedproxy.google.com/~r/skout/mBVl/~3/6naE_Nh8_CY/uplcv?utm_term=sonic+the+hedgehog+movie+coloring+pages+2020
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fa252ca4103db29d0a599338c2a54234

SHA1
f1d87a35bda8faf416bb92a25f3a607995a3c3df

SHA256
23e1b743317f746078a430e8854db3685ccf934a5dfb80c326e25b175128ae28

SHA512
8a3e76043946321d15b4d8c72ce699a860251bdc1da47dc8c2c798eb621af6dca4d3ca649cf558956c91b1d38f20b3696d0b41d504e1eff6417791bba9741202

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JDNJG65G.txt
Filesize
608B

MD5
991153cec045af93542138b059d70cc7

SHA1
cafcdba80f22959faa2786b84be4b696c7274fb1

SHA256
a58a50a79f35fd42d222055c51500cddcd51de04ec93ade367d800d8bf97e358

SHA512
14e6b4891bcedfef6b43c1767116ca0d9cd10d6b2a69909219c7a58f80f0df017c4ddacd4fb3287847f7dc6a062561461246ef34ae8913f2fb033ac0adbcba69

Download Submit
memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads