54e6d9edfc464897c5a761bbab53ad6b7d2a881df2e4a13fb119578ab89b85bd

General

Target

Quotation.pdf
Size

114KB
MD5

abaf0b1f64bb5b4a2317839e3b704491
SHA1

b39cc0e36b004c4c7d7e0865870dbcf141619354
SHA256

54e6d9edfc464897c5a761bbab53ad6b7d2a881df2e4a13fb119578ab89b85bd
SHA512

1ba0cf66c466a0d2a7293db4990592fce74e6283f160f4ec4cd8fcf503c7abd8540b1ca4e327e692f0a1b9be7b05bc9f5b5cf425d2802b758e5dc98cb7717cd8
SSDEEP

3072:vgN6/rdYCDt72mDlgwRyBq0rrxNBBo1Va:vgN6jtJ7HZgFJHBq10

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372414382"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4FA4C9B1-4AD0-11ED-991C-C6F54D7498C3} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5097b12addded801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000069004a7c0387ab0b2134597f10334c67314a31a072a7356dc4177edc082ef0c2000000000e800000000200002000000026acbdd4192eafa1546d514dcf0c88501b173736c4615e0ff1f811f3f27cccad90000000c78d208788c522ff97d1010ace2e68aa4a91ca6cd9f60efb9f0599f0b91c7ac8c021a029c3cef8a6e530862e9aface2eacc96c6a9ef99bd6ea20ad948e9e34507558578f7401a90dfb267d3ae2759285919d137739bcca190db91ed26d5fdb5f3e66243f7733e065c75211b8b22596aaac26cdb204b0b198609baee0f3b8b991caf927720b9441b9c6c83b8aeecf946a400000004abe386bc1cc61a3ce28299e7933ebb1110466652c25db46a22d440ed25b1dcd4cbf0b9a180ecf0487747235ee6d71c9f740b884343ea26fb5b34f0e7860651c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000008042fc3f3711fa6f76eecf5cec6146e31d038293368ce34c73493906f6cbbcb1000000000e800000000200002000000046283e4d02b4104a2d0a973eb30dea86b2eafc844deeda22003cf4a469c9204d20000000f3f6a414707599310373bccda3754569326a6716698473ade9b7a9d99a4c644d4000000012eee5146dcfd88e3ebd7fe88f0060a2fabf6fd7a886377a53fb39cb89726fbb4bd4e8c853f588b8925759903a2e5e2782fa63d1802de974b43ed5f9de032482	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

832 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1336 iexplore.exe

pid	process
1336	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
832	AcroRd32.exe
832	AcroRd32.exe
832	AcroRd32.exe
832	AcroRd32.exe
1336	iexplore.exe
1336	iexplore.exe
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 832 wrote to memory of 1336	832	AcroRd32.exe	iexplore.exe
PID 832 wrote to memory of 1336	832	AcroRd32.exe	iexplore.exe
PID 832 wrote to memory of 1336	832	AcroRd32.exe	iexplore.exe
PID 832 wrote to memory of 1336	832	AcroRd32.exe	iexplore.exe
PID 1336 wrote to memory of 1984	1336	iexplore.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 1984	1336	iexplore.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 1984	1336	iexplore.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 1984	1336	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Quotation.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://m.addthis.com/live/redirect/?url=https://storageapi.fleek.co/2ee61029-ea2e-45b4-9c41-a7327b42a611-bucket/onedrive/snow222/snow33onedrive/adobefinal/eadobefinal.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
f4d44d96a4fa366491fc60b530371483

SHA1
f6a5bb0f1e2891d7c917a061cd2f4058372908c1

SHA256
102d6967459dd230606d0954244abd8062e1ecdf175fbd1a3de265e1939b2840

SHA512
08a44e787aac1b972a4be9a592c7db96d405893dd581130ed39402ea483165dbafbd97f951526ba9e019f34d9b4962f38724cb02b1fc6c7dd692cf166704fed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RC8MJNNZ.txt
Filesize
598B

MD5
3ceb82065350d3321665f09420223fa7

SHA1
f59ede25c43173a574fe92ffe47a28d7baac3c0a

SHA256
caa947bb9af2b07bce92bd24f1dcb6fcdb12f5f682d6744a0dcf675d8ec05c83

SHA512
7da0588b3fdb0d6b0867ece9d47a73e1c6614c861db9cf3e91f9b7472e3111632700bae94a06f59818634caf6d38dd6eaf343ae6a3b4e5303978c265ee382c57

Download Submit
memory/832-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads