5c9911e58a54b679af77b96212a791447a31374faccc2d2e314beb31687f4d72

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/10/2022, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c9911e58a54b679af77b96212a791447a31374faccc2d2e314beb31687f4d72.pdf
Size

123KB
MD5

3281ce2c486f7462c79fa207706694cf
SHA1

bfb01a943541e973ec4a37b3b42ea4d8e7550efe
SHA256

5c9911e58a54b679af77b96212a791447a31374faccc2d2e314beb31687f4d72
SHA512

9110f4b32abc9ed7b12d291b9dab29ccfb903daac6d6509fa809f54fc600e593c1498506d4687307729f64ed87a73fbb148dff5fb95d8db51e9b6604e0a7451d
SSDEEP

1536:a680m3GtfiWmX2RgBkLZavodSVBJ3M37XMOANB77cF5bnCem7sRtMTLCkRmZ:Y0jIkUTVb3M3TNwE5DCemoGGku

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\hcaptcha.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000003ee022666020ff6e1ed413dbed72fa896f5541ac071e099b75033bd10a347d91000000000e80000000020000200000005dc53e81cf52ba8f24ee0ea78ac3d79bf54d9ae7a9a2383f615dba79e435f0e62000000036391b9aa5e2b0064748a0f483a06d12793c85d1f3e90495c2a258bb323592c740000000c11a0babb0954ace453393a387cc995bb1b94d6cbba9b06de7564a2e51c5599ce393644ebdf41cadc7ccf6317b816abdfedeeca2261845f5b7ebd70079835e9c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000582a239ecfaf9ea150df641aaea7a647b654ed03e491a2ed1696b2316bb6cfb0000000000e8000000002000020000000fbc0879b20dccc665c751441cca7957897f2186d52c77deed45defc70c556355900000002f60ff4f85ff555007c07383c96b8f0b25eb0212bc79c45a482872c9678a02b565f38715373dd1c3eaae30aeebc813e10f4902a2b224d3edf3d548d30e53f28694810627f28fd3443a4982ce5042563577a8dff7588e75c68ad3d8fff447f7c451bc77895eaf9df98c46902f54121d54e24f3727f9949b62ce26b95c0a7756dcbee358bdb6a7753843fa66d1390bf64e40000000b280313e01df2baf5443064764c45d4b6655b3b5b62d85bd6665c681d850d37c8ba4f1e64f82c11cf8bea9cc54393646a5884ae08f73d76fd114b8dedaebb605	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f1ae481fead801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\hcaptcha.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373652242"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D636D11-5612-11ED-965B-E20468906380} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1572	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1968	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1572	AcroRd32.exe
1572	AcroRd32.exe
1572	AcroRd32.exe
1572	AcroRd32.exe
1968	iexplore.exe
1968	iexplore.exe
892	IEXPLORE.EXE
892	IEXPLORE.EXE
892	IEXPLORE.EXE
892	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1968	1572	AcroRd32.exe	27
PID 1572 wrote to memory of 1968	1572	AcroRd32.exe	27
PID 1572 wrote to memory of 1968	1572	AcroRd32.exe	27
PID 1572 wrote to memory of 1968	1572	AcroRd32.exe	27
PID 1968 wrote to memory of 892	1968	iexplore.exe	29
PID 1968 wrote to memory of 892	1968	iexplore.exe	29
PID 1968 wrote to memory of 892	1968	iexplore.exe	29
PID 1968 wrote to memory of 892	1968	iexplore.exe	29

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\5c9911e58a54b679af77b96212a791447a31374faccc2d2e314beb31687f4d72.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://evacdir.com/asks/bobo.grillparzer?TWljcm9wcm9jZXNzb3IgQW5kIEludGVyZmFjaW5nIEJ5IERvdWdsYXMgViBIYWxsIEZyZWUgRWJvb2sgRG93bmxvYWQTWl=crackling.inventing&retracts=sternly.ZG93bmxvYWR8OUxjY0dKbGMzeDhNVFkxTkRrNE9URTJNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
697ec2490d523f92596e4116a057e44c

SHA1
392aa141a0935545f894b00f8954251541b508e9

SHA256
2c20ebd50b97326d4dca9557fc8eece1bcb1a20fd7c26f92d2fe3400f8581bae

SHA512
da34d98c0594fd660d022d0d0daafe0d1ac201be7ad9187e000062f4db1e129f0c54081144cce07ebbc447cb0956af2971a75f4078fae1917ac97e81fd6e876d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5LL2U13M.txt

Filesize
603B

MD5
6130d2988792942855ce2215db084fda

SHA1
ca22ca7b8e7ea9af819e863693b8f5806fe99960

SHA256
d5e33cdd040341ec56f363e43c3c2023d3c40e53649cd22c50155a1dc5ecafd5

SHA512
e3216b98d7819faee1f6af34a3176e5f7a4dbbe28644adc26d3c078df43b1ccbde4bc6a56506a7b5d8595fd4925cb929096a4e946978ac9fd5974f9281c1d373

Download Submit
memory/1572-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download