a92cf86de1686ded14edc40d316a61817ee0e89cfb75dda175bc32c50aa7d62c

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 17:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Invoice 6002845UDOOPZE.pdf
Size

48KB
MD5

7793cc4248dab61ba2a4bc9dba8c2f4a
SHA1

13146493aab95d61d1a8edf3e10ca3e9627bc9ac
SHA256

a92cf86de1686ded14edc40d316a61817ee0e89cfb75dda175bc32c50aa7d62c
SHA512

b4b6f3abe70b7d07d4057293a090b907c0cdab00268aece025c83fb06b2f3b623e1b6baa878650088c401598d275b09201c0a7c05409a1089eca91d876d421a2
SSDEEP

768:ySIlnsVlp0uzf1WAUmRhlnuqi+jdhcdKrcYUg0uP0qXTDRNwewwpN0AZPo+yWY:SsZWihcqiShcdaX0IDdf1kcW

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1043619bd8f2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000024646220426658790efa22c5c88d14854a21cacd4a27156160f3813d9ee2f76a000000000e8000000002000020000000a8df97e3063555474a403fe54f27028137af55cb5f93a0e0572d813780d50608900000007c565dc7774b712f9ab6d5122929555307705829c5ccd8a71c9dd575eb117d57aef65e1140c6a70965cfa45864e666ae3519a460bf6f5cfd213758b5fcb8d99eb793febbd884827d12459d30a198b2244789375e630f002e19537defb19a4819187fa9d5c6e46d658e8cf2c424cc9644510cdb5926d1971bb43f1534468999a243f68bf59cc4f9a534d4687681f069194000000099ac83d4acc34cceda6f6233359f37043a41e48fde44bffa47014c633f3921cb0b72aad51edc4532f7c858e39445ee11208ac497f373c5bcbf51c1cccfb9e515	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000001cb4c63a87030b870157870dc5c7af22aabd572f986c029bed444438b50b5aab000000000e80000000020000200000002667dc4bc5791db4ce5676f6e0b98320a89debfd47db372b4988682af5feb6e120000000ec63b2126d05bedad4bf7a801d1728673add5f877943a6dd1add1245b67bd0a54000000090b124f605c471882dd4013760015b2634827e4d1b291c25af03d48830f908151c975eb34e926a95b3474f271eaf2179a8d7cd46dac776778c865826b5b87a87	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374611423"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B192D721-5ECB-11ED-B2BF-6651945CA213} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1356	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1356	iexplore.exe
1356	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1356	1944	AcroRd32.exe	27
PID 1944 wrote to memory of 1356	1944	AcroRd32.exe	27
PID 1944 wrote to memory of 1356	1944	AcroRd32.exe	27
PID 1944 wrote to memory of 1356	1944	AcroRd32.exe	27
PID 1356 wrote to memory of 1624	1356	iexplore.exe	29
PID 1356 wrote to memory of 1624	1356	iexplore.exe	29
PID 1356 wrote to memory of 1624	1356	iexplore.exe	29
PID 1356 wrote to memory of 1624	1356	iexplore.exe	29

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice 6002845UDOOPZE.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://cargopattern.shop/qset/cisco.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9b433bd5b5852ff9173d73e3dbf1826a

SHA1
885fa06f29a8b70f72699d767e9e18c83a88fa99

SHA256
66b21d412b4dd6d7c18f097c165363b7c37240fabc48f0eac546594534166b14

SHA512
ed213c4dfdd5b469e7716552a40059e0f3243048bdd7329f48254cfe29e79edf35fc2aaa09bff1afaea9337b10bd9ebc1945611a8e77b922010790fc7fe9c520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
21KB

MD5
6035ec1ed481af9e9e597402534c03ed

SHA1
c5fd9e96a805b36ead53c2ec57d2025f91d46337

SHA256
cc80d88c922ecc50b82d01bcf131ca2dccc5217c5f58e8c8b77c1a452a70cf96

SHA512
262a22bcad2644defe078ce6557bfc65a354aaf17e6a538f1e34576e1243fdcc32de60c3530269ef11d244f657e1dd8515580d9f745a9132415e533417103ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\13I48APK.txt

Filesize
608B

MD5
3793e0ff4eb878d602448708b15de78e

SHA1
00d00f8f6be52363aa8b81be13213f149fc3b9a7

SHA256
c5239cc694223979949963cb789e7459a4a39320b8f95e8f45f1ba9afa3d73ac

SHA512
d9b80f8d19ac70f6e07d253b34c6915fcf8627e87dded9fde86158d549610da2bcb32ace422f0692b74c952a0ed6343184bd2ac5adfac976b3c78375d99eb2b8

Download Submit
memory/1944-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download