21d77f0a8ee870384b2f731d61cff76234e964a708cfbf032768ad5ef73d72e2

General

Target

Anexo_Registro-PEFIN-SERASA.dll
Size

1.0MB
MD5

c31baf4a8efca208382a4ba48542b4f1
SHA1

b51ca167cbb1350ed4a1d70843eae52876f3f0c9
SHA256

8f65dcdec1f883c5f7122bc11486637a428c9e308968558f4d86cb8b0243dcb2
SHA512

31ce3d77092ce5ea4085f649669b37e18bc3da3bfb60cf97fc1394428842ce3f93e2fc339947a6ba844cdebec7a996493d419266788c07a33070c7c0912e9408
SSDEEP

24576:unF21Q1dE4BcHDaAAxrPnLdgn4MR4vdcGpRBGTuwv91vCQrCEafeZH:E9z2VTuwvrvCQ2g

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1348 set thread context of 1444 1348 rundll32.exe svchost.exe

description	pid	process	target process
PID 1348 set thread context of 1444	1348	rundll32.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9056a3f0c403d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000014f8429b61777d478df9ad4b978be4590000000002000000000010660000000100002000000033a6f1ed876c04e8d8c80634faca06cfbd9606fd53f3cf8888882b59bc23b787000000000e80000000020000200000000c373b5aa3e4daeb004d12edde0c1c223356730b6743e5112c6212e525d61d5920010000e34781d7c90f4b3fb82756a09ceb43a34765542ece27379d645aae615d4dba6017557c6a2baf0a15483a1d1147ab2093a3a072375c124fa0155b00ed226fae54f18b3c77ecef41c199e46e139983ae126f816dbeed3bee2782f38762ec061be08e19e7bb3cae834a9fa368f609022ec9d98a49ed3cbe6ef256085ab5f82931b50d80df60f3ee4b85ae295b810ec8c581c6eae3d22999d63b3deb09787b2e80264fe17d17bd58eb6b9a2cd3cdb1b1f7161aa86bfd76c164803f2bcfa5d8e4477e366f42ad9b2071660b197be04ed7aefd911a925e60f9a66aef26e1f441ab12f983ce9575de9557c7ae3c17140a3796a7d26367284ee0d5823819e1b0c14954dbefef49215e8656b139635dbe0f9f1d0b3e2c39f2e94aac8f0652e3e3a9b3a947400000009e5995d7c31d091af566a37f55858c1467b098682328ae2b0e9be8f8bcaa2bdb499ad0f9da15ecdc8d5e07f9656f17e128d5cd3ef7ce62b0cf6c9310558fdacc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0867A831-6FB8-11ED-B25A-FE72C9E2D9C9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000014f8429b61777d478df9ad4b978be459000000000200000000001066000000010000200000005a95a23c6e9b283429035111a2f6c61744c1520d6cd48d70f2c12853f1630556000000000e8000000002000020000000a3879f4d092cd8c686fd97b4e33de00fabadcbb3dab95fa662f5dc31c163875020000000110030116a639d9a111a377d4d898156b129daa70a187b246925fe424a2b1f74400000000fbbbbee0f66ddb35054e710b056f60e469a0d020dbaadc42e4099d783bab215594610505b6a22b2f7032de9ec865d4626c539c8bd792c4449d70f0fb0d27960	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376472149"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1224 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1224 iexplore.exe
1224 iexplore.exe
1964 IEXPLORE.EXE
1964 IEXPLORE.EXE
1964 IEXPLORE.EXE
1964 IEXPLORE.EXE

pid	process
1224	iexplore.exe

pid	process
1224	iexplore.exe
1224	iexplore.exe
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

rundll32.exerundll32.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 1640 wrote to memory of 1348	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1348	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1348	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1348	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1348	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1348	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1348	1640	rundll32.exe	rundll32.exe
PID 1348 wrote to memory of 1444	1348	rundll32.exe	svchost.exe
PID 1348 wrote to memory of 1444	1348	rundll32.exe	svchost.exe
PID 1348 wrote to memory of 1444	1348	rundll32.exe	svchost.exe
PID 1348 wrote to memory of 1444	1348	rundll32.exe	svchost.exe
PID 1348 wrote to memory of 1444	1348	rundll32.exe	svchost.exe
PID 1348 wrote to memory of 1444	1348	rundll32.exe	svchost.exe
PID 1444 wrote to memory of 1224	1444	svchost.exe	iexplore.exe
PID 1444 wrote to memory of 1224	1444	svchost.exe	iexplore.exe
PID 1444 wrote to memory of 1224	1444	svchost.exe	iexplore.exe
PID 1444 wrote to memory of 1224	1444	svchost.exe	iexplore.exe
PID 1224 wrote to memory of 1964	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 1964	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 1964	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 1964	1224	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Anexo_Registro-PEFIN-SERASA.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Anexo_Registro-PEFIN-SERASA.dll,#1
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/pt_BR/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f990dd626743180f87e51d3adf4546c3

SHA1
cbe2db56f733e539b7afd8d44a82765bd228e5fe

SHA256
6f2637fa179eed45a2c0eba480db45bec610706a362440d2285e0d2017ae5f50

SHA512
f699c525d361e6a6cea5a21834bf4f9daeac0b6fa0d6931b3b2c73638b100f722305ab39c9c4187aaa937bf899c201318da117dda29f27ad5b92879a3008261a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
Filesize
5KB

MD5
0503caad09e4f52710347c8266906c88

SHA1
9c3c15d36d4c37fd8b5a6aee965d74c1edf4fb94

SHA256
45a5376364f99b723bdf3a3e7c9349e999b14aa851369fe3af9764bf380cd5cb

SHA512
1003ff79a2cdcd2f59ec302c506c44d8409bfe82c97de85d414d0b0af054a4c3b37b5f191effbd2027b005d180d70447fb3f868610397a64b8aaae98c076fe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.gif
Filesize
1KB

MD5
832e205e91f45001f3f82abebe0687a6

SHA1
5fe753f6287f386eb617b2b391ef5fdf1da3aa1e

SHA256
beb98d641323f3e577eab4d357d256c5c6d8e84f4ddad8555569c941ddf3703f

SHA512
b70b6f4da4bfb2ac6c3402971c0f729c2a7d08a6a9781f1fb575d64840c3080057770d8897cdb12f44a5c448abe90c6d3fb544d083e555ef9c8896c54ec2246a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WLFG7YPW.txt
Filesize
603B

MD5
6fd5128ebec5781adb27c99015c57ffd

SHA1
beaec8633e6df884dd7a1183c53beacd7a46c96e

SHA256
a174cb2cef740622bf4183c75684544e36747b723b1f7f2aef30792c607a3ce2

SHA512
aaca73ea1f4f941e0261e1732e6b59b81928b5d7142b99d98e6f086aa34f715a2454ec9d88f96f425477e29aa9d49ccc141363f0c08ff5445faae6ca83eefa9f

Download Submit
memory/1348-55-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1348-54-0x0000000000000000-mapping.dmp

Download
memory/1444-59-0x000000003C082744-mapping.dmp

Download
memory/1444-64-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/1444-60-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/1444-62-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/1444-58-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download
memory/1444-56-0x000000003C040000-0x000000003C09F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing