Analysis
-
max time kernel
128s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
11-01-2023 17:53
Behavioral task
behavioral1
Sample
Request_1-10_INV_236.pdf
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Request_1-10_INV_236.pdf
Resource
win10v2004-20220812-en
General
-
Target
Request_1-10_INV_236.pdf
-
Size
127KB
-
MD5
97d0e8f68b3f57d9a30fc01bb56da4ed
-
SHA1
6a7ed2bc017749e89ec78071140cf75d0cee47f9
-
SHA256
f12671f2c75f6775b37f4edb1f72bef6ead512102a9860be67cc0529971c72b4
-
SHA512
dd9fa6a1c854e420f99d28dd04f7c555003d75817fd00ab75bd331a9842a6d572d4f48a7d948e684b3c9b3414487c28222929bd5a1b4c9559da0eefc77ee1e62
-
SSDEEP
3072:431i8aurDTSoWqSHuov0kPp+eLRwikxFmaOKaUaUMC/uByslS:vG3SoWHRcw+elamrQ3MC/uQslS
Malware Config
Signatures
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 804667b9e525d901 iexplore.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED1C0F61-91D8-11ED-9201-42465D836E7B} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 1304 AcroRd32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exepid process 884 iexplore.exe 884 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
AcroRd32.exeiexplore.exeIEXPLORE.EXEpid process 1304 AcroRd32.exe 1304 AcroRd32.exe 1304 AcroRd32.exe 1304 AcroRd32.exe 884 iexplore.exe 884 iexplore.exe 1772 IEXPLORE.EXE 1772 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
AcroRd32.exeiexplore.exedescription pid process target process PID 1304 wrote to memory of 884 1304 AcroRd32.exe iexplore.exe PID 1304 wrote to memory of 884 1304 AcroRd32.exe iexplore.exe PID 1304 wrote to memory of 884 1304 AcroRd32.exe iexplore.exe PID 1304 wrote to memory of 884 1304 AcroRd32.exe iexplore.exe PID 884 wrote to memory of 1772 884 iexplore.exe IEXPLORE.EXE PID 884 wrote to memory of 1772 884 iexplore.exe IEXPLORE.EXE PID 884 wrote to memory of 1772 884 iexplore.exe IEXPLORE.EXE PID 884 wrote to memory of 1772 884 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Request_1-10_INV_236.pdf"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://firebasestorage.googleapis.com/v0/b/direct-topic-372419.appspot.com/o/pmdlvfW1wx%2Frequest_01-10_INV-282.zip?alt=media&token=91a0b8c3-a22d-441d-938c-cd97723f16e52⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1772
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\request_01-10_INV-282.zip.pc2n8t3.partialFilesize
310KB
MD51c75d3c92219370c1c9c26b447d38025
SHA1d96fd01510fd413caf8b352b1d886c2d7aa54c6e
SHA25645b9f455db544f13bdbbb69ee9b600545e8c2964dcc3ef097b435479cdaa1d03
SHA5121518473f418e47f1bbcbcb1773c6f3186a5c00a7b74cd01297abbec0e14b714031b862d7a9fd3b233d522f6f7208a2c8a5e1dedea3d07be974c278f44a4a2723
-
memory/1304-54-0x00000000762E1000-0x00000000762E3000-memory.dmpFilesize
8KB