Analysis
-
max time kernel
1632s -
max time network
1635s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11-01-2023 19:50
Behavioral task
behavioral1
Sample
Scan_46_INV_December_20-29.pdf
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Scan_46_INV_December_20-29.pdf
Resource
win10v2004-20221111-en
General
-
Target
Scan_46_INV_December_20-29.pdf
-
Size
129KB
-
MD5
80a27a9ca3fd024b3c3df8cfe83da184
-
SHA1
dfbe736c62d9fd9f52609168162ab2630991eaeb
-
SHA256
01ab479e899bc61c9b2fbc309a0b7e84762c0f47f679e96b5c67d56124f6ab6a
-
SHA512
e082d6db3308a79958b9e666f834d47ec745153129036dc8581f81caa74254081fb97b44399a7fba7d871ba78a5c770c46ac387fb60039138a1b8929b34d399f
-
SSDEEP
3072:ikzpgbYFXmQw6LQ2JNggY/sCrFFVT9z3flvqAjoZDySDKrng9V:NVhL5QgY/bd9z5YZbDKrng9V
Malware Config
Signatures
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b0363571fe25d901 iexplore.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380235235" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A73F78B1-91F1-11ED-8D6F-660C31E8D015} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 1916 AcroRd32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exepid process 1652 iexplore.exe 1652 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
AcroRd32.exeiexplore.exeIEXPLORE.EXEpid process 1916 AcroRd32.exe 1916 AcroRd32.exe 1916 AcroRd32.exe 1916 AcroRd32.exe 1652 iexplore.exe 1652 iexplore.exe 1788 IEXPLORE.EXE 1788 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
AcroRd32.exeiexplore.exedescription pid process target process PID 1916 wrote to memory of 1652 1916 AcroRd32.exe iexplore.exe PID 1916 wrote to memory of 1652 1916 AcroRd32.exe iexplore.exe PID 1916 wrote to memory of 1652 1916 AcroRd32.exe iexplore.exe PID 1916 wrote to memory of 1652 1916 AcroRd32.exe iexplore.exe PID 1652 wrote to memory of 1788 1652 iexplore.exe IEXPLORE.EXE PID 1652 wrote to memory of 1788 1652 iexplore.exe IEXPLORE.EXE PID 1652 wrote to memory of 1788 1652 iexplore.exe IEXPLORE.EXE PID 1652 wrote to memory of 1788 1652 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Scan_46_INV_December_20-29.pdf"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://firebasestorage.googleapis.com/v0/b/earnest-dogfish-371720.appspot.com/o/Naj4sa9RRa%2FINV_December-20-29_52_scan.zip?alt=media&token=dae649ca-d112-4061-b55d-0f8ca1369fd62⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1788
-
C:\Windows\System32\isoburn.exe"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_INV_December-20-29_52_scan.zip\INV_December-20-29_52_scan.iso"1⤵PID:1344
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
340B
MD5ca2586717f85006de8183ad2d0ede63f
SHA1f4b625f5096bbd61827ed3ebb5b95c501c0ae5af
SHA256882478cf20706f4f483284a8034fec0481e395deca614ca84b9577da591803b9
SHA512823cc4d469dae97de9ba7f77d33865b58ebd9b2aa6045892b6e77c4e45746b9186b433a0eea57a7242e751c66127d1998e9b2f71b6e49cef7a50ad520686a794
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3BQ0IDZZ.txtFilesize
608B
MD556bb9700364a7f0650ef07c2ea8f527a
SHA1378feac25930fe262795a3f9fade385090e09773
SHA25626810faec3c22ce3a239ac3ca34b0746608b20788dd186f8766e95527731e2c3
SHA5125cb150e3554b146eb01ce63898b3f01822ff714a97880f41f44abe7616da1dbbce1687736ebeac48858dd974fbd57f1339c5834b8f83009c7abf2cf9204ce1d3
-
C:\Users\Admin\Downloads\INV_December-20-29_52_scan.zip.hjl6h3s.partialFilesize
164KB
MD58c7e51f25d45b00f4ac5486d2f68fa5a
SHA1dfd41d01799f15102cb8e584856f8858270335d3
SHA25656dfc8dc5c9f04041c9f49ab22a025fb8afae4161f84fae8640c15fb3bbd5b30
SHA512f4d09a641859adce42c955b82e755f49f1fc6283926db694c0b2ceadd0e3d9332a69a89e1a74eac3b7d6f265dbe43f0e139c24b2224c0c3468a5709c22957194
-
memory/1344-56-0x000007FEFB901000-0x000007FEFB903000-memory.dmpFilesize
8KB
-
memory/1916-54-0x0000000075C51000-0x0000000075C53000-memory.dmpFilesize
8KB