01ab479e899bc61c9b2fbc309a0b7e84762c0f47f679e96b5c67d56124f6ab6a

General

Target

Scan_46_INV_December_20-29.pdf
Size

129KB
MD5

80a27a9ca3fd024b3c3df8cfe83da184
SHA1

dfbe736c62d9fd9f52609168162ab2630991eaeb
SHA256

01ab479e899bc61c9b2fbc309a0b7e84762c0f47f679e96b5c67d56124f6ab6a
SHA512

e082d6db3308a79958b9e666f834d47ec745153129036dc8581f81caa74254081fb97b44399a7fba7d871ba78a5c770c46ac387fb60039138a1b8929b34d399f
SSDEEP

3072:ikzpgbYFXmQw6LQ2JNggY/sCrFFVT9z3flvqAjoZDySDKrng9V:NVhL5QgY/bd9z5YZbDKrng9V

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b0363571fe25d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380235235"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A73F78B1-91F1-11ED-8D6F-660C31E8D015} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1916 AcroRd32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1652 iexplore.exe
1652 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid process

1916 AcroRd32.exe
1916 AcroRd32.exe
1916 AcroRd32.exe
1916 AcroRd32.exe
1652 iexplore.exe
1652 iexplore.exe
1788 IEXPLORE.EXE
1788 IEXPLORE.EXE

pid	process
1916	AcroRd32.exe

pid	process
1652	iexplore.exe
1652	iexplore.exe

pid	process
1916	AcroRd32.exe
1916	AcroRd32.exe
1916	AcroRd32.exe
1916	AcroRd32.exe
1652	iexplore.exe
1652	iexplore.exe
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AcroRd32.exeiexplore.exe

description	pid	process	target process
PID 1916 wrote to memory of 1652	1916	AcroRd32.exe	iexplore.exe
PID 1916 wrote to memory of 1652	1916	AcroRd32.exe	iexplore.exe
PID 1916 wrote to memory of 1652	1916	AcroRd32.exe	iexplore.exe
PID 1916 wrote to memory of 1652	1916	AcroRd32.exe	iexplore.exe
PID 1652 wrote to memory of 1788	1652	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 1788	1652	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 1788	1652	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 1788	1652	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Scan_46_INV_December_20-29.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://firebasestorage.googleapis.com/v0/b/earnest-dogfish-371720.appspot.com/o/Naj4sa9RRa%2FINV_December-20-29_52_scan.zip?alt=media&token=dae649ca-d112-4061-b55d-0f8ca1369fd6
2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_INV_December-20-29_52_scan.zip\INV_December-20-29_52_scan.iso"
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
ca2586717f85006de8183ad2d0ede63f

SHA1
f4b625f5096bbd61827ed3ebb5b95c501c0ae5af

SHA256
882478cf20706f4f483284a8034fec0481e395deca614ca84b9577da591803b9

SHA512
823cc4d469dae97de9ba7f77d33865b58ebd9b2aa6045892b6e77c4e45746b9186b433a0eea57a7242e751c66127d1998e9b2f71b6e49cef7a50ad520686a794

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3BQ0IDZZ.txt
Filesize
608B

MD5
56bb9700364a7f0650ef07c2ea8f527a

SHA1
378feac25930fe262795a3f9fade385090e09773

SHA256
26810faec3c22ce3a239ac3ca34b0746608b20788dd186f8766e95527731e2c3

SHA512
5cb150e3554b146eb01ce63898b3f01822ff714a97880f41f44abe7616da1dbbce1687736ebeac48858dd974fbd57f1339c5834b8f83009c7abf2cf9204ce1d3

Download Submit
C:\Users\Admin\Downloads\INV_December-20-29_52_scan.zip.hjl6h3s.partial
Filesize
164KB

MD5
8c7e51f25d45b00f4ac5486d2f68fa5a

SHA1
dfd41d01799f15102cb8e584856f8858270335d3

SHA256
56dfc8dc5c9f04041c9f49ab22a025fb8afae4161f84fae8640c15fb3bbd5b30

SHA512
f4d09a641859adce42c955b82e755f49f1fc6283926db694c0b2ceadd0e3d9332a69a89e1a74eac3b7d6f265dbe43f0e139c24b2224c0c3468a5709c22957194

Download Submit
memory/1344-56-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/1916-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads