b8f71c71da3231d6bcd466c1646784a3aa67b67e2720575d7fba14cfe53bcf44

Analysis

max time kernel
38s
max time network
46s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qfou.pdf
Size

57KB
MD5

22a8687f1e3f486817de90cc2bd1cd6f
SHA1

58310d22240372d8c77871ffc3919ca04e08a99b
SHA256

b8f71c71da3231d6bcd466c1646784a3aa67b67e2720575d7fba14cfe53bcf44
SHA512

57944b0883da153d21c8cc9d112bbe748616b6e348706587626673e036ab8b80d738ab0a6e5fde2ac88f8f35c0306e21e4654ad807203b319c91d86c4003d5f2
SSDEEP

1536:FY3Ebu3VwzXwdQtCKfOoQ10llsLJaIkUVFLS:FY3EykmQYCOoQ10leo6FLS

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E709E5D1-FCC0-11EE-8466-6E6327E9C5D7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2124	iexplore.exe
564	msdt.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
2124	iexplore.exe
2124	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2124	1652	AcroRd32.exe	28
PID 1652 wrote to memory of 2124	1652	AcroRd32.exe	28
PID 1652 wrote to memory of 2124	1652	AcroRd32.exe	28
PID 1652 wrote to memory of 2124	1652	AcroRd32.exe	28
PID 2124 wrote to memory of 2740	2124	iexplore.exe	30
PID 2124 wrote to memory of 2740	2124	iexplore.exe	30
PID 2124 wrote to memory of 2740	2124	iexplore.exe	30
PID 2124 wrote to memory of 2740	2124	iexplore.exe	30
PID 2740 wrote to memory of 564	2740	IEXPLORE.EXE	34
PID 2740 wrote to memory of 564	2740	IEXPLORE.EXE	34
PID 2740 wrote to memory of 564	2740	IEXPLORE.EXE	34
PID 2740 wrote to memory of 564	2740	IEXPLORE.EXE	34

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\qfou.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://dabniac.com/dsfklkgfd54gfd/gfd465gfd/gfd465vbc23gfd/465hgf6h/hgf456vnbvhf
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\msdt.exe
      -modal 262298 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFEFEA.tmp -ep NetworkDiagnosticsWeb
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:564

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0785f6a97144c3fd346a4717cbde4191

SHA1
bc845f8f1509f1264b314670a9b4272c20c29d4e

SHA256
9da31ed92dc27d025c32814de94989a2ce928d7bf681cd9865694cf8753dc1c4

SHA512
b494e2e98769e482f3f04ec7e394ff5e88b09904e8abeec4d83312f50759e95d15d1db86f2bab628fbe5b6fc511e40dfff990b663faf847332fc1334fcb32935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd3c42d41f306b5e4e55e8d0a52cae2f

SHA1
acf56567a7967dab30b14db860d893d3588a1563

SHA256
d56dbd948a14fc98d5a3b2f6a9ebd4c4b70a8f0a2b5ccac06b681fa8cb6c774a

SHA512
6788c61e474885b25dc165f93cf61ee0aee945fab93722029dc657eeb83b5a2fa6d0c128464d1f5b0af388b6fe1ba886462056e1e9ec714452b35527d87da7e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03afb2881bd1ab62888b82bd76658f1e

SHA1
7e2222b03189a369f184642364e35c7dbdcdce55

SHA256
070be79f9615b14f04a4b2afe39e1b783c55ed0a618b3c6c6b8fdaad6b6950f2

SHA512
17de8a546becb23404e1853f402bd68d46f219ecd46be447c2d68c1b633af2a953cbb2477478269360997649ae8d0fd367a856eb78aae8d581b3d86d940c4b65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e1d5395a7ea9fcb93111878b2a15628

SHA1
101a7d0561be9614aafa1c7c75c308b664ec5dad

SHA256
079236135bf224eca4db6e29f170de5094ab0f477a0f0f8131c431bc992aa8d6

SHA512
e02d44ae55423e60792332de59923620f42079f2ee642381051ff886ca7292d0278b92ac14c153b321b1f26befe0b49b1ee71601a9480cccd59d60780f34e6b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67cc32c285d26b3ad4aebee76e5480b5

SHA1
78f983af16391d07bdad968fdd79e75dda78a91c

SHA256
5df31f7fca9008ab84ac7dfe6df7f7ecff833c577e6dc64045c346d5387a14c4

SHA512
512e33e3b24f324038428f8af7b6c2cd885ccdeb5be9b51ecba4303fbf5e3c9483729f0217d6b2e63256130bc7d5930f5c30697e3b84b5768134509e9a7eed15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0e7673369ab28e74cc54fad3bbf9843

SHA1
51234113b6d0fa2b9ce151546c5d1b0c5e8256e3

SHA256
1fabc1f9fd7d96fcbd4de27cdbcdf6b315ba5a8d4b195f9e5f5ddd65d8ae0907

SHA512
6438730cc059f6a6047b28bc3f32902c1d8510e2af87c93345b0cb2b126dfb977e119b2f2ef31917bb51dafb4940e075ed10008a98c83e09cf4533c010c7b67a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1fe14e94592fe84d59dd58cfba399162

SHA1
25091ba8313bdae0a1b92d2f121dc0682ee24053

SHA256
5066cd8379c54bc207635143a5ab54b71aae8fd42a77748aff6161e6edcfdac3

SHA512
3ee593ca1a5f594def58cd1a26b569f0750e1dd1838285f48ac7908b199a6d6274f0fc681f04ce8184cc9e08a3e27c81b9b4f826e3992079234ebcd2c36b35f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8577895d5b3d7f78658f89d48c756fef

SHA1
2e842715dcb0447391b3d1a9b1d9a846b9a6a1b7

SHA256
1d0c2454807d3500c6c2a8d241edd7d5476365a972cbe0b11651cba9471bb823

SHA512
bbbde8ff6f8a98613c90c6a3762a63cdaac1d0c884fba33e314516532f02bd6f6bd0f4d90f603e82b705911fe3ee9f52c7cd6c2997a449fa0a6d3e2582d31b84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a8a4e5309a810a8cacaf44687dfcdb7

SHA1
b98bd30aac90dc314d8c39f337df5c6dc50317bc

SHA256
a1b33b13f6a74a951826e19aa02d2d4eed9aa02ba5d5e92fcf285db2255af231

SHA512
3da922d1e5b3f889fb7c625f02113252ed12d8844c286f4b0f4f0c54d22724db9adde14420259a74514aa03c76770c93b8f7f393be56d77cc14e2717b2a8a26b

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024041713.000\NetworkDiagnostics.0.debugreport.xml

Filesize
3KB

MD5
77c8d1f040670215c11500500806611f

SHA1
aaf82a3fef7fc4afb5fd2e652d2c556f06abbe6f

SHA256
84c628249b3e3b918a27f4a644092eea59dc2a44fa6c6788aa9c6863fc793855

SHA512
9288ed740788b1a283e0a318a8417e619a04fae3dec6f29a2b7fe2e6b28c0119d03ae4bcc8a49cf38b4c0fa0c146c40e83135c826aa4e5b0094d8c14f8fef17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCD9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFEFEA.tmp

Filesize
3KB

MD5
5b818ad20ca40bfd8f4204eed9410b83

SHA1
3333c2f5bde2b55ba664d6f5c3d98f93a6366156

SHA256
1d382a85f3016ab319cf0db8ade4c7e41df4c14f2051636898676893615803e4

SHA512
37ed158af6e1128005a989d729914162d0e7316ee0a3a0b95a58cb4cb6fb3b78dde4e07953207d53dca0fdfdfca4b1de5837e4358409f34e60fecdddc27b1a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE85.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
582feb6b2d0dbed64b261f0671c5f0cc

SHA1
e01fdd83ccbbe1abc41a3ad2c7e5ed91b50dffeb

SHA256
e27c04084be6f78ca5e008be2a3929079264f724b3b189905a7b830de2556dc6

SHA512
164da2317177ab7770cee941cf3bd1a0d3cf43262fac9e4e59b911534ff7dc661446f7f3668b7e712ac3e2970257a4fe6c1d488d137a58b36bd7e59f1ea93ec2

Download Submit
C:\Windows\Temp\SDIAG_709991df-6a53-4e87-a710-dcbf176d093c\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_709991df-6a53-4e87-a710-dcbf176d093c\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
memory/564-377-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1572-476-0x000000006DD00000-0x000000006E2AB000-memory.dmp

Filesize
5.7MB

Download
memory/1572-380-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/1572-379-0x000000006DD00000-0x000000006E2AB000-memory.dmp

Filesize
5.7MB

Download
memory/1572-378-0x000000006DD00000-0x000000006E2AB000-memory.dmp

Filesize
5.7MB

Download