Analysis
- max time kernel: 147s
- max time network: 73s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 11:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: Customer Complaint letter NHBRC258812.PDF.exe
- Resource: win7v200722
General
- Target: Customer Complaint letter NHBRC258812.PDF.exe
- Size: 329KB
- MD5: 69940b99a87df030b38ab4b04281d7ff
- SHA1: a4cecf005b0777ed740e4dc9671e87349e3017cc
- SHA256: 9f829213a1f233378e8e9069adac865edfb8dd4a7e64998d273930c54ab258eb
- SHA512: e43a7dedfcd91b104dcf77b45fd57e28b8dc20ce5a2ae0b094479c4651c8f60154695c13ac770e975d3cecd0d7cefd6d9237428c01cbea2ef1a85f9c29eae2dd
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: Customer Complaint letter NHBRC258812.PDF.exe
  description | pid | process | target process
  PID 2928 wrote to memory of 4000 | 2928 | Customer Complaint letter NHBRC258812.PDF.exe | explorer.exe
  PID 2928 wrote to memory of 4000 | 2928 | Customer Complaint letter NHBRC258812.PDF.exe | explorer.exe
  PID 2928 wrote to memory of 4000 | 2928 | Customer Complaint letter NHBRC258812.PDF.exe | explorer.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: Customer Complaint letter NHBRC258812.PDF.exe
  pid | process
  2928 | Customer Complaint letter NHBRC258812.PDF.exe
  2928 | Customer Complaint letter NHBRC258812.PDF.exe
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
- Modifies Internet Explorer settings (4 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: Customer Complaint letter NHBRC258812.PDF.exe, explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Customer Complaint letter NHBRC258812.PDF.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Customer Complaint letter NHBRC258812.PDF.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
  Processes: Customer Complaint letter NHBRC258812.PDF.exe, explorer.exe
  pid | process
  2928 | Customer Complaint letter NHBRC258812.PDF.exe
  4000 | explorer.exe (8 identical entries)
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes: Customer Complaint letter NHBRC258812.PDF.exe, explorer.exe
  description | pid | process
  Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 entries) | 2928 | Customer Complaint letter NHBRC258812.PDF.exe
  Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 entries) | 4000 | explorer.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: Customer Complaint letter NHBRC258812.PDF.exe
  pid | process
  2928 | Customer Complaint letter NHBRC258812.PDF.exe
- Sets file execution options in registry (2 TTPs)
- Drops desktop.ini file(s) (1 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\ProgramData\Google Updater 2.0\desktop.ini | explorer.exe
- Checks whether UAC is enabled (2 IoCs)
  Processes: Customer Complaint letter NHBRC258812.PDF.exe, explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Customer Complaint letter NHBRC258812.PDF.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: explorer.exe
  pid | process
  4000 | explorer.exe (30 identical entries)
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\33951oq1ykwm.exe\"" | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\33951oq1ykwm.exe\"" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\33951oq1ykwm.exe" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Customer Complaint letter NHBRC258812.PDF.exe (depth 1, PID 2928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Customer Complaint letter NHBRC258812.PDF.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Checks processor information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: RenamesItself
  - Checks whether UAC is enabled
  - C:\Windows\SysWOW64\explorer.exe (depth 2, PID 4000, child of the sample)
    Command line: C:\Windows\SysWOW64\explorer.exe
    - Enumerates system info in registry
    - Modifies firewall policy service
    - Modifies Internet Explorer settings
    - Checks processor information in registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Drops desktop.ini file(s)
    - Checks whether UAC is enabled
    - Checks BIOS information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2928-0-0x0000000003599000-0x000000000359A000-memory.dmp (Filesize: 4KB)
- memory/2928-1-0x00000000052E0000-0x00000000052E1000-memory.dmp (Filesize: 4KB)
- memory/2928-2-0x0000000005780000-0x000000000583C000-memory.dmp (Filesize: 752KB)
- memory/2928-3-0x0000000005D00000-0x0000000006140000-memory.dmp (Filesize: 4.2MB)
- memory/4000-4-0x0000000000000000-mapping.dmp
- memory/4000-5-0x0000000000900000-0x0000000000D40000-memory.dmp (Filesize: 4.2MB)
- memory/4000-6-0x0000000000900000-0x0000000000D40000-memory.dmp (Filesize: 4.2MB)