Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows7_x64
- resource: win7
- submitted: 31-08-2020 09:48

Tasks
- Static task: static1 (0 signatures, 0 seconds)
- Behavioral task: behavioral1 (sample: de.exe; resource: win7, windows7_x64)
General
- Target: de.exe
- Size: 300KB
- MD5: ae4f045f4a0b66fbf927f230e98a3648
- SHA1: 014ccaa6cd43ebf06f2fd4387f2ae6d899e2c6a0
- SHA256: 4a87068b0ac096d9472fa021fd6bdfcf7d218ae8716fabc2c027ebd595a2381f
- SHA512: 9fd676fb69426ea72a83d98b5aca2080fc273140fe3ab1cff65262529496637791a695c4d61baaa203fe831a0598586e039bfe079beae209d09d98fa9588e874
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Sets file execution options in registry (2 TTPs)
-
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\5ci3u9aew5m7s9q.exe\"" | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\5ci3u9aew5m7s9q.exe" | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\5ci3u9aew5m7s9q.exe\"" | explorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Checks whether UAC is enabled
Processes: de.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | de.exe
Drops desktop.ini file(s) (1 IoCs)
Processes: explorer.exe
description | ioc | process
- File opened for modification | C:\ProgramData\Google Updater 2.0\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
Processes: de.exe, explorer.exe
pid | process
- 616 | de.exe
- 1636 | explorer.exe (9 entries)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, de.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | de.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | de.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: explorer.exe
pid | process
- 1636 | explorer.exe (15 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: de.exe, explorer.exe
pid | process
- 616 | de.exe (2 entries)
- 1636 | explorer.exe (3 entries)
Suspicious behavior: RenamesItself (1 IoCs)
Processes: de.exe
pid | process
- 616 | de.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: de.exe, explorer.exe
description | pid | process
- 616 de.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- 1636 explorer.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: de.exe, explorer.exe
description | pid | process | target process
- PID 616 wrote to memory of 1636 | 616 | de.exe | explorer.exe (7 entries)
- PID 1636 wrote to memory of 1252 | 1636 | explorer.exe | Dwm.exe (6 entries)
- PID 1636 wrote to memory of 1292 | 1636 | explorer.exe | Explorer.EXE (6 entries)
- PID 1636 wrote to memory of 1976 | 1636 | explorer.exe | DllHost.exe (6 entries)
Processes (process tree; nesting shows parent/child, command line in parentheses)
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe")
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\de.exe ("C:\Users\Admin\AppData\Local\Temp\de.exe")
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (C:\Windows\SysWOW64\explorer.exe)
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
- memory/616-0-0x00000000061CB000-0x00000000061CC000-memory.dmp (4KB)
- memory/616-1-0x00000000078A0000-0x00000000078B1000-memory.dmp (68KB)
- memory/616-2-0x0000000007EF0000-0x0000000007FA5000-memory.dmp (724KB)
- memory/616-3-0x00000000082B0000-0x0000000008431000-memory.dmp (1.5MB)
- memory/1636-4-0x0000000000000000-mapping.dmp
- memory/1976-5-0x000007FEF70B0000-0x000007FEF732A000-memory.dmp (2.5MB)