Analysis
Max time kernel: 150s
Max time network: 113s
Platform: windows10_x64
Resource: win10v200722
Submitted: 31-08-2020 09:48
Static task: static1
Behavioral task: behavioral1
  Sample: de.exe
  Resource: win7
General
Target: de.exe
Size: 300KB
MD5: ae4f045f4a0b66fbf927f230e98a3648
SHA1: 014ccaa6cd43ebf06f2fd4387f2ae6d899e2c6a0
SHA256: 4a87068b0ac096d9472fa021fd6bdfcf7d218ae8716fabc2c027ebd595a2381f
SHA512: 9fd676fb69426ea72a83d98b5aca2080fc273140fe3ab1cff65262529496637791a695c4d61baaa203fe831a0598586e039bfe079beae209d09d98fa9588e874
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
EnableFirewall is set to 0 under both StandardProfile and PublicProfile, which switches the Windows Firewall off for those profiles. The writes are made by explorer.exe, the process that de.exe wrote into (see "Suspicious use of WriteProcessMemory" below), not by the sample's own process.
Processes: explorer.exe
  description / ioc / process
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe
Sets file execution options in registry (2 TTPs)
(no IoC rows recorded for this signature)
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
  description / ioc / process
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
The same value name, "Google Updater 2.0", is written to the user's Run and RunOnce keys and to the machine-wide RunOnce key, all pointing at C:\ProgramData\Google Updater 2.0\97m1g117.exe. A vendor-lookalike name launching an executable from a directory every user can write to is the usual dropper-plus-autorun shape; the HKLM write succeeded here because the sample ran under the sandbox's Admin account.
Processes: explorer.exe
  description / ioc / process
  Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\97m1g117.exe" explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\97m1g117.exe\"" explorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\97m1g117.exe\"" explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe
Checks whether UAC is enabled
de.exe reads EnableLUA (0 means UAC is off) before spawning its child; this is a read only, the value is not changed.
Processes: de.exe
  description / ioc / process
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA de.exe
Drops desktop.ini file(s) (1 IoC)
Processes: explorer.exe
  description / ioc / process
  File opened for modification C:\ProgramData\Google Updater 2.0\desktop.ini explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events to an attached debugger, so breakpoints and exceptions in that thread never reach it. It is a common anti-debugging call and appears in both the sample and the injected explorer.exe.
Processes: de.exe, explorer.exe
  pid / process
  60 de.exe (1 occurrence)
  3372 explorer.exe (9 occurrences)
Drops file in Windows directory (1 IoC)
This row is the WinHTTP Web Proxy Auto-Discovery service writing its own cache under the LocalService profile; the process is the system svchost.exe (-s WinHttpAutoProxySvc), not a child of de.exe. Treat it as host noise triggered by network activity rather than as a file the sample dropped.
Processes: svchost.exe
  description / ioc / process
  File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, de.exe
  description / ioc / process
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 de.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString de.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
  description / ioc / process
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe
  description / ioc / process
  Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" explorer.exe
Modifies data under HKEY_USERS (5 IoCs)
These writes are under S-1-5-19 (LOCAL SERVICE) by the WinHttpAutoProxySvc svchost.exe: the Wpad subkey is named after the network adapter's MAC address and records the outcome of the last proxy auto-discovery attempt. Like the cachev3.dat write above, this is service housekeeping rather than sample behaviour.
Processes: svchost.exe
  description / ioc / process
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe
  Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe
  Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 032395198c7fd601 svchost.exe
  Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: explorer.exe
  pid / process
  3372 explorer.exe (28 occurrences)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: de.exe
  pid / process
  60 de.exe (2 occurrences)
Suspicious behavior: RenamesItself (1 IoC)
Processes: de.exe
  pid / process
  60 de.exe
Suspicious use of AdjustPrivilegeToken (30 IoCs)
de.exe and the explorer.exe it wrote into request the same 14 privileges in the same order. A freshly started SysWOW64\explorer.exe has no reason to ask for SeDebugPrivilege or SeLoadDriverPrivilege; the identical list is further evidence that the sample's code, not Explorer's, is running in pid 3372. "33" is a privilege the sandbox reports by LUID number only.
Processes: svchost.exe, de.exe, explorer.exe
  process (pid): privileges enabled
  svchost.exe (2604): SeShutdownPrivilege, SeCreatePagefilePrivilege
  de.exe (60): SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
  explorer.exe (3372): SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: de.exe
  description / pid / process / target process
  PID 60 wrote to memory of 3372 60 de.exe explorer.exe
  PID 60 wrote to memory of 3372 60 de.exe explorer.exe
  PID 60 wrote to memory of 3372 60 de.exe explorer.exe
Processes
C:\Users\Admin\AppData\Local\Temp\de.exe (pid 60)
  command line: "C:\Users\Admin\AppData\Local\Temp\de.exe"
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\explorer.exe (pid 3372, child of de.exe)
      command line: C:\Windows\SysWOW64\explorer.exe
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe (pid 2604, system service, not a child of de.exe)
  command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the user's shell is the 64-bit C:\Windows\explorer.exe; a 32-bit SysWOW64\explorer.exe started with no arguments by an executable in Temp, and then written to three times by that parent, is an injection host rather than Explorer doing its job. Every persistence and defence-evasion action in this run (firewall off, Run/RunOnce keys, the ProgramData drop) is performed by pid 3372, so host-based detections keyed only on de.exe's own process name will miss them; correlate on the WriteProcessMemory edge instead.
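The rules a detection engineer would write from the signature rows and the process tree above, as an added example that is not part of the sandbox report: a Python triage script that parses the IoC rows exactly as the sandbox renders them ("<operation> <path>[ = <value>] <process>"), flags the firewall disable, the Run/RunOnce persistence into a user-writable directory, the hardware-fingerprint reads and the EnableLUA check, and uses the WriteProcessMemory rows to attribute explorer.exe's actions back to de.exe. The embedded rows are a constructed subset copied from this report; the rule names, the user-writable directory list and the attribution-by-process-name shortcut are this example's own choices.

```python
"""Triage the behavioural rows of a sandbox report (added example)."""
import re
from collections import Counter

# Constructed sample input: a subset of the IoC rows from the report above,
# one row per line, in the sandbox's own rendering. Rows that match no rule
# (the WPAD write by svchost.exe, "Key created" rows) produce no finding.
REGISTRY_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\97m1g117.exe" explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\97m1g117.exe\"" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\97m1g117.exe\"" explorer.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA de.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString de.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe
'''

# Constructed: the three WriteProcessMemory rows from the report above.
MEMORY_WRITE_ROWS = '''
PID 60 wrote to memory of 3372 60 de.exe explorer.exe
PID 60 wrote to memory of 3372 60 de.exe explorer.exe
PID 60 wrote to memory of 3372 60 de.exe explorer.exe
'''

# The process name is always the last token, so a lazy path match is safe
# even though registry paths and values contain spaces.
REG_ROW = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = (?P<value>.+?))? (?P<proc>\S+\.exe)$')
WRITE_ROW = re.compile(
    r'^PID (?P<spid>\d+) wrote to memory of (?P<tpid>\d+) \d+ '
    r'(?P<source>\S+) (?P<target>\S+)$')

FIREWALL = re.compile(r'\\FirewallPolicy\\(\w+Profile)\\EnableFirewall$', re.I)
RUNKEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\(RunOnce|Run)\\([^\\]+)$', re.I)
HWINFO = re.compile(r'\\HARDWARE\\DESCRIPTION\\System\\(?:BIOS\\|CentralProcessor\\\d+\\)?(\w+)$', re.I)
# Assumed list of directories any user can write to (this example's choice).
USER_WRITABLE = ('\\programdata\\', '\\appdata\\', '\\temp\\', '\\users\\public\\')


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def decode_value(raw):
    """Undo the report rendering: outer quotes, backslash-escaped quotes and
    backslashes, then the inner quotes a quoted command line carries."""
    if raw is None:
        return None
    return _unquote(_unquote(raw).replace('\\"', '"').replace('\\\\', '\\'))


def parse_registry(rows):
    events = []
    for line in rows.strip().splitlines():
        m = REG_ROW.match(line.strip())
        if not m:
            raise ValueError(f'unparsed row: {line!r}')
        ev = m.groupdict()
        ev['value'] = decode_value(ev['value'])
        events.append(ev)
    return events


def parse_injections(rows):
    """Map injected process name -> injecting process name (by name only,
    which is enough for a single-run report; a real pipeline would key on PID)."""
    injected = {}
    for line in rows.strip().splitlines():
        m = WRITE_ROW.match(line.strip())
        if m:
            injected[m.group('target')] = m.group('source')
    return injected


def triage(registry_rows=REGISTRY_ROWS, write_rows=MEMORY_WRITE_ROWS):
    injected_by = parse_injections(write_rows)
    findings = []

    def add(rule, ev, detail):
        findings.append({'rule': rule, 'process': ev['proc'],
                         # actions of a written-to process belong to the writer
                         'attributed_to': injected_by.get(ev['proc'], ev['proc']),
                         'detail': detail})

    for ev in parse_registry(registry_rows):
        op, path, val = ev['op'], ev['path'], ev['value']
        is_write = op.startswith('Set value')
        if is_write and (m := FIREWALL.search(path)) and val == '0':
            add('firewall_disabled', ev, m.group(1))
        elif is_write and (m := RUNKEY.search(path)):
            hive = 'HKLM' if path.upper().startswith('\\REGISTRY\\MACHINE') else 'HKU'
            detail = f'{hive} {m.group(1)}\\{m.group(2)} -> {val}'
            if any(d in val.lower() for d in USER_WRITABLE):
                detail += ' [target in user-writable directory]'
            add('run_key_persistence', ev, detail)
        elif op == 'Key value queried' and (m := HWINFO.search(path)):
            add('hardware_fingerprint', ev, m.group(1))
        elif op == 'Key value queried' and path.lower().endswith('\\policies\\system\\enablelua'):
            add('uac_check', ev, 'EnableLUA')
    return findings


def rule_counts(findings):
    return dict(Counter(f['rule'] for f in findings))


if __name__ == '__main__':
    for f in triage():
        print(f"{f['rule']:22} {f['process']:13} attributed to {f['attributed_to']:8} {f['detail']}")
```

On the rows above this yields ten findings, every one attributed to de.exe: the two firewall profiles, three autorun entries all pointing into C:\ProgramData, four hardware reads (SystemBiosVersion, ProcessorNameString twice, SystemManufacturer) and the EnableLUA check. The attribution step is the part worth copying: without it, a rule that scores processes individually would report a clean de.exe and a noisy explorer.exe.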
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
  memory/60-0-0x0000000005F36000-0x0000000005F37000-memory.dmp  4KB
  memory/60-1-0x0000000007B60000-0x0000000007B61000-memory.dmp  4KB
  memory/60-2-0x00000000081C0000-0x0000000008275000-memory.dmp  724KB
  memory/60-3-0x0000000008710000-0x0000000008B50000-memory.dmp  4.2MB
  memory/3372-4-0x0000000000000000-mapping.dmp
  memory/3372-5-0x0000000000C70000-0x00000000010B0000-memory.dmp  4.2MB
  memory/3372-6-0x0000000000C70000-0x00000000010B0000-memory.dmp  4.2MB

The 4.2MB region in de.exe (0x08710000-0x08B50000) and the 4.2MB region in explorer.exe (0x00C70000-0x010B0000) are both exactly 0x440000 bytes: the same image is present in the parent and in the child it wrote into, so dumping memory/3372-5 is the shortest route to the unpacked payload. The two 4KB dumps from pid 60 are single pages and are unlikely to carry anything beyond the patched bytes that triggered them.