Analysis
- max time kernel: 147s
- max time network: 137s
- platform: windows7_x64
- resource: win7
- submitted: 14-09-2020 16:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: Factura_pdf.exe
- Resource: win7
General
- Target: Factura_pdf.exe
- Size: 651KB
- MD5: a9345ccbf5367e9cb23076e0268b6a05
- SHA1: 16f36de10d18cc7960fdcb2e2a8e02bb30c8033a
- SHA256: c2eea0526fcd8596d700eb7001185ac149b232319e8268bce21ccfe4fd1d7500
- SHA512: 420b3e0542b531586a40ef404c5883957cfe23dc772aa8731ab4f4806754325cfd16670807c059ab0d3e89c1df957e337bc8c5407e32aa5107ca9d93139792f0
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1808 | 35w19uws3_1.exe
1956 | ya51ime17k.exe
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL (2 IoCs)
Processes:
pid | process
1880 | explorer.exe
1880 | explorer.exe
Windows security modification
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | Factura_pdf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | Factura_pdf.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\35w19uws3.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\35w19uws3.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\35w19uws3.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Factura_pdf.exe
Drops desktop.ini file(s) (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
Processes:
pid | process
344 | Factura_pdf.exe
1880 | explorer.exe (listed 10 times)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 1124 set thread context of 344 | 1124 | Factura_pdf.exe | Factura_pdf.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Factura_pdf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Factura_pdf.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
NTFS ADS (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Temp\35w19uws3_1.exe:14EDFC78 | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\35w19uws3_1.exe:14EDFC78 | explorer.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid | process
1940 | powershell.exe (listed 2 times)
1880 | explorer.exe (listed 8 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
1956 | ya51ime17k.exe
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
pid | process
344 | Factura_pdf.exe (listed 2 times)
1880 | explorer.exe (listed 3 times)
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid | process
344 | Factura_pdf.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (one IoC per token, 14 in total) | 344 | Factura_pdf.exe
Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (one IoC per token, 14 in total) | 1880 | explorer.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | process
1956 | ya51ime17k.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
1956 | ya51ime17k.exe
Suspicious use of WriteProcessMemory (50 IoCs)
Processes:
description | pid | process | target process
PID 1124 wrote to memory of 1940 | 1124 | Factura_pdf.exe | powershell.exe (listed 4 times)
PID 1124 wrote to memory of 344 | 1124 | Factura_pdf.exe | Factura_pdf.exe (listed 11 times)
PID 344 wrote to memory of 1880 | 344 | Factura_pdf.exe | explorer.exe (listed 7 times)
PID 1880 wrote to memory of 1236 | 1880 | explorer.exe | Dwm.exe (listed 6 times)
PID 1880 wrote to memory of 1280 | 1880 | explorer.exe | Explorer.EXE (listed 6 times)
PID 1880 wrote to memory of 1808 | 1880 | explorer.exe | 35w19uws3_1.exe (listed 9 times)
PID 1880 wrote to memory of 1956 | 1880 | explorer.exe | ya51ime17k.exe (listed 7 times)
Processes (indented by parent/child depth; each entry is the image path followed by the command line, then the signatures triggered by that process)
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\Factura_pdf.exe  "C:\Users\Admin\AppData\Local\Temp\Factura_pdf.exe"
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\Factura_pdf.exe  "C:\Users\Admin\AppData\Local\Temp\Factura_pdf.exe"
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe  C:\Windows\SysWOW64\explorer.exe
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\35w19uws3_1.exe  /suac
        - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\ya51ime17k.exe  "C:\Users\Admin\AppData\Local\Temp\ya51ime17k.exe"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\35w19uws3_1.exe
- C:\Users\Admin\AppData\Local\Temp\ya51ime17k.exe
- \Users\Admin\AppData\Local\Temp\35w19uws3_1.exe
- \Users\Admin\AppData\Local\Temp\ya51ime17k.exe
Memory dumps (file | size):
memory/344-46-0x00000000004015C6-mapping.dmp
memory/344-48-0x00000000022E0000-0x00000000023EC000-memory.dmp | 1.0MB
memory/344-47-0x0000000000400000-0x0000000000435000-memory.dmp | 212KB
memory/344-45-0x0000000000400000-0x0000000000435000-memory.dmp | 212KB
memory/344-49-0x0000000002D60000-0x0000000002EE1000-memory.dmp | 1.5MB
memory/1124-6-0x0000000000A90000-0x0000000000AC6000-memory.dmp | 216KB
memory/1124-5-0x0000000000870000-0x0000000000872000-memory.dmp | 8KB
memory/1124-0-0x0000000073F00000-0x00000000745EE000-memory.dmp | 6.9MB
memory/1124-4-0x0000000005530000-0x0000000005582000-memory.dmp | 328KB
memory/1124-3-0x0000000000240000-0x0000000000250000-memory.dmp | 64KB
memory/1124-1-0x00000000008A0000-0x00000000008A1000-memory.dmp | 4KB
memory/1476-53-0x000007FEF62F0000-0x000007FEF656A000-memory.dmp | 2.5MB
memory/1808-55-0x0000000000000000-mapping.dmp
memory/1808-58-0x0000000072C70000-0x000000007335E000-memory.dmp | 6.9MB
memory/1808-59-0x0000000000BA0000-0x0000000000BA1000-memory.dmp | 4KB
memory/1880-50-0x0000000000000000-mapping.dmp
memory/1880-62-0x00000000044D0000-0x00000000045DC000-memory.dmp | 1.0MB
memory/1940-10-0x0000000004720000-0x0000000004721000-memory.dmp | 4KB
memory/1940-15-0x00000000056A0000-0x00000000056A1000-memory.dmp | 4KB
memory/1940-43-0x0000000006320000-0x0000000006321000-memory.dmp | 4KB
memory/1940-29-0x00000000055F0000-0x00000000055F1000-memory.dmp | 4KB
memory/1940-28-0x00000000062B0000-0x00000000062B1000-memory.dmp | 4KB
memory/1940-21-0x0000000006140000-0x0000000006141000-memory.dmp | 4KB
memory/1940-20-0x00000000056E0000-0x00000000056E1000-memory.dmp | 4KB
memory/1940-44-0x0000000006330000-0x0000000006331000-memory.dmp | 4KB
memory/1940-12-0x0000000005260000-0x0000000005261000-memory.dmp | 4KB
memory/1940-11-0x00000000025C0000-0x00000000025C1000-memory.dmp | 4KB
memory/1940-9-0x0000000000EA0000-0x0000000000EA1000-memory.dmp | 4KB
memory/1940-7-0x0000000000000000-mapping.dmp
memory/1940-8-0x0000000073F00000-0x00000000745EE000-memory.dmp | 6.9MB
memory/1956-67-0x0000000000000000-mapping.dmp
memory/1956-70-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp | 9.6MB
memory/1956-71-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp | 9.6MB