Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10
- submitted: 24-09-2020 19:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: CFDI_Detalles.exe
- Resource: win7v200722
General
- Target: CFDI_Detalles.exe
- Size: 649KB
- MD5: 25c412970140a1a041d28ad8817d605c
- SHA1: d7247da0263fe24f2bb3a68703c40579a6eaa1ae
- SHA256: 53533c1e66deaaba84275f5d11465423bf957a5bcc51de05492792128381e7d7
- SHA512: 964110a2a91cccc35eaadc9536c88d319fc1e4ee3f7aed685bcb0a03cdfa1cb00b43a8c19ffe273c1d364af86ffdddfd27a40e42fafd8f5de4fef6a3a5dbeb29
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe

Executes dropped EXE (3 IoCs)
Processes:
pid | process
2140 | u7o511119kscw3_1.exe
2560 | qqu95i7i.exe
4004 | 1c9g3a1cwk1551.exe

Sets file execution options in registry (2 TTPs)

Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\u7o511119kscw3.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\u7o511119kscw3.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\u7o511119kscw3.exe\"" | explorer.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CFDI_Detalles.exe
Drops desktop.ini file(s) (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes:
pid | process
4048 | CFDI_Detalles.exe
2984 | explorer.exe (repeated 11 times)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 3888 set thread context of 4048 | 3888 | CFDI_Detalles.exe | CFDI_Detalles.exe
PID 2140 set thread context of 0 | 2140 | u7o511119kscw3_1.exe |

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CFDI_Detalles.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | CFDI_Detalles.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe

Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe

Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
NTFS ADS (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\u7o511119kscw3_1.exe:14EDFC78 | explorer.exe
File created | C:\Users\Admin\AppData\Local\Temp\u7o511119kscw3_1.exe:14EDFC78 | explorer.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
pid | process
2984 | explorer.exe (repeated 30 times)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
pid | process
2560 | qqu95i7i.exe
4004 | 1c9g3a1cwk1551.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
pid | process
4048 | CFDI_Detalles.exe (repeated 2 times)

Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid | process
4048 | CFDI_Detalles.exe

Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4048 | CFDI_Detalles.exe
Token: SeRestorePrivilege | 4048 | CFDI_Detalles.exe
Token: SeBackupPrivilege | 4048 | CFDI_Detalles.exe
Token: SeLoadDriverPrivilege | 4048 | CFDI_Detalles.exe
Token: SeCreatePagefilePrivilege | 4048 | CFDI_Detalles.exe
Token: SeShutdownPrivilege | 4048 | CFDI_Detalles.exe
Token: SeTakeOwnershipPrivilege | 4048 | CFDI_Detalles.exe
Token: SeChangeNotifyPrivilege | 4048 | CFDI_Detalles.exe
Token: SeCreateTokenPrivilege | 4048 | CFDI_Detalles.exe
Token: SeMachineAccountPrivilege | 4048 | CFDI_Detalles.exe
Token: SeSecurityPrivilege | 4048 | CFDI_Detalles.exe
Token: SeAssignPrimaryTokenPrivilege | 4048 | CFDI_Detalles.exe
Token: SeCreateGlobalPrivilege | 4048 | CFDI_Detalles.exe
Token: 33 | 4048 | CFDI_Detalles.exe
Token: SeDebugPrivilege | 2984 | explorer.exe
Token: SeRestorePrivilege | 2984 | explorer.exe
Token: SeBackupPrivilege | 2984 | explorer.exe
Token: SeLoadDriverPrivilege | 2984 | explorer.exe
Token: SeCreatePagefilePrivilege | 2984 | explorer.exe
Token: SeShutdownPrivilege | 2984 | explorer.exe
Token: SeTakeOwnershipPrivilege | 2984 | explorer.exe
Token: SeChangeNotifyPrivilege | 2984 | explorer.exe
Token: SeCreateTokenPrivilege | 2984 | explorer.exe
Token: SeMachineAccountPrivilege | 2984 | explorer.exe
Token: SeSecurityPrivilege | 2984 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 2984 | explorer.exe
Token: SeCreateGlobalPrivilege | 2984 | explorer.exe
Token: 33 | 2984 | explorer.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
2560 | qqu95i7i.exe
4004 | 1c9g3a1cwk1551.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
2560 | qqu95i7i.exe
4004 | 1c9g3a1cwk1551.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process
PID 3888 wrote to memory of 4048 | 3888 | CFDI_Detalles.exe | CFDI_Detalles.exe (repeated 5 times)
PID 4048 wrote to memory of 2984 | 4048 | CFDI_Detalles.exe | explorer.exe (repeated 3 times)
PID 2984 wrote to memory of 2140 | 2984 | explorer.exe | u7o511119kscw3_1.exe (repeated 3 times)
PID 2984 wrote to memory of 2560 | 2984 | explorer.exe | qqu95i7i.exe (repeated 2 times)
PID 2984 wrote to memory of 4004 | 2984 | explorer.exe | 1c9g3a1cwk1551.exe (repeated 2 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\CFDI_Detalles.exe (command line: "C:\Users\Admin\AppData\Local\Temp\CFDI_Detalles.exe", level 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CFDI_Detalles.exe (command line: "C:\Users\Admin\AppData\Local\Temp\CFDI_Detalles.exe", level 2)
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (command line: C:\Windows\SysWOW64\explorer.exe, level 3)
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\u7o511119kscw3_1.exe (command line: /suac, level 4)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
      - C:\Users\Admin\AppData\Local\Temp\qqu95i7i.exe (command line: "C:\Users\Admin\AppData\Local\Temp\qqu95i7i.exe", level 4)
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Local\Temp\1c9g3a1cwk1551.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1c9g3a1cwk1551.exe", level 4)
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1c9g3a1cwk1551.exe
- C:\Users\Admin\AppData\Local\Temp\qqu95i7i.exe
- C:\Users\Admin\AppData\Local\Temp\u7o511119kscw3_1.exe
- memory/2140-8-0x0000000000000000-mapping.dmp
- memory/2560-11-0x0000000000000000-mapping.dmp
- memory/2560-14-0x00007FF88C2A0000-0x00007FF88CC40000-memory.dmp (Filesize 9.6MB)
- memory/2984-7-0x00000000000B0000-0x00000000004F0000-memory.dmp (Filesize 4.2MB)
- memory/2984-6-0x00000000000B0000-0x00000000004F0000-memory.dmp (Filesize 4.2MB)
- memory/2984-5-0x0000000000000000-mapping.dmp
- memory/4004-15-0x0000000000000000-mapping.dmp
- memory/4004-18-0x00007FF88C2A0000-0x00007FF88CC40000-memory.dmp (Filesize 9.6MB)
- memory/4048-0-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
- memory/4048-4-0x0000000002B90000-0x0000000002FD0000-memory.dmp (Filesize 4.2MB)
- memory/4048-3-0x0000000002740000-0x000000000284C000-memory.dmp (Filesize 1.0MB)
- memory/4048-2-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
- memory/4048-1-0x00000000004015C6-mapping.dmp