Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows7_x64
- resource: win7
- submitted: 08-10-2020 12:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: Notification from SARS, Defaulter letter.PDF.exe
- Resource: win7
General
- Target: Notification from SARS, Defaulter letter.PDF.exe
- Size: 308KB
- MD5: 3a34763afced1c015e7dbf36bccd545b
- SHA1: 2d4ac07c3d4ede47c08accf50d0dcbbf23725090
- SHA256: c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd
- SHA512: 5fbb1ff88aa011ec845c069905f8e5c73876810134614e68ebe0814dc549dd12d894a8317fb6cca95f9da9ef2b83c1d51f7d3499d14cc341fafef408b2efd7bb
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Process: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Adds Run key to start application (2 TTPs, 6 IoCs)
Process: explorer.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\u1m5q7ig.exe"
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\u1m5q7ig.exe\""
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\u1m5q7ig.exe\""
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Checks whether UAC is enabled
Process: Notification from SARS, Defaulter letter.PDF.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops desktop.ini file(s) (1 IoCs)
Process: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.0\desktop.ini
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes:
- PID 896 Notification from SARS, Defaulter letter.PDF.exe (1 occurrence)
- PID 1560 explorer.exe (8 occurrences)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: Notification from SARS, Defaulter letter.PDF.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 2 IoCs)
Process: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Process: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Process: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
Modifies Internet Explorer settings
Process: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\VersionManager
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
- PID 1560 explorer.exe (15 occurrences)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 896 Notification from SARS, Defaulter letter.PDF.exe (2 occurrences)
- PID 1560 explorer.exe (3 occurrences)
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
- PID 896 Notification from SARS, Defaulter letter.PDF.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Process: PID 896 Notification from SARS, Defaulter letter.PDF.exe
- Token: SeDebugPrivilege
- Token: SeRestorePrivilege
- Token: SeBackupPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeShutdownPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeCreateTokenPrivilege
- Token: SeMachineAccountPrivilege
- Token: SeSecurityPrivilege
- Token: SeAssignPrimaryTokenPrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
Process: PID 1560 explorer.exe
- Token: SeDebugPrivilege
- Token: SeRestorePrivilege
- Token: SeBackupPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeShutdownPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeCreateTokenPrivilege
- Token: SeMachineAccountPrivilege
- Token: SeSecurityPrivilege
- Token: SeAssignPrimaryTokenPrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (source PID -> target PID):
- PID 896 Notification from SARS, Defaulter letter.PDF.exe wrote to memory of PID 1560 explorer.exe (7 occurrences)
- PID 1560 explorer.exe wrote to memory of PID 1208 Dwm.exe (6 occurrences)
- PID 1560 explorer.exe wrote to memory of PID 1276 Explorer.EXE (6 occurrences)
- PID 1560 explorer.exe wrote to memory of PID 2008 DllHost.exe (6 occurrences)
Processes
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\Notification from SARS, Defaulter letter.PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Notification from SARS, Defaulter letter.PDF.exe"
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/896-0-0x000000000029B000-0x000000000029C000-memory.dmp (Filesize: 4KB)
- memory/896-1-0x0000000004A80000-0x0000000004A91000-memory.dmp (Filesize: 68KB)
- memory/896-2-0x00000000053B0000-0x0000000005467000-memory.dmp (Filesize: 732KB)
- memory/896-3-0x0000000005770000-0x00000000058F1000-memory.dmp (Filesize: 1.5MB)
- memory/1560-4-0x0000000000000000-mapping.dmp
- memory/2008-5-0x000007FEF68A0000-0x000007FEF6B1A000-memory.dmp (Filesize: 2.5MB)