Analysis
Max time kernel: 149s
Max time network: 147s
Platform: windows10_x64
Resource: win10
Submitted: 08-10-2020 12:49
Static task: static1
Behavioral task: behavioral1
Sample: Notification from SARS, Defaulter letter.PDF.exe
Resource: win7
General
Target: Notification from SARS, Defaulter letter.PDF.exe
Size: 308KB
MD5: 3a34763afced1c015e7dbf36bccd545b
SHA1: 2d4ac07c3d4ede47c08accf50d0dcbbf23725090
SHA256: c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd
SHA512: 5fbb1ff88aa011ec845c069905f8e5c73876810134614e68ebe0814dc549dd12d894a8317fb6cca95f9da9ef2b83c1d51f7d3499d14cc341fafef408b2efd7bb
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Setting EnableFirewall to 0 under a profile key turns the Windows Firewall off for that profile; both the Standard (private) and Public profiles are switched off here.
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
Sets file execution options in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Adds Run key to start application 2 TTPs 6 IoCs
The HKCU Run and RunOnce entries and the HKLM RunOnce entry all point at the same file, C:\ProgramData\Google Updater 2.0\o51uom33.exe, so it is launched again at the next logon.
Processes: explorer.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\o51uom33.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\o51uom33.exe\"" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\o51uom33.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
Checks whether UAC is enabled 1 IoCs
EnableLUA is the policy value that controls whether UAC is on (0 = disabled); only a read of it is recorded here.
Processes: Notification from SARS, Defaulter letter.PDF.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Notification from SARS, Defaulter letter.PDF.exe)
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: Notification from SARS, Defaulter letter.PDF.exe, explorer.exe
- PID 2728 Notification from SARS, Defaulter letter.PDF.exe (1 call)
- PID 1132 explorer.exe (8 calls)
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Notification from SARS, Defaulter letter.PDF.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Notification from SARS, Defaulter letter.PDF.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Notification from SARS, Defaulter letter.PDF.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Value 2500 under a zone key is the Protected Mode switch (0 = on, 3 = off); zones 1 to 4 are Local intranet, Trusted sites, Internet and Restricted sites, so Protected Mode is turned off for every zone.
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
NoProtectedModeBanner = 1 suppresses the notification bar that would otherwise tell the user that Protected Mode is off.
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings 3 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes: explorer.exe
- PID 1132 explorer.exe (30 events)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: Notification from SARS, Defaulter letter.PDF.exe
- PID 2728 Notification from SARS, Defaulter letter.PDF.exe (2 events)
Suspicious behavior: RenamesItself 1 IoCs
Processes: Notification from SARS, Defaulter letter.PDF.exe
- PID 2728 Notification from SARS, Defaulter letter.PDF.exe (1 event)
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: Notification from SARS, Defaulter letter.PDF.exe (PID 2728), explorer.exe (PID 1132)
Both processes requested the same 14 privileges, in this order: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, and privilege LUID 33 (SeIncreaseWorkingSetPrivilege).
The signature records the privileges named in the call, not which of them the token actually held; asking for the whole list regardless of need (SeCreateTokenPrivilege and SeMachineAccountPrivilege are rarely present in a user token) is itself a common malware trait.
Suspicious use of WriteProcessMemory 3 IoCs
Processes: Notification from SARS, Defaulter letter.PDF.exe
- PID 2728 Notification from SARS, Defaulter letter.PDF.exe wrote to memory of PID 1132 explorer.exe (3 events)
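The signatures above are essentially registry rules over "description / ioc / process" rows. As an added example (not part of the sandbox or this report), the script below encodes the firewall, Run-key, Protected Mode, banner and hardware-fingerprint checks as rules and runs them over a constructed event list built from the IoCs listed above, plus one made-up benign Run entry as a control. The rule names, helper functions and the verdict logic are this example's own assumptions, not the sandbox's.

```python
import re

# Constructed sample events in the report's (description, registry path, value, process)
# shape. The SID and paths are the ones listed above; the OneDrive row is an invented
# benign control to show that an ordinary Run entry does not fire.
SID = "S-1-5-21-2066881839-3229799743-3576549721-1000"
FWP = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
SAMPLE_EVENTS = [
    ("Set value (int)", FWP + r"\StandardProfile\EnableFirewall", "0", "explorer.exe"),
    ("Set value (int)", FWP + r"\PublicProfile\EnableFirewall", "0", "explorer.exe"),
    ("Set value (str)",
     r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0" % SID,
     r'"C:\ProgramData\Google Updater 2.0\o51uom33.exe"', "explorer.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0",
     r'"C:\ProgramData\Google Updater 2.0\o51uom33.exe"', "explorer.exe"),
    ("Set value (int)",
     r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500" % SID,
     "3", "explorer.exe"),
    ("Set value (int)",
     r"\REGISTRY\USER\%s\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner" % SID,
     "1", "explorer.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None, "explorer.exe"),
    # Constructed benign control: a Run entry that points into the user profile, not ProgramData.
    ("Set value (str)",
     r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"', "OneDrive.exe"),
]

# (rule name, pattern on the registry path, predicate on the written/queried value).
# Rule names are this example's own.
RULES = [
    ("firewall_disabled",                      # EnableFirewall = 0 turns the profile's firewall off
     re.compile(r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", re.I),
     lambda v: v == "0"),
    ("run_key_into_programdata",               # autostart pointing at a world-writable location
     re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
     lambda v: v is not None and "\\programdata\\" in v.lower()),
    ("ie_protected_mode_disabled",             # Zones\N\2500 = 3 switches Protected Mode off
     re.compile(r"\\Internet Settings\\Zones\\[1-4]\\2500$", re.I),
     lambda v: v == "3"),
    ("ie_protected_mode_banner_hidden",
     re.compile(r"\\Internet Explorer\\Main\\NoProtectedModeBanner$", re.I),
     lambda v: v == "1"),
    ("hardware_fingerprint_query",             # the BIOS/CPU reads used to spot sandboxes
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|BIOS\\SystemManufacturer"
                r"|CentralProcessor\\0\\ProcessorNameString)$", re.I),
     lambda v: True),
]


def match_events(events):
    """Return (rule, process, path) for every write or read that satisfies a rule."""
    hits = []
    for desc, path, value, proc in events:
        if not desc.startswith(("Set value", "Key value queried")):
            continue
        for name, pattern, value_ok in RULES:
            if pattern.search(path) and value_ok(value):
                hits.append((name, proc, path))
    return hits


def rules_by_process(events):
    """Which rules fired per process, so it is clear which process did the damage."""
    out = {}
    for name, proc, _ in match_events(events):
        out.setdefault(proc, set()).add(name)
    return out


def verdict(events):
    """Persistence plus a defence-evasion change from the same process is treated as malicious."""
    for proc, names in rules_by_process(events).items():
        if "run_key_into_programdata" in names and names & {"firewall_disabled", "ie_protected_mode_disabled"}:
            return ("malicious", proc)
    return ("suspicious" if match_events(events) else "clean", None)


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
    print(verdict(SAMPLE_EVENTS))
```

The control row matters: a Run value by itself is not an indicator, the combination of where it points and what else the same process changed is. On a live host the same rules can be fed from Sysmon event ID 13 (registry value set) instead of sandbox rows.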
Processes
1. C:\Users\Admin\AppData\Local\Temp\Notification from SARS, Defaulter letter.PDF.exe (PID 2728)
Command line: "C:\Users\Admin\AppData\Local\Temp\Notification from SARS, Defaulter letter.PDF.exe"
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\explorer.exe (PID 1132, child of PID 2728)
Command line: C:\Windows\SysWOW64\explorer.exe
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
A 32-bit explorer.exe (SysWOW64) started by the sample and written to via WriteProcessMemory, after which the persistence, firewall and Internet Explorer changes all appear under its name, is the usual injection pattern: the explorer.exe signatures describe the injected payload's behaviour, not Explorer's own.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1132-4-0x0000000000000000-mapping.dmp
- memory/1132-5-0x0000000001200000-0x0000000001640000-memory.dmp (4.2MB)
- memory/1132-6-0x0000000001200000-0x0000000001640000-memory.dmp (4.2MB)
- memory/2728-0-0x0000000003346000-0x0000000003347000-memory.dmp (4KB)
- memory/2728-1-0x0000000004F70000-0x0000000004F71000-memory.dmp (4KB)
- memory/2728-2-0x0000000005540000-0x00000000055F7000-memory.dmp (732KB)
- memory/2728-3-0x0000000005990000-0x0000000005DD0000-memory.dmp (4.2MB)
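The dump names encode PID and address range, which is enough to line up the WriteProcessMemory events with the regions the sandbox captured. As an added example (not part of the report), the script below parses the names listed above, collapses duplicate captures of the same range, and reports regions in the target process whose size exactly matches a region in the injecting process. A size match is a lead for which dumps to diff byte-for-byte, not proof of injection on its own; the helper names are this example's own.

```python
import re
from collections import defaultdict

# The dump names from the Downloads list above, copied verbatim.
DUMP_NAMES = [
    "memory/1132-4-0x0000000000000000-mapping.dmp",
    "memory/1132-5-0x0000000001200000-0x0000000001640000-memory.dmp",
    "memory/1132-6-0x0000000001200000-0x0000000001640000-memory.dmp",
    "memory/2728-0-0x0000000003346000-0x0000000003347000-memory.dmp",
    "memory/2728-1-0x0000000004F70000-0x0000000004F71000-memory.dmp",
    "memory/2728-2-0x0000000005540000-0x00000000055F7000-memory.dmp",
    "memory/2728-3-0x0000000005990000-0x0000000005DD0000-memory.dmp",
]

# Range dumps look like memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp;
# the "-mapping.dmp" entry carries no address range and is skipped.
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(names):
    """Return sorted unique (pid, start, end, size) tuples for every range dump."""
    regions = set()
    for name in names:
        m = DUMP_RE.search(name)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.add((int(m["pid"]), start, end, end - start))
    return sorted(regions)


def shared_sizes(regions, injector, target):
    """Regions in `target` whose size equals a region in `injector`: candidates for injected code."""
    by_size = defaultdict(list)
    for pid, start, end, size in regions:
        by_size[size].append((pid, start, end))
    candidates = []
    for size, items in sorted(by_size.items()):
        source = [r for r in items if r[0] == injector]
        dest = [r for r in items if r[0] == target]
        if source and dest:
            candidates.append({"size": size, "source": source, "target": dest})
    return candidates


if __name__ == "__main__":
    for c in shared_sizes(parse_dumps(DUMP_NAMES), injector=2728, target=1132):
        print("size 0x%X (%d bytes): %s -> %s" % (c["size"], c["size"], c["source"], c["target"]))
```

Here the 0x440000-byte region at 0x05990000 in PID 2728 and the 0x440000-byte region at 0x01200000 in PID 1132 are the only size match, which fits the three WriteProcessMemory events into explorer.exe recorded above; comparing those two dumps is the next step.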