Analysis
- max time kernel: 148s
- max time network: 111s
- platform: windows10_x64
- resource: win10v200722
- submitted: 09-10-2020 06:24
Static task: static1
Behavioral task: behavioral1
Sample: G-00923 SCHEMATIC DRAWING.exe
Resource: win7
General
- Target: G-00923 SCHEMATIC DRAWING.exe
- Size: 394KB
- MD5: b11bd28d54e471b569bf6a7c3667314b
- SHA1: 86a1f4a6dacfb53c209ec2c083b78927b9817386
- SHA256: 48ee79a7379d43d060969a9909836f4b3236c55ec551d1b33dd97c1c35f57a59
- SHA512: 9b4bae35e16a4effe56592d00d8633ee456a48164787440e71fd9da8bb973f2389b1e328cf3370012bba361fdb8977f1edf23056425b197126b4c96667683f35
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
-
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
-
Loads dropped DLL 2 IoCs
Processes: G-00923 SCHEMATIC DRAWING.exe, rundll32.exe
- PID 3888: G-00923 SCHEMATIC DRAWING.exe
- PID 2060: rundll32.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Chrome Updater = "\"C:\\ProgramData\\Chrome Updater\\7i1qyca1kew9.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Chrome Updater = "C:\\ProgramData\\Chrome Updater\\7i1qyca1kew9.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Updater = "\"C:\\ProgramData\\Chrome Updater\\7i1qyca1kew9.exe\"" (explorer.exe)
-
Checks whether UAC is enabled
Processes: cmd.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cmd.exe)
-
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Chrome Updater\desktop.ini (explorer.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: cmd.exe, explorer.exe
- PID 2216: cmd.exe (1 entry)
- PID 2420: explorer.exe (8 entries)
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: cmd.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (cmd.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (cmd.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
-
Modifies Internet Explorer settings
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: rundll32.exe, explorer.exe
- PID 2060: rundll32.exe (2 entries)
- PID 2420: explorer.exe (remaining 22 entries)
-
Suspicious behavior: MapViewOfSection 4 IoCs
Processes: rundll32.exe, cmd.exe
- PID 2060: rundll32.exe (2 entries)
- PID 2216: cmd.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: cmd.exe, explorer.exe
- PID 2216 cmd.exe, Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 2420 explorer.exe, Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
-
Suspicious use of WriteProcessMemory 90 IoCs
Processes: G-00923 SCHEMATIC DRAWING.exe, rundll32.exe
- PID 3888 (G-00923 SCHEMATIC DRAWING.exe) wrote to memory of PID 2060 (rundll32.exe): 3 entries
- PID 2060 (rundll32.exe) wrote to memory of PID 2144 (cmd.exe): 4 entries
- PID 2060 (rundll32.exe) wrote to memory of PID 2216 (cmd.exe): remaining 83 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\G-00923 SCHEMATIC DRAWING.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\G-00923 SCHEMATIC DRAWING.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
Command line: rundll32.exe WestDermatology,Expectorator
Depth: 2
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"
Depth: 3
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"
Depth: 3
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
Depth: 4
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Titian
MD5 0ac4fbc114e6d5d2920a813ddf0e8451
SHA1 748078c6fd488f9f1c43e5e061232bafe38d8666
SHA256 45831116f86f06b431e8489239d221df2b9c54957da1284035632eaf3082954a
SHA512 083b6af275fb713b5b3df10f70824d28645bc25781d8223e3ee7ecf25ef5012a57252128772cc7b43bf100fa0f3ba736c53df4d0c170793667c94da73a8d4eaf
-
C:\Users\Admin\AppData\Local\Temp\WestDermatology.DLL
MD5 1956599b160db4aaed23805288bfda5e
SHA1 0c18b70736b0a0dfcce6e15a5c96cd901e49a650
SHA256 ac9e878bb0ae58e4930dd2ea7ad90b4db249e17d1ff3720138ff6dbe79b4b0ee
SHA512 7aa7fae37db2e56566ce4101c7312b8ea6870e9637dd5720fc398e8187a9031689035e7bb803af550848be4a3f913ae65f456f6958e48a5b360e367a68e0b6da
-
\Users\Admin\AppData\Local\Temp\WestDermatology.dll
MD5 1956599b160db4aaed23805288bfda5e
SHA1 0c18b70736b0a0dfcce6e15a5c96cd901e49a650
SHA256 ac9e878bb0ae58e4930dd2ea7ad90b4db249e17d1ff3720138ff6dbe79b4b0ee
SHA512 7aa7fae37db2e56566ce4101c7312b8ea6870e9637dd5720fc398e8187a9031689035e7bb803af550848be4a3f913ae65f456f6958e48a5b360e367a68e0b6da
-
\Users\Admin\AppData\Local\Temp\nsn4D6C.tmp\UserInfo.dll
MD5 e167f9a565781a30c03ff10370033319
SHA1 1858758b076946073de375c6eb1bec9867aa3689
SHA256 a912514823df595ba3a048099d3b89e925a4d41742afc67e772060952892f312
SHA512 96d8f5ac8e2c0961ba71075de52d12515e7a058cddf3fa1ec14e77545b0b5f4e29324a13e2eb287a447f1d24dc9f09e0a70b0a25401b0ef8d90e6e4a96ce6c61
-
memory/2060-1-0x0000000000000000-mapping.dmp
-
memory/2060-5-0x0000000005370000-0x00000000053A5000-memory.dmp
Filesize 212KB
-
memory/2216-6-0x0000000000000000-mapping.dmp
-
memory/2216-7-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize 212KB
-
memory/2216-8-0x0000000004F80000-0x0000000005022000-memory.dmp
Filesize 648KB
-
memory/2216-9-0x00000000053D0000-0x0000000005810000-memory.dmp
Filesize 4.2MB
-
memory/2420-10-0x0000000000000000-mapping.dmp
-
memory/2420-11-0x0000000001300000-0x0000000001740000-memory.dmp
Filesize 4.2MB
-
memory/2420-12-0x0000000001300000-0x0000000001740000-memory.dmp
Filesize 4.2MB