Analysis
- max time kernel: 150s
- max time network: 102s
- platform: windows10_x64
- resource: win10
- submitted: 12-10-2020 06:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: Product_item.exe
- Resource: win7
General
- Target: Product_item.exe
- Size: 927KB
- MD5: 8a9aae01cda806a3da1bbb8bdb40da3f
- SHA1: df95aa3ea7a3fbc66ced0615491ee7e656f09a52
- SHA256: 054b7c5d38a00ecfc40168d4dc21610139c5ab6a46d2a0e851ef100397d5e5e9
- SHA512: 781529a195356186c87507fd0e39368c6ca3ad35fc43b6ae4e547f6b24b399b1ac057a7c1f8765a9669f2363a8fab34ac17946de2a819e2d51c9892849c2d039
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe

Sets file execution options in registry 2 TTPs

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\ksu35u3k533qcm.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\ksu35u3k533qcm.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\ksu35u3k533qcm.exe\"" | explorer.exe

Checks whether UAC is enabled 1 IoCs
Processes: Product_item.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Product_item.exe

Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
description | ioc | process
File opened for modification | C:\ProgramData\Google Updater 2.0\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: Product_item.exe, explorer.exe
pid | process
2612 | Product_item.exe
2512 | explorer.exe (8 events)

Suspicious use of SetThreadContext 1 IoCs
Processes: Product_item.exe
description | pid | process | target process
PID 3832 set thread context of 2612 | 3832 | Product_item.exe | Product_item.exe

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Product_item.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Product_item.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Product_item.exe

Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe

Modifies Internet Explorer settings 3 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: Product_item.exe, explorer.exe
pid | process
3832 | Product_item.exe (4 events)
2512 | explorer.exe (22 events)

Suspicious behavior: MapViewOfSection 2 IoCs
Processes: Product_item.exe
pid | process
2612 | Product_item.exe (2 events)

Suspicious behavior: RenamesItself 1 IoCs
Processes: Product_item.exe
pid | process
2612 | Product_item.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes: Product_item.exe, Product_item.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 3832 | Product_item.exe
Token: SeDebugPrivilege | 2612 | Product_item.exe
Token: SeRestorePrivilege | 2612 | Product_item.exe
Token: SeBackupPrivilege | 2612 | Product_item.exe
Token: SeLoadDriverPrivilege | 2612 | Product_item.exe
Token: SeCreatePagefilePrivilege | 2612 | Product_item.exe
Token: SeShutdownPrivilege | 2612 | Product_item.exe
Token: SeTakeOwnershipPrivilege | 2612 | Product_item.exe
Token: SeChangeNotifyPrivilege | 2612 | Product_item.exe
Token: SeCreateTokenPrivilege | 2612 | Product_item.exe
Token: SeMachineAccountPrivilege | 2612 | Product_item.exe
Token: SeSecurityPrivilege | 2612 | Product_item.exe
Token: SeAssignPrimaryTokenPrivilege | 2612 | Product_item.exe
Token: SeCreateGlobalPrivilege | 2612 | Product_item.exe
Token: 33 | 2612 | Product_item.exe
Token: SeDebugPrivilege | 2512 | explorer.exe
Token: SeRestorePrivilege | 2512 | explorer.exe
Token: SeBackupPrivilege | 2512 | explorer.exe
Token: SeLoadDriverPrivilege | 2512 | explorer.exe
Token: SeCreatePagefilePrivilege | 2512 | explorer.exe
Token: SeShutdownPrivilege | 2512 | explorer.exe
Token: SeTakeOwnershipPrivilege | 2512 | explorer.exe
Token: SeChangeNotifyPrivilege | 2512 | explorer.exe
Token: SeCreateTokenPrivilege | 2512 | explorer.exe
Token: SeMachineAccountPrivilege | 2512 | explorer.exe
Token: SeSecurityPrivilege | 2512 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 2512 | explorer.exe
Token: SeCreateGlobalPrivilege | 2512 | explorer.exe
Token: 33 | 2512 | explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs
Processes: Product_item.exe, Product_item.exe
description | pid | process | target process
PID 3832 wrote to memory of 2612 | 3832 | Product_item.exe | Product_item.exe (10 events)
PID 2612 wrote to memory of 2512 | 2612 | Product_item.exe | explorer.exe (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Product_item.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Product_item.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Product_item.exe
      Command line: "{path}"
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe
         Command line: C:\Windows\SysWOW64\explorer.exe
         - Modifies firewall policy service
         - Checks BIOS information in registry
         - Adds Run key to start application
         - Drops desktop.ini file(s)
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Checks processor information in registry
         - Enumerates system info in registry
         - Modifies Internet Explorer Protected Mode
         - Modifies Internet Explorer Protected Mode Banner
         - Modifies Internet Explorer settings
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2512-19-0x0000000000030000-0x0000000000470000-memory.dmp (Filesize 4.2MB)
- memory/2512-18-0x0000000000030000-0x0000000000470000-memory.dmp (Filesize 4.2MB)
- memory/2512-17-0x0000000000000000-mapping.dmp
- memory/2612-12-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
- memory/2612-16-0x0000000003960000-0x0000000003DA0000-memory.dmp (Filesize 4.2MB)
- memory/2612-15-0x0000000003510000-0x0000000003661000-memory.dmp (Filesize 1.3MB)
- memory/2612-14-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
- memory/2612-13-0x00000000004015C6-mapping.dmp
- memory/3832-5-0x00000000054B0000-0x00000000054B1000-memory.dmp (Filesize 4KB)
- memory/3832-10-0x00000000080F0000-0x0000000008181000-memory.dmp (Filesize 580KB)
- memory/3832-11-0x0000000007920000-0x000000000799B000-memory.dmp (Filesize 492KB)
- memory/3832-9-0x0000000006280000-0x0000000006284000-memory.dmp (Filesize 16KB)
- memory/3832-8-0x00000000062C0000-0x00000000062C1000-memory.dmp (Filesize 4KB)
- memory/3832-7-0x00000000058C0000-0x00000000058C1000-memory.dmp (Filesize 4KB)
- memory/3832-6-0x0000000005E10000-0x0000000005E11000-memory.dmp (Filesize 4KB)
- memory/3832-0-0x0000000073D70000-0x000000007445E000-memory.dmp (Filesize 6.9MB)
- memory/3832-4-0x0000000005410000-0x0000000005411000-memory.dmp (Filesize 4KB)
- memory/3832-3-0x0000000005910000-0x0000000005911000-memory.dmp (Filesize 4KB)
- memory/3832-1-0x0000000000A80000-0x0000000000A81000-memory.dmp (Filesize 4KB)