Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7
- submitted: 13-10-2020 10:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: Completed Finance Application and Required Documents.DOC.exe

General
- Target: Completed Finance Application and Required Documents.DOC.exe
- Size: 299KB
- MD5: 9e6a523473b8b248169a7c012df77e71
- SHA1: 077d03bbe5c57015103583eb9a6dd3afbc8e45a9
- SHA256: aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf
- SHA512: 3772fd8794801af0851c56bdbd3c6174aec3cd719e0a4bd2957bc38f4baaec80e8fee55e654856eed8c5962d8f4f66b01e380ae57bd8b801fabbe69a352610c6
Malware Config

Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\5uq5em71q9.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\5uq5em71q9.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\5uq5em71q9.exe\"" (explorer.exe)
Checks whether UAC is enabled
Processes: Completed Finance Application and Required Documents.DOC.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Completed Finance Application and Required Documents.DOC.exe)
Drops desktop.ini file(s) (1 IoCs)
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: Completed Finance Application and Required Documents.DOC.exe, explorer.exe
- PID 1044 Completed Finance Application and Required Documents.DOC.exe (1 occurrence)
- PID 1744 explorer.exe (8 occurrences)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, Completed Finance Application and Required Documents.DOC.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Completed Finance Application and Required Documents.DOC.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Completed Finance Application and Required Documents.DOC.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: explorer.exe
- PID 1744 explorer.exe (15 occurrences)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: Completed Finance Application and Required Documents.DOC.exe, explorer.exe
- PID 1044 Completed Finance Application and Required Documents.DOC.exe (2 occurrences)
- PID 1744 explorer.exe (3 occurrences)
Suspicious behavior: RenamesItself (1 IoCs)
Processes: Completed Finance Application and Required Documents.DOC.exe
- PID 1044 Completed Finance Application and Required Documents.DOC.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: Completed Finance Application and Required Documents.DOC.exe, explorer.exe
- PID 1044 Completed Finance Application and Required Documents.DOC.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 1744 explorer.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: Completed Finance Application and Required Documents.DOC.exe, explorer.exe
- PID 1044 (Completed Finance Application and Required Documents.DOC.exe) wrote to memory of PID 1744 (explorer.exe): 7 occurrences
- PID 1744 (explorer.exe) wrote to memory of PID 1216 (Dwm.exe): 6 occurrences
- PID 1744 (explorer.exe) wrote to memory of PID 1256 (Explorer.EXE): 6 occurrences
- PID 1744 (explorer.exe) wrote to memory of PID 1892 (DllHost.exe): 6 occurrences
Processes
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe")
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\Completed Finance Application and Required Documents.DOC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Completed Finance Application and Required Documents.DOC.exe")
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (command line: C:\Windows\SysWOW64\explorer.exe)
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1044-0-0x000000000365B000-0x000000000365C000-memory.dmp (Filesize 4KB)
- memory/1044-1-0x0000000004CF0000-0x0000000004D01000-memory.dmp (Filesize 68KB)
- memory/1044-2-0x00000000054B0000-0x0000000005564000-memory.dmp (Filesize 720KB)
- memory/1044-3-0x0000000005870000-0x00000000059F1000-memory.dmp (Filesize 1.5MB)
- memory/1744-4-0x0000000000000000-mapping.dmp
- memory/1892-5-0x000007FEF6430000-0x000007FEF66AA000-memory.dmp (Filesize 2.5MB)