Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10v200722
- submitted: 13-10-2020 10:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: Completed Finance Application and Required Documents.DOC.exe
- Resource: win7
General
- Target: Completed Finance Application and Required Documents.DOC.exe
- Size: 299KB
- MD5: 9e6a523473b8b248169a7c012df77e71
- SHA1: 077d03bbe5c57015103583eb9a6dd3afbc8e45a9
- SHA256: aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf
- SHA512: 3772fd8794801af0851c56bdbd3c6174aec3cd719e0a4bd2957bc38f4baaec80e8fee55e654856eed8c5962d8f4f66b01e380ae57bd8b801fabbe69a352610c6
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
EnableFirewall = 0 under StandardProfile and PublicProfile switches the Windows Firewall off for private and public networks. The writes come from explorer.exe, not from the sample's own process.
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Adds Run key to start application 2 TTPs 6 IoCs
Persistence is set in both the machine-wide RunOnce key and the user's Run and RunOnce keys, all pointing at an executable under C:\ProgramData, a location that standard users can write to.
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3y9wyiw35.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\3y9wyiw35.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3y9wyiw35.exe\"" (explorer.exe)
Checks whether UAC is enabled 1 IoCs
EnableLUA holds the User Account Control policy (0 = UAC off). The sample only reads the value here; no write is recorded.
Processes: Completed Finance Application and Required Documents.DOC.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Completed Finance Application and Required Documents.DOC.exe)
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops debug events for the calling thread from reaching an attached debugger; ordinary application code has no reason to call it.
Processes: Completed Finance Application and Required Documents.DOC.exe, explorer.exe
- PID 408 Completed Finance Application and Required Documents.DOC.exe (1 call)
- PID 3492 explorer.exe (8 calls)
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Completed Finance Application and Required Documents.DOC.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Completed Finance Application and Required Documents.DOC.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Completed Finance Application and Required Documents.DOC.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Value 2500 under each Zones\<n> key controls Protected Mode for that zone (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites); 0 enables it and 3 disables it, so these four writes turn Protected Mode off in every zone.
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings 3 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: explorer.exe
- PID 3492 explorer.exe (32 occurrences)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: Completed Finance Application and Required Documents.DOC.exe
- PID 408 Completed Finance Application and Required Documents.DOC.exe (2 occurrences)
Suspicious behavior: RenamesItself 1 IoCs
Processes: Completed Finance Application and Required Documents.DOC.exe
- PID 408 Completed Finance Application and Required Documents.DOC.exe (1 occurrence)
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: Completed Finance Application and Required Documents.DOC.exe, explorer.exe
- PID 408 Completed Finance Application and Required Documents.DOC.exe enabled tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 IoCs)
- PID 3492 explorer.exe enabled tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33 (14 IoCs)
Suspicious use of WriteProcessMemory 3 IoCs
Processes: Completed Finance Application and Required Documents.DOC.exe
- PID 408 Completed Finance Application and Required Documents.DOC.exe wrote to memory of PID 3492 explorer.exe (3 occurrences)
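The registry signatures above are produced by matching the sandbox's hook log against key and value patterns. The following Python is an added example, not part of the sandbox report or its signature engine: it reproduces that matching over a constructed event list that mirrors the IoCs recorded here and adds the check an analyst wants next, namely which autostart entries point at user-writable paths such as C:\ProgramData. The RegEvent schema (pid, image, op, key, value) and the rule table are assumptions of this example, not any sensor's format; the thread-hiding and WriteProcessMemory behaviours are API-level and are outside this registry-only check.

```python
"""Registry-signature matching in the style of the sandbox report.

Added example, not sandbox output. EVENTS is constructed from the IoCs in
the report; the RegEvent schema (pid, image, op, key, value) is assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    op: str          # "create", "set" or "query"
    key: str         # native path, \REGISTRY\MACHINE\... or \REGISTRY\USER\...
    value: str = ""  # data written by a "set", empty otherwise


# (signature, operation, key pattern, value pattern or None)
RULES = [
    ("Modifies firewall policy service", "set",
     r"\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile\\EnableFirewall$", r"0"),
    ("Adds Run key to start application", "set",
     r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", None),
    ("Checks whether UAC is enabled", "query",
     r"\\Policies\\System\\EnableLUA$", None),
    ("Checks BIOS information in registry", "query",
     r"\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion$", None),
    ("Checks processor information in registry", "query",
     r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+\\ProcessorNameString$", None),
    ("Enumerates system info in registry", "query",
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer$", None),
    ("Modifies Internet Explorer Protected Mode", "set",
     r"\\Internet Settings\\Zones\\[0-4]\\2500$", r"3"),
    ("Modifies Internet Explorer Protected Mode Banner", "set",
     r"\\Internet Explorer\\Main\\NoProtectedModeBanner$", r"1"),
]


def classify(events):
    """Map each signature name to the events that triggered it."""
    hits = {}
    for ev in events:
        for name, op, key_re, val_re in RULES:
            if ev.op != op or not re.search(key_re, ev.key, re.IGNORECASE):
                continue
            if val_re is not None and not re.fullmatch(val_re, ev.value):
                continue
            hits.setdefault(name, []).append(ev)
    return hits


RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Locations a standard user can write to; an autostart entry here deserves a look.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)


def autostart_targets(events):
    """Executable paths written to Run/RunOnce values, surrounding quotes removed."""
    return [ev.value.strip('"') for ev in events
            if ev.op == "set" and RUN_KEY.search(ev.key)]


def persistence_in_user_writable_paths(events):
    """Autostart targets under ProgramData or a user profile's AppData."""
    return sorted({p for p in autostart_targets(events) if USER_WRITABLE.match(p)})


SAMPLE = "Completed Finance Application and Required Documents.DOC.exe"
HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000"
TARGET = r'"C:\ProgramData\Google Updater 2.0\3y9wyiw35.exe"'

# Constructed events mirroring the report's IoCs, plus one benign control event (PID 5000).
EVENTS = [
    RegEvent(408, SAMPLE, "query", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    RegEvent(408, SAMPLE, "query", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    RegEvent(3492, "explorer.exe", "create", HKLM + r"\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"),
    RegEvent(3492, "explorer.exe", "set", HKLM + r"\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "0"),
    RegEvent(3492, "explorer.exe", "set", HKLM + r"\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall", "0"),
    RegEvent(3492, "explorer.exe", "set", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0", TARGET),
    RegEvent(3492, "explorer.exe", "set", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0", TARGET),
    RegEvent(3492, "explorer.exe", "query", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(3492, "explorer.exe", "query", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    RegEvent(3492, "explorer.exe", "query", HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    RegEvent(3492, "explorer.exe", "set", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500", "3"),
    RegEvent(3492, "explorer.exe", "set", HKU + r"\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner", "1"),
    RegEvent(5000, "explorer.exe", "set", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]


if __name__ == "__main__":
    for name, evs in classify(EVENTS).items():
        print(f"{name}: {len(evs)} IoCs, PIDs {sorted({ev.pid for ev in evs})}")
    print("autostart in user-writable paths:", persistence_in_user_writable_paths(EVENTS))
```

Only "set" operations count towards the value-changing signatures, so the bare "Key created" event for the StandardProfile key matches nothing on its own, and the benign Explorer\Advanced\Hidden write from PID 5000 is left untouched; the report's own IoC counts include key creations, which is why they are higher than what this check reports.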
Processes
- C:\Users\Admin\AppData\Local\Temp\Completed Finance Application and Required Documents.DOC.exe (PID 408, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Completed Finance Application and Required Documents.DOC.exe"
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\explorer.exe (PID 3492, level 2, under PID 408)
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Modifies firewall policy service
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/408-1-0x0000000005060000-0x0000000005061000-memory.dmp (4KB)
- memory/408-2-0x0000000005670000-0x0000000005724000-memory.dmp (720KB)
- memory/408-3-0x0000000005C50000-0x0000000006090000-memory.dmp (4.2MB)
- memory/3492-4-0x0000000000000000-mapping.dmp
- memory/3492-5-0x0000000000170000-0x00000000005B0000-memory.dmp (4.2MB)
- memory/3492-6-0x0000000000170000-0x00000000005B0000-memory.dmp (4.2MB)
The 4.2MB regions in PID 408 (0x5C50000-0x6090000) and PID 3492 (0x170000-0x5B0000) are the same size, 0x440000 bytes, which lines up with the WriteProcessMemory activity from PID 408 into PID 3492 recorded under Signatures; the explorer.exe dumps are the first place to look for what was written.