Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7
submitted: 20-10-2020 15:01
Static task: static1
Behavioral task: behavioral1
Sample: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Resource: win7
General
Target: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Size: 368KB
MD5: ea4acb06f594dde31f5bd4862932f1de
SHA1: d62f15f53bf1d55357e3aecd83d93de1043192d8
SHA256: a96869310ed26453df874d380555cc891068510413dd8702ef6ce850f8faef6a
SHA512: b5f65b06bbe08e19ae295df84d2cfb61f9967b725e4ae7f5359d1a56bdda55c57abeee472882d79ae4c92e710a52632250b6a61b2d0541e623f0921969578569
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\57yowiem5.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\57yowiem5.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Checks whether UAC is enabled
Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe, explorer.exe
pid | process
1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
1632 | explorer.exe (8 entries)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: explorer.exe
pid | process
1632 | explorer.exe (15 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe, explorer.exe
pid | process
1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe (2 entries)
1632 | explorer.exe (3 entries)
Suspicious behavior: RenamesItself (1 IoCs)
Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
pid | process
1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeRestorePrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeBackupPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeLoadDriverPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeCreatePagefilePrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeShutdownPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeTakeOwnershipPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeChangeNotifyPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeCreateTokenPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeMachineAccountPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeSecurityPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeAssignPrimaryTokenPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeCreateGlobalPrivilege | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: 33 | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
Token: SeDebugPrivilege | 1632 | explorer.exe
Token: SeRestorePrivilege | 1632 | explorer.exe
Token: SeBackupPrivilege | 1632 | explorer.exe
Token: SeLoadDriverPrivilege | 1632 | explorer.exe
Token: SeCreatePagefilePrivilege | 1632 | explorer.exe
Token: SeShutdownPrivilege | 1632 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1632 | explorer.exe
Token: SeChangeNotifyPrivilege | 1632 | explorer.exe
Token: SeCreateTokenPrivilege | 1632 | explorer.exe
Token: SeMachineAccountPrivilege | 1632 | explorer.exe
Token: SeSecurityPrivilege | 1632 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1632 | explorer.exe
Token: SeCreateGlobalPrivilege | 1632 | explorer.exe
Token: 33 | 1632 | explorer.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe, explorer.exe
description | pid | process | target process
PID 1108 wrote to memory of 1632 | 1108 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe | explorer.exe (7 entries)
PID 1632 wrote to memory of 1236 | 1632 | explorer.exe | Dwm.exe (6 entries)
PID 1632 wrote to memory of 1284 | 1632 | explorer.exe | Explorer.EXE (6 entries)
PID 1632 wrote to memory of 2016 | 1632 | explorer.exe | DllHost.exe (6 entries)
Processes (process tree; child processes are indented under their parent)

C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\CCMA Final Reminder Case CCMAKK1029873700.PDF.exe"
        Signatures:
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious behavior: RenamesItself
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\explorer.exe
            Command line: C:\Windows\SysWOW64\explorer.exe
            Signatures:
            - Modifies firewall policy service
            - Checks BIOS information in registry
            - Adds Run key to start application
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Enumerates system info in registry
            - Modifies Internet Explorer Protected Mode
            - Modifies Internet Explorer Protected Mode Banner
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1108-0-0x0000000000DA5000-0x0000000000DA6000-memory.dmp (Filesize: 4KB)
memory/1108-1-0x0000000001070000-0x0000000001081000-memory.dmp (Filesize: 68KB)
memory/1108-2-0x0000000002E40000-0x0000000002F06000-memory.dmp (Filesize: 792KB)
memory/1108-3-0x0000000003210000-0x0000000003391000-memory.dmp (Filesize: 1.5MB)
memory/1632-4-0x0000000000000000-mapping.dmp
memory/2016-5-0x000007FEF6C10000-0x000007FEF6E8A000-memory.dmp (Filesize: 2.5MB)