Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10_x64
- resource: win10v200722
- submitted: 20-10-2020 15:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
- Resource: win7
General
- Target: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
- Size: 368KB
- MD5: ea4acb06f594dde31f5bd4862932f1de
- SHA1: d62f15f53bf1d55357e3aecd83d93de1043192d8
- SHA256: a96869310ed26453df874d380555cc891068510413dd8702ef6ce850f8faef6a
- SHA512: b5f65b06bbe08e19ae295df84d2cfb61f9967b725e4ae7f5359d1a56bdda55c57abeee472882d79ae4c92e710a52632250b6a61b2d0541e623f0921969578569
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
- Sets file execution options in registry (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: explorer.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\1uq1131m77gq.exe" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\1uq1131m77gq.exe\"" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
- Checks whether UAC is enabled
  Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
  Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe, explorer.exe
  pid | process
  648 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
  3296 | explorer.exe (8 occurrences)
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1900 | 648 | WerFault.exe | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: explorer.exe, CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
- Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
- Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
- Modifies Internet Explorer settings
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: explorer.exe
  pid | process
  3296 | explorer.exe (30 occurrences)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
  pid | process
  648 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe (2 occurrences)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
  pid | process
  648 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe, explorer.exe
  pid | process | tokens (one IoC each)
  648 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
  3296 | explorer.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: CCMA Final Reminder Case CCMAKK1029873700.PDF.exe
  description | pid | process | target process
  PID 648 wrote to memory of 3296 | 648 | CCMA Final Reminder Case CCMAKK1029873700.PDF.exe | explorer.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\CCMA Final Reminder Case CCMAKK1029873700.PDF.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CCMA Final Reminder Case CCMAKK1029873700.PDF.exe"
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 592
    - Program crash
  - C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: C:\Windows\SysWOW64\explorer.exe
    - Modifies firewall policy service
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/648-0-0x0000000000E3F000-0x0000000000E40000-memory.dmp (Filesize: 4KB)
- memory/648-1-0x0000000001290000-0x0000000001291000-memory.dmp (Filesize: 4KB)
- memory/648-6-0x00000000013D0000-0x00000000013D1000-memory.dmp (Filesize: 4KB)
- memory/648-7-0x0000000003090000-0x0000000003156000-memory.dmp (Filesize: 792KB)
- memory/648-8-0x00000000034E0000-0x0000000003920000-memory.dmp (Filesize: 4.2MB)
- memory/3296-9-0x0000000000000000-mapping.dmp
- memory/3296-10-0x0000000000BD0000-0x0000000001010000-memory.dmp (Filesize: 4.2MB)
- memory/3296-11-0x0000000000BD0000-0x0000000001010000-memory.dmp (Filesize: 4.2MB)