Analysis
- max time kernel: 149s
- max time network: 159s
- platform: windows7_x64
- resource: win7v200722
- submitted: 20-10-2020 08:58
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Autocarriers Overdue invoice.DOC.exe
  - Resource: win7v200722
General
- Target: Autocarriers Overdue invoice.DOC.exe
- Size: 368KB
- MD5: 17ef122a938c2b1037623d089129fd7a
- SHA1: 8557619a89b8624f89ea116799a4374188312b00
- SHA256: e5ac252a63c887a842ad2f14e60353f4dc4a7b976ad5adb20888c5b2f0bae151
- SHA512: cbdb96661ca5d5393f0574c63f1c754a270afe85ff3be5ffa3ebe8069d963b3da7d54ac7983ea77b5b861037e3d152d0a927580b3d02176472e10ee4fb116233
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe (PID 1580, the SysWOW64 copy spawned by the sample, not the user shell PID 1292)
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
EnableFirewall = 0 switches Windows Firewall off for that profile; writing it under HKLM\SYSTEM requires administrative rights.
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Adds Run key to start application 2 TTPs 6 IoCs
Processes: explorer.exe
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\7si19m1g11957s.exe"
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\7si19m1g11957s.exe\""
- explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\7si19m1g11957s.exe\""
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
All three entries (per-user Run, per-user RunOnce, machine-wide RunOnce) point at the same dropped binary under C:\ProgramData\Google Updater 2.0\, a directory that is writable by standard users and that no real Google updater uses. The "Google Updater 2.0" value name is chosen to blend in.
Checks whether UAC is enabled 1 IoCs
Processes: Autocarriers Overdue invoice.DOC.exe
- Autocarriers Overdue invoice.DOC.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops desktop.ini file(s) 1 IoCs
Processes: explorer.exe
- explorer.exe: File opened for modification C:\ProgramData\Google Updater 2.0\desktop.ini
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: Autocarriers Overdue invoice.DOC.exe, explorer.exe
- PID 1492 Autocarriers Overdue invoice.DOC.exe (1 call)
- PID 1580 explorer.exe (8 calls)
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the calling thread from delivering debug events to an attached debugger; legitimate software almost never uses it.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Autocarriers Overdue invoice.DOC.exe, explorer.exe
- Autocarriers Overdue invoice.DOC.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Autocarriers Overdue invoice.DOC.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (Internet zone)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (Restricted sites zone)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (Local intranet zone)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (Trusted sites zone)
Value 2500 in a zone key is the "Turn on Protected Mode" setting; 3 disables it, so Internet Explorer content in every zone runs outside the low-integrity sandbox.
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
Modifies Internet Explorer settings 3 IoCs
Processes: explorer.exe
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\Main
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Internet Explorer\VersionManager
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes: explorer.exe
- PID 1580 explorer.exe (15 events)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: Autocarriers Overdue invoice.DOC.exe, explorer.exe
- PID 1492 Autocarriers Overdue invoice.DOC.exe (2 events)
- PID 1580 explorer.exe (3 events)
Suspicious behavior: RenamesItself 1 IoCs
Processes: Autocarriers Overdue invoice.DOC.exe
- PID 1492 Autocarriers Overdue invoice.DOC.exe
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes: Autocarriers Overdue invoice.DOC.exe (PID 1492), explorer.exe (PID 1580)
Both processes adjusted the same fourteen privileges, in the same order (14 events each, 28 in total):
- SeDebugPrivilege
- SeRestorePrivilege
- SeBackupPrivilege
- SeLoadDriverPrivilege
- SeCreatePagefilePrivilege
- SeShutdownPrivilege
- SeTakeOwnershipPrivilege
- SeChangeNotifyPrivilege
- SeCreateTokenPrivilege
- SeMachineAccountPrivilege
- SeSecurityPrivilege
- SeAssignPrimaryTokenPrivilege
- SeCreateGlobalPrivilege
- 33 (reported by the sandbox as a raw privilege LUID rather than a name)
Suspicious use of WriteProcessMemory 25 IoCs
Processes: Autocarriers Overdue invoice.DOC.exe, explorer.exe
- PID 1492 Autocarriers Overdue invoice.DOC.exe wrote to memory of PID 1580 explorer.exe (7 writes)
- PID 1580 explorer.exe wrote to memory of PID 1236 Dwm.exe (6 writes)
- PID 1580 explorer.exe wrote to memory of PID 1292 Explorer.EXE (6 writes)
- PID 1580 explorer.exe wrote to memory of PID 1936 DllHost.exe (6 writes)
Processes
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"), PID 1236; already running, written to by PID 1580
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1292; the user shell that launched the sample, later written to by PID 1580
  - C:\Users\Admin\AppData\Local\Temp\Autocarriers Overdue invoice.DOC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Autocarriers Overdue invoice.DOC.exe"), PID 1492
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (command line: C:\Windows\SysWOW64\explorer.exe), PID 1580; the 32-bit explorer.exe spawned by the sample, which then wrote to its memory (7 WriteProcessMemory calls)
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 1936; already running, written to by PID 1580
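The WriteProcessMemory rows and the process tree together describe two different injection patterns: the sample writes into a SysWOW64\explorer.exe that it spawned itself (consistent with hollowing, given the MapViewOfSection events and the 1580-4 mapping dump below), and that explorer.exe then writes into three processes that were already running (Dwm.exe, the shell Explorer.EXE and DllHost.exe). The following is an added example, not part of the sandbox report: a Python pass that collapses such write events into edges, tells the two patterns apart using parent links, and walks the resulting chain from the sample. The PIDs, names and parent relationships are transcribed from this page; the `Proc`/`MemWrite` records and every function name are this example's own.

```python
"""Cross-process memory-write analysis for this report's process tree (added example).

PIDs, names and parent links are transcribed from the page; the write list is
constructed from the WriteProcessMemory rows. Proc, MemWrite and the function
names are this example's own, not the sandbox's schema.
"""
from collections import Counter, deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    ppid: Optional[int]   # None: already running when the sample started


@dataclass(frozen=True)
class MemWrite:
    src: int
    dst: int


PROCS: Dict[int, Proc] = {
    1236: Proc(1236, "Dwm.exe", None),
    1292: Proc(1292, "Explorer.EXE", None),
    1936: Proc(1936, "DllHost.exe", None),
    1492: Proc(1492, "Autocarriers Overdue invoice.DOC.exe", 1292),
    1580: Proc(1580, "SysWOW64\\explorer.exe", 1492),
}

# Constructed from the report's 25 WriteProcessMemory rows.
WRITES: List[MemWrite] = (
    [MemWrite(1492, 1580)] * 7
    + [MemWrite(1580, 1236)] * 6
    + [MemWrite(1580, 1292)] * 6
    + [MemWrite(1580, 1936)] * 6
)


def write_edges(writes: List[MemWrite]) -> Counter:
    """Collapse raw events into (src, dst) -> count, ignoring writes into self."""
    return Counter((w.src, w.dst) for w in writes if w.src != w.dst)


def classify_edge(src: int, dst: int, procs: Dict[int, Proc]) -> str:
    """Distinguish writing into a child the writer spawned from writing into a live process."""
    if procs[dst].ppid == src:
        return "own child (hollowing-style: spawn, then overwrite before it runs)"
    return "pre-existing process (injection into a running process)"


def injection_chain(root: int, writes: List[MemWrite]) -> List[int]:
    """Breadth-first walk of write edges from root; neighbours visited in ascending PID order."""
    adjacency: Dict[int, set] = {}
    for src, dst in write_edges(writes):
        adjacency.setdefault(src, set()).add(dst)
    order = [root]
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for nxt in sorted(adjacency.get(current, ())):
            if nxt not in order:
                order.append(nxt)
                queue.append(nxt)
    return order


def report(root: int, writes: List[MemWrite], procs: Dict[int, Proc]) -> List[str]:
    """One line per edge plus the overall chain, as an analyst would paste into notes."""
    lines = []
    for (src, dst), count in sorted(write_edges(writes).items()):
        lines.append(f"{procs[src].name} (PID {src}) -> {procs[dst].name} (PID {dst}): "
                     f"{count} writes, {classify_edge(src, dst, procs)}")
    chain = " -> ".join(f"{procs[p].name}({p})" for p in injection_chain(root, writes))
    lines.append("chain: " + chain)
    return lines


if __name__ == "__main__":
    for line in report(1492, WRITES, PROCS):
        print(line)
```

The parent-link test is what separates the two patterns: the write from 1492 into 1580 targets the writer's own child, which is the shape of process hollowing, whereas the writes from 1580 into 1236, 1292 and 1936 target processes the writer did not create. In a detection pipeline the second shape (a process writing into unrelated, already-running system processes) is the stronger signal, because spawning and writing to one's own child has a few legitimate uses (debuggers, some installers) that writing into the desktop window manager does not.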
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
- memory/1492-0-0x0000000000D65000-0x0000000000D66000-memory.dmp (4KB)
- memory/1492-1-0x0000000000FB0000-0x0000000000FC1000-memory.dmp (68KB)
- memory/1492-2-0x0000000002E10000-0x0000000002ED6000-memory.dmp (792KB)
- memory/1492-3-0x00000000031E0000-0x0000000003361000-memory.dmp (1.5MB)
- memory/1580-16-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-19-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-6-0x00000000025D0000-0x00000000025D4000-memory.dmp (16KB)
- memory/1580-7-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-8-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-9-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-10-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-11-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-12-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-13-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-14-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-15-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-4-0x0000000000000000-mapping.dmp (section mapped into PID 1580, not a memory range)
- memory/1580-17-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-18-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-32-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-20-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-21-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-22-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-23-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-24-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-25-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-26-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-27-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-28-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-29-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-30-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1580-31-0x0000000002540000-0x0000000002544000-memory.dmp (16KB)
- memory/1936-5-0x000007FEF6C10000-0x000007FEF6E8A000-memory.dmp (2.5MB)
The repeated 16KB dumps of 0x2540000-0x2544000 in PID 1580 are successive snapshots of the same small region, taken each time the sandbox saw it written; the 1492-2 and 1492-3 regions (792KB and 1.5MB) are the sample's own unpacked payload and the first place to look for strings and configuration.