Analysis
- max time kernel: 154s
- max time network: 158s
- platform: windows10_x64
- resource: win10v200722
- submitted: 20-10-2020 08:58

Static task: static1
Behavioral task: behavioral1
- Sample: Autocarriers Overdue invoice.DOC.exe
- Resource: win7v200722
General
- Target: Autocarriers Overdue invoice.DOC.exe
- Size: 368KB
- MD5: 17ef122a938c2b1037623d089129fd7a
- SHA1: 8557619a89b8624f89ea116799a4374188312b00
- SHA256: e5ac252a63c887a842ad2f14e60353f4dc4a7b976ad5adb20888c5b2f0bae151
- SHA512: cbdb96661ca5d5393f0574c63f1c754a270afe85ff3be5ffa3ebe8069d963b3da7d54ac7983ea77b5b861037e3d152d0a927580b3d02176472e10ee4fb116233
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)

Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\ge7513753g1.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\ge7513753g1.exe\"" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\ge7513753g1.exe\"" (explorer.exe)
Checks whether UAC is enabled (1 IoCs)
Processes: Autocarriers Overdue invoice.DOC.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Autocarriers Overdue invoice.DOC.exe)
Drops desktop.ini file(s) (1 IoCs)
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: Autocarriers Overdue invoice.DOC.exe, explorer.exe
- PID 3056 Autocarriers Overdue invoice.DOC.exe (1 event)
- PID 1468 explorer.exe (8 events)
Program crash (1 IoCs)
Processes: WerFault.exe
- PID 3860 WerFault.exe, target PID 3056 Autocarriers Overdue invoice.DOC.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, Autocarriers Overdue invoice.DOC.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Autocarriers Overdue invoice.DOC.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Autocarriers Overdue invoice.DOC.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings (3 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes: explorer.exe
- PID 1468 explorer.exe (30 events)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: Autocarriers Overdue invoice.DOC.exe
- PID 3056 Autocarriers Overdue invoice.DOC.exe (2 events)

Suspicious behavior: RenamesItself (1 IoCs)
Processes: Autocarriers Overdue invoice.DOC.exe
- PID 3056 Autocarriers Overdue invoice.DOC.exe (1 event)
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: Autocarriers Overdue invoice.DOC.exe, explorer.exe
- PID 3056 Autocarriers Overdue invoice.DOC.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 1468 explorer.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: Autocarriers Overdue invoice.DOC.exe
- PID 3056 Autocarriers Overdue invoice.DOC.exe wrote to memory of PID 1468 explorer.exe (3 events)
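The registry IoCs listed above are the kind a detection engineer would turn into rules on endpoint telemetry. The following is an added example, not part of this sandbox report or of any vendor's ruleset: a small Python matcher that runs over registry value-set events in the shape Sysmon Event ID 13 logs them (Image, TargetObject, Details are assumed field names modelled on Sysmon) and flags the three changes attributed to explorer.exe here: a firewall profile switched off, a Run/RunOnce value pointing at a user-writable directory, and Internet Explorer Protected Mode (zone value 2500) set to 3. It also tags writes made by the 32-bit C:\Windows\SysWOW64\explorer.exe, since the interactive shell on 64-bit Windows normally runs from C:\Windows\explorer.exe and a SysWOW64 copy spawned by a dropper, as in this report, is a typical injection host. The event records are constructed from this report's IoCs plus two benign records for contrast.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RegEvent:
    image: str    # writing process, e.g. C:\Windows\SysWOW64\explorer.exe
    target: str   # registry value path as the sensor logs it
    details: str  # value data, e.g. 'DWORD (0x00000000)' or a plain string


# Hive spellings differ between native paths and Sysmon; fold them together.
_SID = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[0-9-]+)\\", re.I)
_CCS = re.compile(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\", re.I)


def normalise(path: str) -> str:
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    p = _SID.sub(lambda m: "HKU\\" + m.group(1) + "\\", p)
    p = _CCS.sub(lambda m: "HKLM\\SYSTEM\\CurrentControlSet\\", p)
    return p


_DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def dword(details: str):
    """Return the integer of a Sysmon-style DWORD string, else None."""
    m = _DWORD.match(details)
    return int(m.group(1), 16) if m else None


_FIREWALL = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\"
    r"FirewallPolicy\\(Domain|Standard|Public)Profile\\EnableFirewall$", re.I)
_RUNKEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
_IE_ZONE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\"
    r"Zones\\[1-4]\\2500$", re.I)
# Locations a standard user can write to; a Run entry pointing here is suspect.
_USER_WRITABLE = re.compile(
    r"\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\", re.I)
WOW64_EXPLORER = r"c:\windows\syswow64\explorer.exe"


def evaluate(ev: RegEvent) -> List[str]:
    hits: List[str] = []
    path = normalise(ev.target)
    if _FIREWALL.match(path) and dword(ev.details) == 0:
        hits.append("firewall-profile-disabled")
    if _RUNKEY.search(path) and _USER_WRITABLE.search(ev.details):
        hits.append("run-key-to-user-writable-path")
    if _IE_ZONE.search(path) and dword(ev.details) == 3:
        hits.append("ie-protected-mode-disabled")
    # Only add the writer tag when something else already fired, to keep noise down.
    if hits and ev.image.lower() == WOW64_EXPLORER:
        hits.append("writer-is-wow64-explorer")
    return hits


def scan(events: Iterable[RegEvent]) -> List[Tuple[str, str]]:
    return [(ev.target, h) for ev in events for h in evaluate(ev)]


# Constructed events: the first four mirror IoCs from this report, the last two are benign noise.
SAMPLE_EVENTS = [
    RegEvent(r"C:\Windows\SysWOW64\explorer.exe",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
             "DWORD (0x00000000)"),
    RegEvent(r"C:\Windows\SysWOW64\explorer.exe",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall",
             "DWORD (0x00000000)"),
    RegEvent(r"C:\Windows\SysWOW64\explorer.exe",
             r"\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0",
             r'"C:\ProgramData\Google Updater 2.0\ge7513753g1.exe"'),
    RegEvent(r"C:\Windows\SysWOW64\explorer.exe",
             r"\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500",
             "DWORD (0x00000003)"),
    RegEvent(r"C:\Program Files\Vendor\setup.exe",          # constructed: installer registering itself
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor Agent",
             r'"C:\Program Files\Vendor\agent.exe"'),
    RegEvent(r"C:\Windows\System32\svchost.exe",             # constructed: firewall turned on, not off
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
             "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for target, hit in scan(SAMPLE_EVENTS):
        print(f"{hit:32s} {target}")
```

The Run-key rule deliberately keys on where the value points rather than on the key itself, because legitimate installers write Run entries constantly; what is unusual here is an entry named after a well-known updater pointing into C:\ProgramData. The firewall rule normalises ControlSet001 to CurrentControlSet so one pattern covers both spellings.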
Processes
1. C:\Users\Admin\AppData\Local\Temp\Autocarriers Overdue invoice.DOC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Autocarriers Overdue invoice.DOC.exe"
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: MapViewOfSection
   - Suspicious behavior: RenamesItself
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 588
      - Program crash
   2. C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer Protected Mode
      - Modifies Internet Explorer Protected Mode Banner
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1468-4-0x0000000000000000-mapping.dmp
- memory/1468-5-0x0000000000A30000-0x0000000000E70000-memory.dmp (4.2MB)
- memory/1468-6-0x0000000000A30000-0x0000000000E70000-memory.dmp (4.2MB)
- memory/3056-0-0x0000000000F9F000-0x0000000000FA0000-memory.dmp (4KB)
- memory/3056-1-0x0000000001320000-0x0000000001321000-memory.dmp (4KB)
- memory/3056-2-0x0000000003100000-0x00000000031C6000-memory.dmp (792KB)
- memory/3056-3-0x0000000003550000-0x0000000003990000-memory.dmp (4.2MB)