Analysis
- max time kernel: 149s
- max time network: 98s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-01-2021 18:42
Static task: static1
Behavioral task: behavioral1
- Sample: CFDI__Manager__12365.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: CFDI__Manager__12365.exe
- Resource: win10v20201028
General
- Target: CFDI__Manager__12365.exe
- Size: 809KB
- MD5: 5b7c3ff3556606c67a61527f81579eee
- SHA1: 75299ed8a21eebe1b1969e065e80f02ad21d4267
- SHA256: 82e756b74e20e351fe5c695768d7849ebd1cf4f852c53bfafd2388dd5a5aa17f
- SHA512: 6484459bd38bb1e5f6a1ec32f05f71c948431f3e2e08d15a90a1c8779ec9695e0f6a0f062e9a5c26b21ec4cf387dd5e0da47e3f32a04c6b6d9df4930b62e942c
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Process: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
Executes dropped EXE (3 IoCs)
- PID 964: 997us99sm_1.exe
- PID 1056: 713mou1w.exe
- PID 1656: gug5c795.exe
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Loads dropped DLL (3 IoCs)
- PID 320: explorer.exe (3 events)
Adds Run key to start application (2 TTPs, 6 IoCs)
Process: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\997us99sm.exe"
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\997us99sm.exe\""
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\997us99sm.exe\""
Checks whether UAC is enabled
Process: CFDI__Manager__12365.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops desktop.ini file(s) (1 IoCs)
Process: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.09\desktop.ini
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
- PID 1240: CFDI__Manager__12365.exe (1 event)
- PID 320: explorer.exe (11 events)
Suspicious use of SetThreadContext (2 IoCs)
- PID 1340 (CFDI__Manager__12365.exe) set thread context of PID 1240; procid_target: 25
- PID 964 (997us99sm_1.exe) set thread context of PID 0
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: CFDI__Manager__12365.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 2 IoCs)
Process: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Process: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Process: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
Modifies Internet Explorer settings
Process: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"
NTFS ADS (2 IoCs)
Process: explorer.exe
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\997us99sm_1.exe:14EDFC78
- File created: C:\Users\Admin\AppData\Local\Temp\997us99sm_1.exe:14EDFC78
Suspicious behavior: EnumeratesProcesses (17 IoCs)
- PID 320: explorer.exe (17 events)
Suspicious behavior: MapViewOfSection (4 IoCs)
- PID 1240: CFDI__Manager__12365.exe (2 events)
- PID 320: explorer.exe (2 events)
Suspicious behavior: RenamesItself (1 IoCs)
- PID 1240: CFDI__Manager__12365.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Both PID 1240 (CFDI__Manager__12365.exe) and PID 320 (explorer.exe) adjusted the same 14 tokens:
- Token: SeDebugPrivilege
- Token: SeRestorePrivilege
- Token: SeBackupPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeShutdownPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeChangeNotifyPrivilege
- Token: SeCreateTokenPrivilege
- Token: SeMachineAccountPrivilege
- Token: SeSecurityPrivilege
- Token: SeAssignPrimaryTokenPrivilege
- Token: SeCreateGlobalPrivilege
- Token: 33
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1656: gug5c795.exe
Suspicious use of WriteProcessMemory (46 IoCs)
- PID 1340 (CFDI__Manager__12365.exe) wrote to memory of PID 1240; procid_target: 25 (6 events)
- PID 1240 (CFDI__Manager__12365.exe) wrote to memory of PID 320; procid_target: 27 (7 events)
- PID 320 (explorer.exe) wrote to memory of PID 1164; procid_target: 15 (6 events)
- PID 320 (explorer.exe) wrote to memory of PID 1196; procid_target: 12 (6 events)
- PID 320 (explorer.exe) wrote to memory of PID 964; procid_target: 32 (7 events)
- PID 320 (explorer.exe) wrote to memory of PID 1056; procid_target: 33 (7 events)
- PID 320 (explorer.exe) wrote to memory of PID 1656; procid_target: 35 (7 events)
Processes
- C:\Windows\Explorer.EXE (PID 1196)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe (PID 1340)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe (PID 1240)
      Command line: "C:\Users\Admin\AppData\Local\Temp\CFDI__Manager__12365.exe"
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 320)
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Modifies firewall policy service
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\997us99sm_1.exe (PID 964)
          Command line: /suac
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
        - C:\Users\Admin\AppData\Local\Temp\713mou1w.exe (PID 1056)
          Command line: "C:\Users\Admin\AppData\Local\Temp\713mou1w.exe"
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\gug5c795.exe (PID 1656)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gug5c795.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\Dwm.exe (PID 1164)
  Command line: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- 3 entries with identical hashes:
  MD5: dc9127dc898edcb166176abfc891ee59
  SHA1: 400466e887170c260628143430d08335a88d5298
  SHA256: 4490550a55d971b2305d209e9a9d6fdb4954fb1c4c435d0b1f4e98d84a938074
  SHA512: 85347b252c34c39b8781a592af94de66dc65908c8d2c92a447cc8fca4996eea65e4c0875f891c9372ff51873c05894f846d9e37e965959f4c5c5d0367e0afb4c
- 3 entries with identical hashes (the same hashes as the analysed sample):
  MD5: 5b7c3ff3556606c67a61527f81579eee
  SHA1: 75299ed8a21eebe1b1969e065e80f02ad21d4267
  SHA256: 82e756b74e20e351fe5c695768d7849ebd1cf4f852c53bfafd2388dd5a5aa17f
  SHA512: 6484459bd38bb1e5f6a1ec32f05f71c948431f3e2e08d15a90a1c8779ec9695e0f6a0f062e9a5c26b21ec4cf387dd5e0da47e3f32a04c6b6d9df4930b62e942c
- 2 entries with identical hashes:
  MD5: 4fd50d4173e873a52e7841fe2a3f921e
  SHA1: 4ffd734a7877f78fdf2b65b37e90b2db3be20fe3
  SHA256: 456b6497adb103204e78b1888c75cc73a6e61e8aa1d5eec27eb594f98e0601ed
  SHA512: 5c272aeb5a27d905251d4e41216d69060eebe2d978602f339776486bbb007ea294183921a7c57c8a8dafaf50080df08b411f45610dfebd6a61d7dc28658d8ab0