Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 22-03-2021 15:28

Static task: static1
Behavioral task: behavioral1
Sample: 6A1B1BD71C348B1701B67555A2AC314D.exe
Resource: win7v20201028

General
Target: 6A1B1BD71C348B1701B67555A2AC314D.exe
Size: 829KB
MD5: 6a1b1bd71c348b1701b67555a2ac314d
SHA1: cb6241cc299e72b22035b3a2d15063e93622c409
SHA256: 4241044fce8bace299a5a348c736970be1c89ecaf3aa0f28533486c915b8e1c1
SHA512: 315cdc82eeb209c2b5f60b1c1b9b8827f9a8be81db633f832735347f5828d149d0559cd69be2891df333bd2b605dcc7c912d5772b0476b4e2250bcb92ed99022
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\13yc9k5mg3.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\13yc9k5mg3.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Checks whether UAC is enabled
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6A1B1BD71C348B1701B67555A2AC314D.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, explorer.exe
pid | Process
872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe
description | pid | Process | procid_target
PID 892 set thread context of 872 | 892 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 26
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
1484 | 1884 | WerFault.exe | 31
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, 6A1B1BD71C348B1701B67555A2AC314D.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6A1B1BD71C348B1701B67555A2AC314D.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes: explorer.exe, WerFault.exe
pid | Process
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1484 | WerFault.exe
1484 | WerFault.exe
1484 | WerFault.exe
1484 | WerFault.exe
1484 | WerFault.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, explorer.exe
pid | Process
872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
1520 | explorer.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe
pid | Process
872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, explorer.exe, WerFault.exe
description | pid | Process
Token: SeDebugPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeRestorePrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeBackupPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeLoadDriverPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeCreatePagefilePrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeShutdownPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeTakeOwnershipPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeChangeNotifyPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeCreateTokenPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeMachineAccountPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeSecurityPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeAssignPrimaryTokenPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeCreateGlobalPrivilege | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: 33 | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe
Token: SeDebugPrivilege | 1520 | explorer.exe
Token: SeRestorePrivilege | 1520 | explorer.exe
Token: SeBackupPrivilege | 1520 | explorer.exe
Token: SeLoadDriverPrivilege | 1520 | explorer.exe
Token: SeCreatePagefilePrivilege | 1520 | explorer.exe
Token: SeShutdownPrivilege | 1520 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1520 | explorer.exe
Token: SeChangeNotifyPrivilege | 1520 | explorer.exe
Token: SeCreateTokenPrivilege | 1520 | explorer.exe
Token: SeMachineAccountPrivilege | 1520 | explorer.exe
Token: SeSecurityPrivilege | 1520 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1520 | explorer.exe
Token: SeCreateGlobalPrivilege | 1520 | explorer.exe
Token: 33 | 1520 | explorer.exe
Token: SeDebugPrivilege | 1484 | WerFault.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, 6A1B1BD71C348B1701B67555A2AC314D.exe, explorer.exe
description | pid | Process | procid_target
PID 892 wrote to memory of 872 | 892 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 26
PID 892 wrote to memory of 872 | 892 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 26
PID 892 wrote to memory of 872 | 892 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 26
PID 892 wrote to memory of 872 | 892 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 26
PID 892 wrote to memory of 872 | 892 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 26
PID 892 wrote to memory of 872 | 892 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 26
PID 872 wrote to memory of 1520 | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 30
PID 872 wrote to memory of 1520 | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 30
PID 872 wrote to memory of 1520 | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 30
PID 872 wrote to memory of 1520 | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 30
PID 872 wrote to memory of 1520 | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 30
PID 872 wrote to memory of 1520 | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 30
PID 872 wrote to memory of 1520 | 872 | 6A1B1BD71C348B1701B67555A2AC314D.exe | 30
PID 1520 wrote to memory of 1228 | 1520 | explorer.exe | 12
PID 1520 wrote to memory of 1228 | 1520 | explorer.exe | 12
PID 1520 wrote to memory of 1228 | 1520 | explorer.exe | 12
PID 1520 wrote to memory of 1228 | 1520 | explorer.exe | 12
PID 1520 wrote to memory of 1228 | 1520 | explorer.exe | 12
PID 1520 wrote to memory of 1228 | 1520 | explorer.exe | 12
PID 1520 wrote to memory of 1260 | 1520 | explorer.exe | 11
PID 1520 wrote to memory of 1260 | 1520 | explorer.exe | 11
PID 1520 wrote to memory of 1260 | 1520 | explorer.exe | 11
PID 1520 wrote to memory of 1260 | 1520 | explorer.exe | 11
PID 1520 wrote to memory of 1260 | 1520 | explorer.exe | 11
PID 1520 wrote to memory of 1260 | 1520 | explorer.exe | 11
PID 1520 wrote to memory of 1884 | 1520 | explorer.exe | 31
PID 1520 wrote to memory of 1884 | 1520 | explorer.exe | 31
PID 1520 wrote to memory of 1884 | 1520 | explorer.exe | 31
PID 1520 wrote to memory of 1884 | 1520 | explorer.exe | 31
PID 1520 wrote to memory of 1884 | 1520 | explorer.exe | 31
PID 1520 wrote to memory of 1884 | 1520 | explorer.exe | 31
PID 1520 wrote to memory of 1484 | 1520 | explorer.exe | 32
PID 1520 wrote to memory of 1484 | 1520 | explorer.exe | 32
PID 1520 wrote to memory of 1484 | 1520 | explorer.exe | 32
PID 1520 wrote to memory of 1484 | 1520 | explorer.exe | 32
PID 1520 wrote to memory of 1484 | 1520 | explorer.exe | 32
PID 1520 wrote to memory of 1484 | 1520 | explorer.exe | 32
Processes

C:\Windows\Explorer.EXE (PID 1260)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe (PID 892)
    command line: "C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe (PID 872)
      command line: "C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe"
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe (PID 1520)
        command line: C:\Windows\SysWOW64\explorer.exe
        - Modifies firewall policy service
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

C:\Windows\system32\Dwm.exe (PID 1228)
  command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\system32\DllHost.exe (PID 1884)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe (PID 1484)
    command line: C:\Windows\system32\WerFault.exe -u -p 1884 -s 428
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken