Analysis
- max time kernel: 147s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-03-2021 15:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6A1B1BD71C348B1701B67555A2AC314D.exe
- Resource: win7v20201028
General
- Target: 6A1B1BD71C348B1701B67555A2AC314D.exe
- Size: 829KB
- MD5: 6a1b1bd71c348b1701b67555a2ac314d
- SHA1: cb6241cc299e72b22035b3a2d15063e93622c409
- SHA256: 4241044fce8bace299a5a348c736970be1c89ecaf3aa0f28533486c915b8e1c1
- SHA512: 315cdc82eeb209c2b5f60b1c1b9b8827f9a8be81db633f832735347f5828d149d0559cd69be2891df333bd2b605dcc7c912d5772b0476b4e2250bcb92ed99022
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
Executes dropped EXE (1 IoCs)
Processes: 9e3my3i53m5m_1.exe
- PID 2120: 9e3my3i53m5m_1.exe
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\9e3my3i53m5m.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\9e3my3i53m5m.exe\"" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\9e3my3i53m5m.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
Checks whether UAC is enabled (1 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (6A1B1BD71C348B1701B67555A2AC314D.exe)
Drops desktop.ini file(s) (1 IoCs)
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, explorer.exe
- PID 3960: 6A1B1BD71C348B1701B67555A2AC314D.exe (1 entry)
- PID 1280: explorer.exe (11 entries)
Suspicious use of SetThreadContext (2 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, 9e3my3i53m5m_1.exe
- PID 1404 set thread context of 3960 (pid 1404, 6A1B1BD71C348B1701B67555A2AC314D.exe, procid_target 74)
- PID 2120 set thread context of 0 (pid 2120, 9e3my3i53m5m_1.exe)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (6A1B1BD71C348B1701B67555A2AC314D.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (6A1B1BD71C348B1701B67555A2AC314D.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
Modifies Internet Explorer settings (3 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
NTFS ADS (2 IoCs)
Processes: explorer.exe
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\9e3my3i53m5m_1.exe:14EDFC78 (explorer.exe)
- File created: C:\Users\Admin\AppData\Local\Temp\9e3my3i53m5m_1.exe:14EDFC78 (explorer.exe)
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes: explorer.exe
- PID 1280: explorer.exe (32 entries)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe
- PID 3960: 6A1B1BD71C348B1701B67555A2AC314D.exe (2 entries)
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe
- PID 3960: 6A1B1BD71C348B1701B67555A2AC314D.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, explorer.exe
- PID 3960 (6A1B1BD71C348B1701B67555A2AC314D.exe), tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 1280 (explorer.exe), tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 6A1B1BD71C348B1701B67555A2AC314D.exe, explorer.exe
- PID 1404 wrote to memory of 3960 (pid 1404, 6A1B1BD71C348B1701B67555A2AC314D.exe, procid_target 74) (5 entries)
- PID 3960 wrote to memory of 1280 (pid 3960, 6A1B1BD71C348B1701B67555A2AC314D.exe, procid_target 77) (3 entries)
- PID 1280 wrote to memory of 2120 (pid 1280, explorer.exe, procid_target 81) (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe (PID 1404)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe (PID 3960)
      Command line: "C:\Users\Admin\AppData\Local\Temp\6A1B1BD71C348B1701B67555A2AC314D.exe"
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe (PID 1280)
         Command line: C:\Windows\SysWOW64\explorer.exe
         - Modifies firewall policy service
         - Checks BIOS information in registry
         - Adds Run key to start application
         - Drops desktop.ini file(s)
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Checks processor information in registry
         - Enumerates system info in registry
         - Modifies Internet Explorer Protected Mode
         - Modifies Internet Explorer Protected Mode Banner
         - Modifies Internet Explorer settings
         - NTFS ADS
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\9e3my3i53m5m_1.exe (PID 2120)
            Command line: /suac
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 6a1b1bd71c348b1701b67555a2ac314d
- SHA1: cb6241cc299e72b22035b3a2d15063e93622c409
- SHA256: 4241044fce8bace299a5a348c736970be1c89ecaf3aa0f28533486c915b8e1c1
- SHA512: 315cdc82eeb209c2b5f60b1c1b9b8827f9a8be81db633f832735347f5828d149d0559cd69be2891df333bd2b605dcc7c912d5772b0476b4e2250bcb92ed99022