Analysis
max time kernel: 298s
max time network: 297s
platform: windows10_x64
resource: win10v20210410
submitted: 19-05-2021 08:21
Static task: static1
Behavioral task: behavioral1
Sample: CFDI_Manager_54704.exe
Resource: win10v20210410
General
Target: CFDI_Manager_54704.exe
Size: 3.5MB
MD5: f7e4a28f1ed37123d6e0851e573cd640
SHA1: 8068ea253bafbdbdf2647f264d5a8d5405e8772c
SHA256: 3a2c441a96936c089c1444f4cd50436593fcd43a18c80a1699fc6b2d62dd6907
SHA512: 5a370cb4c0e592141dea9c6b2494548105ad108666353f383e06253171df988781dab6c19bebafb5d1107348ffec92cd329cad4aef02ad974eda258b0d4f531d
Malware Config

Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Executes dropped EXE 3 IoCs
Processes:
pid | Process
2144 | csvr.exe
3952 | psi.exe
776 | psi.exe
Sets file execution options in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\a1siic1533933q.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\a1siic1533933q.exe\"" | explorer.exe
Checks whether UAC is enabled
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | psi.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
pid | Process | occurrences
776 | psi.exe | 1
692 | explorer.exe | 8
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid Process | procid_target
PID 3952 set thread context of 776 | 3952 psi.exe | 93
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | psi.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | psi.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Delays execution with timeout.exe 5 IoCs
Processes:
pid | Process
944 | timeout.exe
2836 | timeout.exe
1440 | timeout.exe
3668 | timeout.exe
2100 | timeout.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Kills process with taskkill 2 IoCs
Processes:
pid | Process
2152 | taskkill.exe
3976 | taskkill.exe
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Modifies registry class 2 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | CFDI_Manager_54704.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | cmd.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
pid | Process | occurrences
692 | explorer.exe | 58
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
pid | Process | occurrences
776 | psi.exe | 2
692 | explorer.exe | 2
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
pid Process | Tokens
776 psi.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
2152 taskkill.exe | SeDebugPrivilege
3976 taskkill.exe | SeDebugPrivilege
692 explorer.exe | SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory 60 IoCs
Processes:
description | pid Process | procid_target | occurrences
PID 1832 wrote to memory of 2116 | 1832 CFDI_Manager_54704.exe | 76 | 3
PID 2116 wrote to memory of 2584 | 2116 WScript.exe | 77 | 3
PID 2584 wrote to memory of 3668 | 2584 cmd.exe | 79 | 3
PID 2584 wrote to memory of 3552 | 2584 cmd.exe | 80 | 3
PID 2584 wrote to memory of 2144 | 2584 cmd.exe | 84 | 3
PID 2584 wrote to memory of 2100 | 2584 cmd.exe | 85 | 3
PID 2584 wrote to memory of 3336 | 2584 cmd.exe | 86 | 3
PID 2584 wrote to memory of 944 | 2584 cmd.exe | 87 | 3
PID 3336 wrote to memory of 2360 | 3336 WScript.exe | 88 | 3
PID 2360 wrote to memory of 2756 | 2360 cmd.exe | 90 | 3
PID 2360 wrote to memory of 2836 | 2360 cmd.exe | 91 | 3
PID 2360 wrote to memory of 3952 | 2360 cmd.exe | 92 | 3
PID 3952 wrote to memory of 776 | 3952 psi.exe | 93 | 5
PID 2360 wrote to memory of 2152 | 2360 cmd.exe | 94 | 3
PID 2360 wrote to memory of 3976 | 2360 cmd.exe | 95 | 3
PID 776 wrote to memory of 692 | 776 psi.exe | 97 | 3
PID 2360 wrote to memory of 2144 | 2360 cmd.exe | 96 | 3
PID 2360 wrote to memory of 1440 | 2360 cmd.exe | 98 | 3
PID 692 wrote to memory of 2584 | 692 explorer.exe | 77 | 2
PID 692 wrote to memory of 944 | 692 explorer.exe | 87 | 2
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid | Process
2756 | attrib.exe
2144 | attrib.exe
Processes
(Indentation shows the parent/child relationship of the process tree.)

C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_54704.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_54704.exe"
  PID: 1832
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\site1\conf\pe.vbs"
    PID: 2116
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\site1\conf\uiy.bat" "
      PID: 2584
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 0
        PID: 3668
        - Delays execution with timeout.exe

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping dhgfg sgudy
        PID: 3552
        - Runs ping.exe

      C:\site1\conf\csvr.exe
        Command line: "csvr.exe" e -p1vartanderkoolermaster lol.rar
        PID: 2144
        - Executes dropped EXE

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 6
        PID: 2100
        - Delays execution with timeout.exe

      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\site1\conf\biling.vbs"
        PID: 3336
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\site1\conf\site.bat" "
          PID: 2360
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +s +h "C:\site1\conf"
            PID: 2756
            - Views/modifies file attributes

          C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 2
            PID: 2836
            - Delays execution with timeout.exe

          C:\site1\conf\psi.exe
            Command line: psi.exe /start
            PID: 3952
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\site1\conf\psi.exe
              Command line: psi.exe /start
              PID: 776
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Checks processor information in registry
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

              C:\Windows\SysWOW64\explorer.exe
                Command line: C:\Windows\SysWOW64\explorer.exe
                PID: 692
                - Modifies firewall policy service
                - Checks BIOS information in registry
                - Adds Run key to start application
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Checks processor information in registry
                - Enumerates system info in registry
                - Modifies Internet Explorer Protected Mode
                - Modifies Internet Explorer Protected Mode Banner
                - Modifies Internet Explorer settings
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im csvr.exe
            PID: 2152
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im csvr.exe
            PID: 3976
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -s -h "C:\site1\conf\psi.exe"
            PID: 2144
            - Views/modifies file attributes

          C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 4
            PID: 1440
            - Delays execution with timeout.exe

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 7
        PID: 944
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: e349fbe030e2524e041f3f60d110b7c7
SHA1: 763bfa5803bda9d740ff2e31c350e745397308f9
SHA256: 47a1389daec3f031b2232e7e0dcec00b84f0e4e83bff64ccdcd6b9dbd41e64d8
SHA512: ed583faa84bae3f70b0acf89f7b6da08b34633a0bcb766480375ce18c5a26bb15891406f3657eacbb6367d14c97a79bbbdddc39fcb6410eeec33735b34b10129

MD5: 70f8a68b9e1e00708c64e1d1fec715f4
SHA1: 63247e2afb4b30892d1d23a903393043abc5a214
SHA256: 04cff1c0dbbc09f19df77f4b1d2481440c7f408260e95e661ec33ee542bf3cd7
SHA512: dd49ac3beefd21484a6e90d8a9d250e63cd2e78bd7fe3916a668316d6b84ec47bb3e6ba680e5a13200e68648d508da0fa5ee4294c425d3f041cee60e86ef4501

MD5: 397a93800d56a2308bffc872d4a08032
SHA1: 6f5334d51195a521e8a03f0e05ac777b96c77bc4
SHA256: efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720
SHA512: 7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

MD5: 397a93800d56a2308bffc872d4a08032
SHA1: 6f5334d51195a521e8a03f0e05ac777b96c77bc4
SHA256: efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720
SHA512: 7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

MD5: b022334d0c60338f90e47e2478873d7a
SHA1: 19c094781ad40ef0efa617cb1fb92d127bdecb7b
SHA256: c95053b468dd6b1623432f7676b81bbb43480959537da737fe270f4a8d195ca3
SHA512: 34e9bc989e52a53e96a6d0e9c11b5d3c8367f3c16ef73101d63dfc3a9464d559430717df109d32dd1dfcdc67763e8824699701785787cbf0a6a38fdf20a7b16c

MD5: 7c1588678299109e5bdf37f40102ef99
SHA1: f1e513bef9fc691d5f2eba139c6805e32f5268ee
SHA256: a760c1fe14b0202ba3ec08ea035a003600930a61672a1741210580807c7f2d78
SHA512: 6ba93ae483503abce54c013a31624d5b96b7bbf5726cdcb9a7665736732f8f68a498e336767609025595c685b793849571030f90e5690534c7d630c7c89931c7

MD5: 7c1588678299109e5bdf37f40102ef99
SHA1: f1e513bef9fc691d5f2eba139c6805e32f5268ee
SHA256: a760c1fe14b0202ba3ec08ea035a003600930a61672a1741210580807c7f2d78
SHA512: 6ba93ae483503abce54c013a31624d5b96b7bbf5726cdcb9a7665736732f8f68a498e336767609025595c685b793849571030f90e5690534c7d630c7c89931c7

MD5: 7c1588678299109e5bdf37f40102ef99
SHA1: f1e513bef9fc691d5f2eba139c6805e32f5268ee
SHA256: a760c1fe14b0202ba3ec08ea035a003600930a61672a1741210580807c7f2d78
SHA512: 6ba93ae483503abce54c013a31624d5b96b7bbf5726cdcb9a7665736732f8f68a498e336767609025595c685b793849571030f90e5690534c7d630c7c89931c7

MD5: 8b653c0a3c307777b9cdc2ec28aac98b
SHA1: 936f2c75461b8a98b55e4d88ccc3e41088e2d584
SHA256: f37a565dfd33a94efbb04d04bd8dd1f60b1d42bc9427d3fff4060b51fd318e2f
SHA512: 16ca9304fea272ec3b3539024df6496119d26774812f9b0119acef33b2837fa60a91ef0389c84718c51a3483339be671dc548904b39bc35057d868c7e0452cdf

MD5: f6eb567c6e72344762fe0f1e4223990b
SHA1: 9a200a0c123c22cbca10e6d16f97eeb63835ab2d
SHA256: 2ab47d3082c64105d769c62bf96a8c5d05cd19dba6d7728da291041dbeea4a65
SHA512: 0f49fef4d52d192ece9d228df8fd3acdf9c801c9f6039c0aa6c717d8710a87c41593fbfe1aa2ce45806f5dcd4e8c12562e2a2a20734a16fab88dc661dacd4805