Analysis
max time kernel: 600s
max time network: 594s
platform: windows10_x64
resource: win10v20210408
submitted: 19-05-2021 08:21
Static task: static1
Behavioral task: behavioral1
  Sample: CFDI_Manager_54704.exe
  Resource: win10v20210410
General
Target: CFDI_Manager_54704.exe
Size: 3.5MB
MD5: f7e4a28f1ed37123d6e0851e573cd640
SHA1: 8068ea253bafbdbdf2647f264d5a8d5405e8772c
SHA256: 3a2c441a96936c089c1444f4cd50436593fcd43a18c80a1699fc6b2d62dd6907
SHA512: 5a370cb4c0e592141dea9c6b2494548105ad108666353f383e06253171df988781dab6c19bebafb5d1107348ffec92cd329cad4aef02ad974eda258b0d4f531d
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
  explorer.exe  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  explorer.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  explorer.exe  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
  explorer.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"

Executes dropped EXE 3 IoCs
Processes: csvr.exe, psi.exe, psi.exe
  PID 1128  csvr.exe
  PID 3792  psi.exe
  PID 500   psi.exe

Sets file execution options in registry 2 TTPs

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
  explorer.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Adds Run key to start application 2 TTPs 4 IoCs
Processes: explorer.exe
  explorer.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\a39o1137.exe"
  explorer.exe  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  explorer.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\a39o1137.exe\""
  explorer.exe  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Checks whether UAC is enabled 1 IoCs
Processes: psi.exe
  psi.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: psi.exe, explorer.exe
  PID 500   psi.exe       (1 call)
  PID 2204  explorer.exe  (8 calls)

Suspicious use of SetThreadContext 1 IoCs
Processes: psi.exe
  PID 3792 (psi.exe) set thread context of PID 500   procid_target 92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text: the report records no file encryption or mass file renaming for this sample.)

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, psi.exe
  explorer.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  psi.exe       Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  psi.exe       Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  explorer.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Delays execution with timeout.exe 5 IoCs
Processes: timeout.exe (x5)
  PID 3952  timeout.exe
  PID 1960  timeout.exe
  PID 1568  timeout.exe
  PID 2316  timeout.exe
  PID 2052  timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
  explorer.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  explorer.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

Kills process with taskkill 2 IoCs
Processes: taskkill.exe (x2)
  PID 3232  taskkill.exe
  PID 2232  taskkill.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
(Zone value 2500 is the "Turn on Protected Mode" setting; 3 turns it off for Local intranet, Trusted sites, Internet and Restricted sites.)

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
  explorer.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"

Modifies Internet Explorer settings 1 IoCs
Processes: explorer.exe
  explorer.exe  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main

Modifies registry class 2 IoCs
Processes: CFDI_Manager_54704.exe, cmd.exe
  CFDI_Manager_54704.exe  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
  cmd.exe                 Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings

Runs ping.exe 1 TTPs 1 IoCs
Processes: PING.EXE
  PID 936  PING.EXE  (row recovered from the process tree: "ping dhgfg sgudy"; pinging names that do not resolve is a common batch-file delay, used here alongside the timeout.exe calls)

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: explorer.exe
  PID 2204  explorer.exe  (64 occurrences)

Suspicious behavior: MapViewOfSection 2 IoCs
Processes: psi.exe
  PID 500  psi.exe  (2 occurrences)

Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes: taskkill.exe, psi.exe, taskkill.exe, explorer.exe
  PID 3232  taskkill.exe  Token: SeDebugPrivilege
  PID 500   psi.exe       Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
  PID 2232  taskkill.exe  Token: SeDebugPrivilege
  PID 2204  explorer.exe  Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
("33" is a privilege LUID the sandbox did not resolve to a name.)

Suspicious use of WriteProcessMemory 56 IoCs
Processes: CFDI_Manager_54704.exe, WScript.exe, cmd.exe, WScript.exe, cmd.exe, psi.exe, psi.exe
  source PID  wrote to PID  source image            procid_target  rows
  1040        700           CFDI_Manager_54704.exe  75             3
  700         200           WScript.exe             76             3
  200         2316          cmd.exe                 78             3
  200         936           cmd.exe                 79             3
  200         1128          cmd.exe                 82             3
  200         2052          cmd.exe                 83             3
  200         4072          cmd.exe                 85             3
  200         3952          cmd.exe                 86             3
  4072        3356          WScript.exe             87             3
  3356        700           cmd.exe                 89             3
  3356        1960          cmd.exe                 90             3
  3356        3792          cmd.exe                 91             3
  3792        500           psi.exe                 92             5
  3356        3232          cmd.exe                 93             3
  3356        2232          cmd.exe                 94             3
  3356        2112          cmd.exe                 95             3
  3356        1568          cmd.exe                 96             3
  500         2204          psi.exe                 97             3
(Every ordinary child launch in this report shows three writes; the 3792 -> 500 edge shows five and is also the only SetThreadContext edge.)

Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe (x2)
  PID 700   attrib.exe
  PID 2112  attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_54704.exe  PID 1040
  command: "C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_54704.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe  PID 700
    command: "C:\Windows\System32\WScript.exe" "C:\site1\conf\pe.vbs"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  PID 200
      command: C:\Windows\system32\cmd.exe /c ""C:\site1\conf\uiy.bat" "
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe  PID 2316
        command: timeout 0
        - Delays execution with timeout.exe
      C:\Windows\SysWOW64\PING.EXE  PID 936
        command: ping dhgfg sgudy
        - Runs ping.exe
      C:\site1\conf\csvr.exe  PID 1128
        command: "csvr.exe" e -p1vartanderkoolermaster lol.rar
        - Executes dropped EXE
      C:\Windows\SysWOW64\timeout.exe  PID 2052
        command: timeout 6
        - Delays execution with timeout.exe
      C:\Windows\SysWOW64\WScript.exe  PID 4072
        command: "C:\Windows\System32\WScript.exe" "C:\site1\conf\biling.vbs"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  PID 3356
          command: C:\Windows\system32\cmd.exe /c ""C:\site1\conf\site.bat" "
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\attrib.exe  PID 700
            command: attrib +s +h "C:\site1\conf"
            - Views/modifies file attributes
          C:\Windows\SysWOW64\timeout.exe  PID 1960
            command: timeout 2
            - Delays execution with timeout.exe
          C:\site1\conf\psi.exe  PID 3792
            command: psi.exe /start
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\site1\conf\psi.exe  PID 500
              command: psi.exe /start
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Checks processor information in registry
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\explorer.exe  PID 2204
                command: C:\Windows\SysWOW64\explorer.exe
                - Modifies firewall policy service
                - Checks BIOS information in registry
                - Adds Run key to start application
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Checks processor information in registry
                - Enumerates system info in registry
                - Modifies Internet Explorer Protected Mode
                - Modifies Internet Explorer Protected Mode Banner
                - Modifies Internet Explorer settings
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\taskkill.exe  PID 3232
            command: taskkill /f /im csvr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\taskkill.exe  PID 2232
            command: taskkill /f /im csvr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\attrib.exe  PID 2112
            command: attrib -s -h "C:\site1\conf\psi.exe"
            - Views/modifies file attributes
          C:\Windows\SysWOW64\timeout.exe  PID 1568
            command: timeout 4
            - Delays execution with timeout.exe
      C:\Windows\SysWOW64\timeout.exe  PID 3952
        command: timeout 7
        - Delays execution with timeout.exe

Notes on the tree: the chain is script-driven (pe.vbs -> uiy.bat -> biling.vbs -> site.bat), with timeout.exe and a ping of unresolvable names used as delays between stages. csvr.exe is run with RAR-style arguments (e = extract, -p<password>) against lol.rar and is then force-killed twice by taskkill. The first psi.exe (PID 3792) sets the thread context of its own child (PID 500), and that child is the process that spawns and writes into the explorer.exe which carries all of the persistence, firewall and Internet Explorer changes; the explorer.exe here is the 32-bit copy under SysWOW64, not the user's shell. PID 700 appears twice (WScript.exe, later attrib.exe) because Windows reused the PID after the first process exited.
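A host sweep for the artifacts this report attributes to the sample, as an added example that is neither the sandbox's nor the sample's code: the expected values come from the registry and file IoCs above; `CurrentControlSet` stands in for the `ControlSet001` path the sandbox logged (it is the live alias of the active control set); the 2500 zone value is Internet Explorer's Protected Mode switch (3 = off); and the live collector uses `winreg`, so only `assess()` runs on a non-Windows analysis box.

```python
"""Host sweep for the registry and file artifacts in this report (added example)."""
import os
import sys

# (hive, key, value name, value the sample sets, meaning); paths from the report,
# with CurrentControlSet substituted for the logged ControlSet001.
CHECKS = [
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", 0, "Windows Firewall off (standard/private profile)"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile",
     "EnableFirewall", 0, "Windows Firewall off (public profile)"),
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main",
     "NoProtectedModeBanner", 1, "IE Protected Mode warning banner suppressed"),
] + [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d" % z,
     "2500", 3, "IE Protected Mode off (zone %d)" % z)
    for z in (1, 2, 3, 4)
]
RUN_KEYS = [("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce")]
PERSIST_NAME = "Google Updater 2.09"          # value name from the Run/RunOnce rows
DROPPED = [r"C:\ProgramData\Google Updater 2.09\a39o1137.exe", r"C:\site1\conf"]


def assess(values, run_entries, present_paths):
    """Pure logic over a snapshot: values = {(hive, key, name): data},
    run_entries = {(hive, key): {value name: data}}, present_paths = existing
    paths. Returns one finding string per matched artifact."""
    findings = []
    for hive, key, name, bad, why in CHECKS:
        if values.get((hive, key, name)) == bad:
            findings.append(f"{why}: {hive}\\{key}\\{name} = {bad}")
    for (hive, key), entries in run_entries.items():
        for name, data in entries.items():
            # match on the value name the sample used or on the dropped binary name
            if name == PERSIST_NAME or "a39o1137.exe" in str(data).lower():
                findings.append(f"persistence: {hive}\\{key}\\{name} = {data}")
    for path in present_paths:
        if path in DROPPED:
            findings.append(f"dropped artifact present: {path}")
    return findings


def collect_windows():
    """Read the live registry and file system (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values, run_entries = {}, {}
    for hive, key, name, _, _ in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                values[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # key or value absent: nothing to flag
    for hive, key in RUN_KEYS:
        entries, i = {}, 0
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                while True:
                    vname, data, _ = winreg.EnumValue(k, i)
                    entries[vname] = data
                    i += 1
        except OSError:
            pass  # end of enumeration or key absent
        run_entries[(hive, key)] = entries
    return values, run_entries, [p for p in DROPPED if os.path.exists(p)]


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being triaged")
    for line in assess(*collect_windows()) or ["no artifacts from this report found"]:
        print(line)
```

Run it as the user whose profile is suspected (the Run, RunOnce and Internet Settings keys are per-user), and from an elevated prompt if you also want the HKLM firewall values to be readable on a hardened build.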
Network
MITRE ATT&CK Enterprise v6
Downloads
Entry 1
  MD5     e349fbe030e2524e041f3f60d110b7c7
  SHA1    763bfa5803bda9d740ff2e31c350e745397308f9
  SHA256  47a1389daec3f031b2232e7e0dcec00b84f0e4e83bff64ccdcd6b9dbd41e64d8
  SHA512  ed583faa84bae3f70b0acf89f7b6da08b34633a0bcb766480375ce18c5a26bb15891406f3657eacbb6367d14c97a79bbbdddc39fcb6410eeec33735b34b10129

Entry 2
  MD5     70f8a68b9e1e00708c64e1d1fec715f4
  SHA1    63247e2afb4b30892d1d23a903393043abc5a214
  SHA256  04cff1c0dbbc09f19df77f4b1d2481440c7f408260e95e661ec33ee542bf3cd7
  SHA512  dd49ac3beefd21484a6e90d8a9d250e63cd2e78bd7fe3916a668316d6b84ec47bb3e6ba680e5a13200e68648d508da0fa5ee4294c425d3f041cee60e86ef4501

Entry 3 (listed twice in the report with identical hashes)
  MD5     397a93800d56a2308bffc872d4a08032
  SHA1    6f5334d51195a521e8a03f0e05ac777b96c77bc4
  SHA256  efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720
  SHA512  7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb

Entry 4
  MD5     b022334d0c60338f90e47e2478873d7a
  SHA1    19c094781ad40ef0efa617cb1fb92d127bdecb7b
  SHA256  c95053b468dd6b1623432f7676b81bbb43480959537da737fe270f4a8d195ca3
  SHA512  34e9bc989e52a53e96a6d0e9c11b5d3c8367f3c16ef73101d63dfc3a9464d559430717df109d32dd1dfcdc67763e8824699701785787cbf0a6a38fdf20a7b16c

Entry 5 (listed three times in the report with identical hashes)
  MD5     7c1588678299109e5bdf37f40102ef99
  SHA1    f1e513bef9fc691d5f2eba139c6805e32f5268ee
  SHA256  a760c1fe14b0202ba3ec08ea035a003600930a61672a1741210580807c7f2d78
  SHA512  6ba93ae483503abce54c013a31624d5b96b7bbf5726cdcb9a7665736732f8f68a498e336767609025595c685b793849571030f90e5690534c7d630c7c89931c7

Entry 6
  MD5     8b653c0a3c307777b9cdc2ec28aac98b
  SHA1    936f2c75461b8a98b55e4d88ccc3e41088e2d584
  SHA256  f37a565dfd33a94efbb04d04bd8dd1f60b1d42bc9427d3fff4060b51fd318e2f
  SHA512  16ca9304fea272ec3b3539024df6496119d26774812f9b0119acef33b2837fa60a91ef0389c84718c51a3483339be671dc548904b39bc35057d868c7e0452cdf

Entry 7
  MD5     f6eb567c6e72344762fe0f1e4223990b
  SHA1    9a200a0c123c22cbca10e6d16f97eeb63835ab2d
  SHA256  2ab47d3082c64105d769c62bf96a8c5d05cd19dba6d7728da291041dbeea4a65
  SHA512  0f49fef4d52d192ece9d228df8fd3acdf9c801c9f6039c0aa6c717d8710a87c41593fbfe1aa2ce45806f5dcd4e8c12562e2a2a20734a16fab88dc661dacd4805

(The report does not pair these hashes with file names; match them against the dropped files named in the process tree, csvr.exe, psi.exe, pe.vbs, uiy.bat, biling.vbs, site.bat and lol.rar, from a copy of C:\site1\conf.)