Analysis
-
max time kernel
121s -
max time network
129s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
03-12-2021 07:01
Static task
static1
Behavioral task
behavioral1
Sample
CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
Resource
win10-en-20211014
General
-
Target
CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
-
Size
3.0MB
-
MD5
22ad4f47ce82a255765f2e96b61d78c8
-
SHA1
c260d25d8e49d342d86a3231ff112b9707dc8d8a
-
SHA256
cec4e2234a72035a6c3f4144cccf9ec49f34f56a2a212981606f979be1b85adf
-
SHA512
6eca6d26d8809415c410ca2343adc221dca9c996de4f81fd3765dc53605eb4793b0c655deed31b011382352a7b69370df4eeb239fbcdc474e1d4c876db1328a3
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" iexplore.exe -
Downloads MZ/PE file
-
Processes:
RegAsm.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" RegAsm.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
iexplore.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts iexplore.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" iexplore.exe -
Processes:
RegAsm.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RegAsm.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exeRegAsm.exeiexplore.exedescription pid process target process PID 1332 set thread context of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 856 set thread context of 964 856 RegAsm.exe iexplore.exe PID 964 set thread context of 1964 964 iexplore.exe iexplore.exe PID 964 set thread context of 1780 964 iexplore.exe iexplore.exe PID 964 set thread context of 308 964 iexplore.exe iexplore.exe PID 964 set thread context of 1740 964 iexplore.exe iexplore.exe PID 964 set thread context of 1732 964 iexplore.exe iexplore.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exeRegAsm.exepid process 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe 856 RegAsm.exe 856 RegAsm.exe 856 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exeiexplore.exeiexplore.exedescription pid process Token: SeDebugPrivilege 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe Token: SeDebugPrivilege 964 iexplore.exe Token: SeDebugPrivilege 1964 iexplore.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
RegAsm.exeiexplore.exepid process 856 RegAsm.exe 964 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exeRegAsm.exeiexplore.exedescription pid process target process PID 1332 wrote to memory of 1620 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 1620 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 1620 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 1620 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 1620 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 1620 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 1620 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 1332 wrote to memory of 856 1332 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe RegAsm.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 856 wrote to memory of 964 856 RegAsm.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1964 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1780 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 308 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1740 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1740 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1740 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1740 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1740 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1740 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1740 964 iexplore.exe iexplore.exe PID 964 wrote to memory of 1740 964 iexplore.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe"C:\Users\Admin\AppData\Local\Temp\CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj0.txt"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj1.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj2.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj3.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj4.txt"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj2.txtMD5
f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\jvwupjsgj4.txtMD5
f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/308-72-0x0000000000442F04-mapping.dmp
-
memory/856-61-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/856-67-0x0000000000160000-0x0000000000166000-memory.dmpFilesize
24KB
-
memory/856-68-0x0000000000160000-0x000000000016A000-memory.dmpFilesize
40KB
-
memory/856-62-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/856-64-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/856-63-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/856-65-0x00000000004010B8-mapping.dmp
-
memory/964-69-0x0000000000401364-mapping.dmp
-
memory/1332-55-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/1332-60-0x00000000094D0000-0x0000000009688000-memory.dmpFilesize
1.7MB
-
memory/1332-59-0x00000000051C5000-0x00000000051D6000-memory.dmpFilesize
68KB
-
memory/1332-58-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/1332-57-0x00000000757A1000-0x00000000757A3000-memory.dmpFilesize
8KB
-
memory/1732-75-0x000000000040C2A8-mapping.dmp
-
memory/1740-74-0x0000000000413750-mapping.dmp
-
memory/1780-71-0x0000000000411654-mapping.dmp
-
memory/1964-70-0x0000000000423BC0-mapping.dmp