Analysis
- max time kernel: 134s
- max time network: 133s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 03-12-2021 07:01
Static task: static1
Behavioral task: behavioral1
- Sample: CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
- Resource: win10-en-20211014
General
- Target: CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
- Size: 3.0MB
- MD5: 22ad4f47ce82a255765f2e96b61d78c8
- SHA1: c260d25d8e49d342d86a3231ff112b9707dc8d8a
- SHA256: cec4e2234a72035a6c3f4144cccf9ec49f34f56a2a212981606f979be1b85adf
- SHA512: 6eca6d26d8809415c410ca2343adc221dca9c996de4f81fd3765dc53605eb4793b0c655deed31b011382352a7b69370df4eeb239fbcdc474e1d4c876db1328a3
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: iexplore.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (process: iexplore.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" (process: iexplore.exe)
- Downloads MZ/PE file
- (signature name missing from source)
  Processes: RegAsm.exe
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" (process: RegAsm.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: iexplore.exe
    Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: iexplore.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" (process: iexplore.exe)
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: iexplore.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5 = "C:\\Users\\Admin\\AppData\\Roaming\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5\\N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe" (process: iexplore.exe)
- (signature name missing from source)
  Processes: RegAsm.exe
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: RegAsm.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe, RegAsm.exe
    PID 3020 (CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe) set thread context of PID 2084 (RegAsm.exe)
    PID 2084 (RegAsm.exe) set thread context of PID 416 (iexplore.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: RegAsm.exe
    PID 2084 RegAsm.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe, iexplore.exe
    Token: SeDebugPrivilege, PID 3020 CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe
    Token: SeDebugPrivilege, PID 416 iexplore.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: RegAsm.exe, iexplore.exe
    PID 2084 RegAsm.exe
    PID 416 iexplore.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe, RegAsm.exe
    PID 3020 (CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe) wrote to memory of PID 2084 (RegAsm.exe) (7 occurrences)
    PID 2084 (RegAsm.exe) wrote to memory of PID 416 (iexplore.exe) (8 occurrences)
- System policy modification (1 TTPs, 1 IoCs)
  Processes: RegAsm.exe
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: RegAsm.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CPINV_DEC_02_0200202177199554_PY_2009545682211268563_Pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/416-127-0x0000000000401364-mapping.dmp
- memory/2084-123-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2084-128-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2084-126-0x00000000012A0000-0x00000000012AA000-memory.dmp (Filesize: 40KB)
- memory/2084-125-0x00000000012A0000-0x00000000012A6000-memory.dmp (Filesize: 24KB)
- memory/2084-124-0x00000000004010B8-mapping.dmp
- memory/3020-119-0x0000000005860000-0x0000000005D5E000-memory.dmp (Filesize: 5.0MB)
- memory/3020-122-0x000000000A510000-0x000000000A6C8000-memory.dmp (Filesize: 1.7MB)
- memory/3020-121-0x0000000005860000-0x0000000005D5E000-memory.dmp (Filesize: 5.0MB)
- memory/3020-120-0x00000000058B0000-0x00000000058B1000-memory.dmp (Filesize: 4KB)
- memory/3020-115-0x0000000000D60000-0x0000000000D61000-memory.dmp (Filesize: 4KB)
- memory/3020-118-0x0000000005900000-0x0000000005901000-memory.dmp (Filesize: 4KB)
- memory/3020-117-0x0000000005D60000-0x0000000005D61000-memory.dmp (Filesize: 4KB)