Analysis
-
max time kernel
152s -
max time network
131s -
platform
windows10_x64 -
resource
win10-20220414-es -
resource tags
arch:x64arch:x86image:win10-20220414-eslocale:es-esos:windows10-1703-x64systemwindows -
submitted
18-07-2022 18:24
Static task
static1
General
-
Target
CFDI 826271 71074.exe
-
Size
334.4MB
-
MD5
7ac85137fd754a9a31f724c0c9883162
-
SHA1
26b5f8d21c2ead0eeda43ab571bf6ec1b672910c
-
SHA256
8b39ad4a31e74ca2ff52b3339230fab9793e86a8a7370b64ee63aac3825a0ea7
-
SHA512
957c9a6f9813b9df8275f7a9fc4bb65a56f2c7a653bf6853cc1deaebab0eaf9464c187ba6a3aa65b10f3d7fbefa04345574e752366035c28ae492bdd4c28ef00
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe -
Executes dropped EXE 2 IoCs
Processes:
SETUP_~2.EXESETUP_~2.EXEpid process 1032 SETUP_~2.EXE 1536 SETUP_~2.EXE -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
explorer.exeSETUP_~2.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "xik.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\31y731ug351gw7i.exe SETUP_~2.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\31y731ug351gw7i.exe\DisableExceptionChainValidation SETUP_~2.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
CFDI 826271 71074.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce CFDI 826271 71074.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" CFDI 826271 71074.exe Key created \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java10 = "C:\\ProgramData\\Java10\\31y731ug351gw7i.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java10 = "\"C:\\ProgramData\\Java10\\31y731ug351gw7i.exe\"" explorer.exe -
Processes:
SETUP_~2.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SETUP_~2.EXE -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
SETUP_~2.EXEexplorer.exepid process 1536 SETUP_~2.EXE 3312 explorer.exe 3312 explorer.exe 3312 explorer.exe 3312 explorer.exe 3312 explorer.exe 3312 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SETUP_~2.EXEdescription pid process target process PID 1032 set thread context of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
SETUP_~2.EXEexplorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString SETUP_~2.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 SETUP_~2.EXE -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
powershell.exepowershell.exeSETUP_~2.EXEexplorer.exepid process 2796 powershell.exe 2796 powershell.exe 2796 powershell.exe 4864 powershell.exe 4864 powershell.exe 4864 powershell.exe 1032 SETUP_~2.EXE 1032 SETUP_~2.EXE 3312 explorer.exe 3312 explorer.exe 3312 explorer.exe 3312 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
SETUP_~2.EXEpid process 1536 SETUP_~2.EXE 1536 SETUP_~2.EXE -
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
SETUP_~2.EXEpowershell.exepowershell.exeSETUP_~2.EXEexplorer.exedescription pid process Token: SeDebugPrivilege 1032 SETUP_~2.EXE Token: SeDebugPrivilege 2796 powershell.exe Token: SeDebugPrivilege 4864 powershell.exe Token: SeDebugPrivilege 1536 SETUP_~2.EXE Token: SeRestorePrivilege 1536 SETUP_~2.EXE Token: SeBackupPrivilege 1536 SETUP_~2.EXE Token: SeLoadDriverPrivilege 1536 SETUP_~2.EXE Token: SeCreatePagefilePrivilege 1536 SETUP_~2.EXE Token: SeShutdownPrivilege 1536 SETUP_~2.EXE Token: SeTakeOwnershipPrivilege 1536 SETUP_~2.EXE Token: SeChangeNotifyPrivilege 1536 SETUP_~2.EXE Token: SeCreateTokenPrivilege 1536 SETUP_~2.EXE Token: SeMachineAccountPrivilege 1536 SETUP_~2.EXE Token: SeSecurityPrivilege 1536 SETUP_~2.EXE Token: SeAssignPrimaryTokenPrivilege 1536 SETUP_~2.EXE Token: SeCreateGlobalPrivilege 1536 SETUP_~2.EXE Token: 33 1536 SETUP_~2.EXE Token: SeDebugPrivilege 3312 explorer.exe Token: SeRestorePrivilege 3312 explorer.exe Token: SeBackupPrivilege 3312 explorer.exe Token: SeLoadDriverPrivilege 3312 explorer.exe Token: SeCreatePagefilePrivilege 3312 explorer.exe Token: SeShutdownPrivilege 3312 explorer.exe Token: SeTakeOwnershipPrivilege 3312 explorer.exe Token: SeChangeNotifyPrivilege 3312 explorer.exe Token: SeCreateTokenPrivilege 3312 explorer.exe Token: SeMachineAccountPrivilege 3312 explorer.exe Token: SeSecurityPrivilege 3312 explorer.exe Token: SeAssignPrimaryTokenPrivilege 3312 explorer.exe Token: SeCreateGlobalPrivilege 3312 explorer.exe Token: 33 3312 explorer.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
CFDI 826271 71074.exeSETUP_~2.EXESETUP_~2.EXEdescription pid process target process PID 1232 wrote to memory of 1032 1232 CFDI 826271 71074.exe SETUP_~2.EXE PID 1232 wrote to memory of 1032 1232 CFDI 826271 71074.exe SETUP_~2.EXE PID 1232 wrote to memory of 1032 1232 CFDI 826271 71074.exe SETUP_~2.EXE PID 1032 wrote to memory of 2796 1032 SETUP_~2.EXE powershell.exe PID 1032 wrote to memory of 2796 1032 SETUP_~2.EXE powershell.exe PID 1032 wrote to memory of 2796 1032 SETUP_~2.EXE powershell.exe PID 1032 wrote to memory of 4864 1032 SETUP_~2.EXE powershell.exe PID 1032 wrote to memory of 4864 1032 SETUP_~2.EXE powershell.exe PID 1032 wrote to memory of 4864 1032 SETUP_~2.EXE powershell.exe PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1032 wrote to memory of 1536 1032 SETUP_~2.EXE SETUP_~2.EXE PID 1536 wrote to memory of 3312 1536 SETUP_~2.EXE explorer.exe PID 1536 wrote to memory of 3312 1536 SETUP_~2.EXE explorer.exe PID 1536 wrote to memory of 3312 1536 SETUP_~2.EXE explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe"C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA3AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b42b8394f52b01b93879625688c3d79d
SHA13ed5877ab13e7655482c19e8b7511f8b2bfcdbb3
SHA256b7b0a0ab5e777b74a8d7ec285804091eb3a4c71fcc2c57cddfa8541d05409cdd
SHA51286357e54c29ee9c107b5655d457121f35117565fae4fdd018e56079eb7ca012e4afe0a5d5562bc2996b932b02450ad0fbb7f27047315b524138a0fe08c4f79c2
-
Filesize
45KB
MD55f640bd48e2547b4c1a7421f080f815f
SHA1a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a
SHA256916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c
SHA512a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e
-
Filesize
16KB
MD53091e669afaea28bddb5ecacae736cdf
SHA130bed888f86a67553184dd3231e31b81ce0267a3
SHA256037181cfc8fd9470761f9ee34e3dd40872c1980e943d88f393029d4b22887f88
SHA512068e2f6e69950884ac2edc8ccc3475c45862378a7746c2fd0bed093cc062ea2875b39bd8d3953b563f2e5729b24dafc2af4abf78c0b349e046a585bdb7ac822d
-
Filesize
333.9MB
MD5f51a742f76121dd26e772ddbd8ae7621
SHA15f7c14aca06c7d6a56fb33339fd6f118a68f5751
SHA2564703f4ade6f2469b9c785d4ebbca86bee3bb53405d58e553dbf70b9edc151a64
SHA512644522827ba22afd8db0c501c5ecdf9a14c9a1dbb33c8cc3c0a1ba02346f1266d5d75e4fdc0fff8c880acd889cad523377b3bfd158eb4e710fe338d49957b4e0
-
Filesize
333.9MB
MD5f51a742f76121dd26e772ddbd8ae7621
SHA15f7c14aca06c7d6a56fb33339fd6f118a68f5751
SHA2564703f4ade6f2469b9c785d4ebbca86bee3bb53405d58e553dbf70b9edc151a64
SHA512644522827ba22afd8db0c501c5ecdf9a14c9a1dbb33c8cc3c0a1ba02346f1266d5d75e4fdc0fff8c880acd889cad523377b3bfd158eb4e710fe338d49957b4e0
-
Filesize
272.5MB
MD55d6188c63f1575fce9fb4bee4340999c
SHA17abfc8cb3a48e18943ece9b0ebb2e7ad71386eeb
SHA25670e200068fe9e79c48e584232041d82dd29c7f5658f5cc1a2f69e839bc5addd0
SHA5129c3c452b4cc2f0ece75de7c2465e08c7ddc6501f5aed7db8c48d11c2475a43e553ac102e4eccab5ec73b163fdddd7f890a1858efc68a5182641e0865061f284a