Analysis
-
max time kernel: 148s
max time network: 50s
platform: windows7_x64
resource: win7v200722
submitted: 04-09-2020 05:26
Static task: static1
Behavioral task: behavioral1
Sample: div.exe
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds
General
-
Target: div.exe
Size: 476KB
MD5: 1fab5b2e8a75f5e6d0ab336c75a45d3e
SHA1: a77526cc5cdf4ea8abb31a6324c2282f1db351c9
SHA256: 973b3d66cf3f04d5be0e10dfa5ab24fbc8c5d2b58cc5728d81a448dbe079f4e6
SHA512: a47e0ad3700c1005064170964ae3e3e09d63f9a08e3723f1a880023f5333a53d85859ed866570e14e03283664514b35c3d588761d07413b1261de70ab5a52508
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
-
Sets file execution options in registry (2 TTPs)
-
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
-
Loads dropped DLL (1 IoC)
Processes: rundll32.exe
- PID 1376 rundll32.exe
-
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\emm519ey95u55.exe\"" (explorer.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\emm519ey95u55.exe\"" (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\emm519ey95u55.exe" (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
-
Checks whether UAC is enabled (1 IoC)
Processes: cmd.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cmd.exe)
-
Drops desktop.ini file(s) (1 IoC)
Processes: explorer.exe
- File opened for modification C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: cmd.exe, explorer.exe
- PID 1812 cmd.exe (1 call)
- PID 1588 explorer.exe (8 calls)
-
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: cmd.exe, explorer.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (cmd.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (cmd.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
-
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
-
Modifies Internet Explorer settings (4 IoCs)
Processes: explorer.exe
- Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
-
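The registry IoCs above (EnableFirewall set to "0" in two firewall profiles, Run/RunOnce entries named "Google Updater 2.0", BIOS and CPU reads, the EnableLUA query) are exactly the lines a detection engineer turns into rules. The following Python is an added example, not part of the report and not the sandbox's own tooling: it parses IoC lines in the report's own "operation path = value" format, buckets them into the behaviours the signatures name, and recovers the persistence executable from the escaped Run-key value. The sample lines are copied from the tables above; the ProductName line is a constructed benign control, and the category names are this example's own.

```python
"""Bucket sandbox-report registry IoC lines into the behaviours the report's
signatures name.  Added example, not part of the report or the sandbox's own
tooling.  Sample lines are copied from the report; the 'ProductName' line is a
constructed benign control.  Category names are this example's own."""
import re
from collections import defaultdict

SAMPLE_IOCS = [
    # Modifies firewall policy service
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"',
    # Checks BIOS / processor information (sandbox fingerprinting)
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString',
    # Adds Run key to start application (note the report's escaping of the value)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\emm519ey95u55.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\emm519ey95u55.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\emm519ey95u55.exe"',
    # Checks whether UAC is enabled
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA',
    # Modifies Internet Explorer settings
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"',
    # Constructed benign control line, not from the report
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName',
]

# operation, then the key/value path, then an optional  = "value"  tail.
# The path is matched lazily so key names containing spaces still parse.
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key value queried|Key opened) '
    r'(?P<path>.+?)(?: = "(?P<value>.*)")?$'
)


def classify_ioc(op, path, value):
    """Map one registry event to the behaviour it evidences, or None if benign."""
    p = path.lower()
    writes = op.startswith('Set value')
    if writes and '\\firewallpolicy\\' in p and p.endswith('\\enablefirewall') and value == '0':
        return 'firewall_disabled'
    if writes and re.search(r'\\currentversion\\run(once)?\\', p):
        return 'run_key_persistence'
    if p.endswith('\\policies\\system\\enablelua'):
        return 'uac_check'
    if p.startswith('\\registry\\machine\\hardware\\description\\system\\'):
        return 'hardware_fingerprint'      # BIOS / CPU reads used to spot sandboxes
    if writes and '\\software\\microsoft\\internet explorer\\' in p:
        return 'ie_settings_modified'
    return None


def classify(lines):
    """Return {category: [(path, value), ...]}; unparseable lines are skipped."""
    findings = defaultdict(list)
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        category = classify_ioc(m['op'], m['path'], m['value'])
        if category:
            findings[category].append((m['path'], m['value']))
    return dict(findings)


def unquote_value(value):
    r"""Undo the report's escaping (\" -> " and \\ -> \) and drop wrapping quotes."""
    return value.replace('\\"', '"').replace('\\\\', '\\').strip('"')


def persistence_targets(findings):
    """Distinct executables registered for autostart via Run/RunOnce values."""
    return {unquote_value(v) for _, v in findings.get('run_key_persistence', []) if v}


if __name__ == '__main__':
    result = classify(SAMPLE_IOCS)
    for category, events in sorted(result.items()):
        print(f'{category}: {len(events)} event(s)')
    print('autostart targets:', persistence_targets(result))
```

Because lines that do not match the pattern are skipped, the whole IoC section of a report can be fed in unfiltered. The three Run/RunOnce values differ in their quoting yet resolve to the same executable, which is why the unquoting step matters before comparing or pivoting on the path.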
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: rundll32.exe, explorer.exe
- PID 1376 rundll32.exe (2 events)
- PID 1588 explorer.exe (12 events)
-
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: rundll32.exe, cmd.exe, explorer.exe
- PID 1376 rundll32.exe (2 events)
- PID 1812 cmd.exe (2 events)
- PID 1588 explorer.exe (3 events)
-
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: cmd.exe, explorer.exe
PID 1812 cmd.exe and PID 1588 explorer.exe each adjust the same 14 privileges on their token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, and privilege 33.
-
Suspicious use of WriteProcessMemory (78 IoCs)
Processes: div.exe, rundll32.exe, cmd.exe, explorer.exe
Collapsed by writer and target; the original table lists one row per write:
- PID 1508 div.exe wrote to memory of PID 1376 rundll32.exe (7 writes)
- PID 1376 rundll32.exe wrote to memory of PID 1820 cmd.exe (5 writes)
- PID 1376 rundll32.exe wrote to memory of PID 1812 cmd.exe (the remaining rows, by far the largest group)
- PID 1812 cmd.exe wrote to memory of PID 1588 explorer.exe (7 writes)
- PID 1588 explorer.exe wrote to memory of PID 1176 Dwm.exe (4 writes)
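The WriteProcessMemory table is easier to read as a graph than as 78 rows. The following Python is an added example, not part of the report: it collapses "PID A wrote to memory of B" rows into per-pair counts, walks the chain of writes outward from the submitted sample, and flags writes whose target is not a child of the writer, which is what the explorer.exe to Dwm.exe write is. The excerpt is a constructed, abbreviated subset of the report's rows (same PIDs and image names, fewer repeats), and the parent/child set is copied from the process tree that follows.

```python
"""Collapse a sandbox report's 'PID A wrote to memory of B' table into per-edge
counts, walk the injection chain, and flag writes into non-child processes.
Added example, not part of the report.  SAMPLE_WPM is a constructed,
abbreviated excerpt of the report's rows; SAMPLE_TREE mirrors its process tree."""
import re
from collections import Counter

SAMPLE_WPM = (
    "PID 1508 wrote to memory of 1376 1508 div.exe rundll32.exe "
    "PID 1508 wrote to memory of 1376 1508 div.exe rundll32.exe "
    "PID 1376 wrote to memory of 1820 1376 rundll32.exe cmd.exe "
    "PID 1376 wrote to memory of 1812 1376 rundll32.exe cmd.exe "
    "PID 1376 wrote to memory of 1812 1376 rundll32.exe cmd.exe "
    "PID 1376 wrote to memory of 1812 1376 rundll32.exe cmd.exe "
    "PID 1812 wrote to memory of 1588 1812 cmd.exe explorer.exe "
    "PID 1812 wrote to memory of 1588 1812 cmd.exe explorer.exe "
    "PID 1588 wrote to memory of 1176 1588 explorer.exe Dwm.exe"
)

# (parent PID, child PID) pairs as shown in the report's process tree.
SAMPLE_TREE = {(1508, 1376), (1376, 1820), (1376, 1812), (1812, 1588)}

# Row format: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)')


def collapse_edges(blob):
    """Return Counter{(src_pid, src_image, dst_pid, dst_image): write_count}."""
    edges = Counter()
    for src, dst, src_name, dst_name in WPM_RE.findall(blob):
        edges[(int(src), src_name, int(dst), dst_name)] += 1
    return edges


def injection_chains(edges, root_pid):
    """Every writer->target path starting at root_pid, rendered as
    'image(pid) -> image(pid) -> ...'.  Targets are visited in PID order."""
    by_src, names = {}, {}
    for src, src_name, dst, dst_name in edges:
        by_src.setdefault(src, set()).add(dst)
        names[src], names[dst] = src_name, dst_name
    chains = []

    def walk(pid, path):
        label = f"{names.get(pid, '?')}({pid})"
        if label in path:                       # cycle guard (mutual injection)
            chains.append(" -> ".join(path + [label, "<cycle>"]))
            return
        path = path + [label]
        targets = sorted(by_src.get(pid, ()))
        if not targets:
            chains.append(" -> ".join(path))
            return
        for target in targets:
            walk(target, path)

    walk(root_pid, [])
    return chains


def writes_outside_tree(edges, parent_child):
    """(writer, target) pairs where the target is not the writer's child:
    memory written into an unrelated, already-running process rather than
    into a process the writer itself spawned."""
    return sorted({(src, dst) for src, _, dst, _ in edges if (src, dst) not in parent_child})


if __name__ == '__main__':
    edges = collapse_edges(SAMPLE_WPM)
    for (src, sn, dst, dn), n in sorted(edges.items()):
        print(f"{sn}({src}) -> {dn}({dst}): {n} write(s)")
    for chain in injection_chains(edges, 1508):
        print(chain)
    print("writes into non-child processes:", writes_outside_tree(edges, SAMPLE_TREE))
```

Writes into a freshly spawned child are consistent with hollowing or injection at process start; the write from explorer.exe (PID 1588) into Dwm.exe (PID 1176), a process it did not create, is the one that stands out in this report and is what the last function isolates.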
Processes
-
Indentation shows parent/child depth. PIDs are taken from the IoC tables above; the first cmd.exe is PID 1820 by elimination (rundll32.exe wrote to both 1820 and 1812, and only 1812 carries signatures).

C:\Windows\system32\Dwm.exe   cmdline: "C:\Windows\system32\Dwm.exe"   (PID 1176)
C:\Windows\Explorer.EXE   cmdline: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\div.exe   cmdline: "C:\Users\Admin\AppData\Local\Temp\div.exe"   (PID 1508)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe   cmdline: rundll32.exe ShoonCataclysm,Uboats   (PID 1376)
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe   cmdline: "C:\Windows\system32\cmd.exe"   (PID 1820, no signatures)
      C:\Windows\SysWOW64\cmd.exe   cmdline: "C:\Windows\system32\cmd.exe"   (PID 1812)
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe   cmdline: C:\Windows\SysWOW64\explorer.exe   (PID 1588; a 32-bit explorer.exe started by cmd.exe, not the desktop shell)
          - Modifies firewall policy service
          - Checks BIOS information in registry
          - Adds Run key to start application
          - Drops desktop.ini file(s)
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies Internet Explorer settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
C:\Windows\system32\DllHost.exe   cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Files:
- C:\Users\Admin\AppData\Local\Temp\Bonehead
- C:\Users\Admin\AppData\Local\Temp\ShoonCataclysm.DLL
- \Users\Admin\AppData\Local\Temp\ShoonCataclysm.dll
Memory dumps:
- memory/1376-0-0x0000000000000000-mapping.dmp
- memory/1376-4-0x0000000000450000-0x0000000000485000-memory.dmp (212KB)
- memory/1588-9-0x0000000000000000-mapping.dmp
- memory/1812-5-0x0000000000000000-mapping.dmp
- memory/1812-6-0x0000000000400000-0x0000000000435000-memory.dmp (212KB)
- memory/1812-7-0x00000000023A0000-0x0000000002453000-memory.dmp (716KB)
- memory/1812-8-0x0000000002CD0000-0x0000000002E51000-memory.dmp (1.5MB)
- memory/2024-10-0x000007FEF8090000-0x000007FEF830A000-memory.dmp (2.5MB)