Analysis
max time kernel: 149s
max time network: 72s
platform: windows10_x64
resource: win10
submitted: 04-09-2020 05:26
Static task: static1
Behavioral task: behavioral1
Sample: div.exe
Resource: win7v200722
General
Target: div.exe
Size: 476KB
MD5: 1fab5b2e8a75f5e6d0ab336c75a45d3e
SHA1: a77526cc5cdf4ea8abb31a6324c2282f1db351c9
SHA256: 973b3d66cf3f04d5be0e10dfa5ab24fbc8c5d2b58cc5728d81a448dbe079f4e6
SHA512: a47e0ad3700c1005064170964ae3e3e09d63f9a08e3723f1a880023f5333a53d85859ed866570e14e03283664514b35c3d588761d07413b1261de70ab5a52508
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
Sets file execution options in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Loads dropped DLL 1 IoCs
Processes:
- PID 188 rundll32.exe
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\uimig5ce.exe\""
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\uimig5ce.exe"
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\uimig5ce.exe\""
- explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Checks whether UAC is enabled 1 IoCs
Processes:
- cmd.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops desktop.ini file(s) 1 IoCs
Processes:
- explorer.exe: File opened for modification C:\ProgramData\Google Updater 2.0\desktop.ini
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
- PID 2300 cmd.exe
- PID 1220 explorer.exe (8 occurrences)
Drops file in Windows directory 1 IoCs
Processes:
- svchost.exe: File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- cmd.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- cmd.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies Internet Explorer settings 4 IoCs
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
Modifies data under HKEY_USERS 5 IoCs
Processes:
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"
- svchost.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- svchost.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"
- svchost.exe: Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 231c2b677b82d601
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
- PID 188 rundll32.exe
- PID 1220 explorer.exe (26 occurrences)
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
- PID 188 rundll32.exe
- PID 2300 cmd.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes:
- PID 3844 svchost.exe: Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
- PID 2300 cmd.exe: Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 1220 explorer.exe: Token: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
Suspicious use of WriteProcessMemory 86 IoCs
Processes:
- PID 2928 div.exe wrote to memory of PID 188 rundll32.exe (3 occurrences)
- PID 188 rundll32.exe wrote to memory of PID 2300 cmd.exe (repeated for every remaining entry)
Processes
- C:\Users\Admin\AppData\Local\Temp\div.exe (command line: "C:\Users\Admin\AppData\Local\Temp\div.exe") [level 1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe ShoonCataclysm,Uboats) [level 2]
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\system32\cmd.exe") [level 3]
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\explorer.exe (command line: C:\Windows\SysWOW64\explorer.exe) [level 4]
        - Modifies firewall policy service
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc) [level 1]
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Bonehead
- C:\Users\Admin\AppData\Local\Temp\ShoonCataclysm.DLL
- \Users\Admin\AppData\Local\Temp\ShoonCataclysm.dll
- memory/188-0-0x0000000000000000-mapping.dmp
- memory/188-4-0x0000000004B90000-0x0000000004BC5000-memory.dmp (Filesize: 212KB)
- memory/1220-9-0x0000000000000000-mapping.dmp
- memory/1220-10-0x0000000000950000-0x0000000000D90000-memory.dmp (Filesize: 4.2MB)
- memory/1220-11-0x0000000000950000-0x0000000000D90000-memory.dmp (Filesize: 4.2MB)
- memory/2300-5-0x0000000000000000-mapping.dmp
- memory/2300-6-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/2300-7-0x0000000004D20000-0x0000000004DC2000-memory.dmp (Filesize: 648KB)
- memory/2300-8-0x00000000052B0000-0x00000000056F0000-memory.dmp (Filesize: 4.2MB)