Analysis
-
max time kernel: 149s
max time network: 111s
platform: windows10_x64
resource: win10v200722
submitted: 08-09-2020 07:14
Static task: static1
Behavioral task: behavioral1
Sample: md.exe
Resource: win7
General
-
Target: md.exe
Size: 440KB
MD5: 027cb4041c42ee1d56cd02830960fcc4
SHA1: 5bff076221b7934b331384f02cb250dc51b59cea
SHA256: 9ea8141b737b1dd5d56c800d4f84048014d83489f0fb3a78e42076a81186e30d
SHA512: c01a01d5af3fec7d0c7b15d739fec3cbeb27740cee33327bf15214ef6e0e14e70922abce5f405e68ec063d9bf5e31d5886fc0fc07852154d01c96aa142b24251
Malware Config
Signatures
-
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
EnableFirewall = 0 under a FirewallPolicy profile key switches the Windows firewall off for that profile (StandardProfile is the private-network profile). Only the Standard and Public profiles are written; no DomainProfile change is recorded.
Sets file execution options in registry (2 TTPs; the report lists no IoCs for this signature)
-
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Loads dropped DLL (1 IoC)
Processes: rundll32.exe (pid 3868)
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\5y9a3793eqq.exe\"" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\5y9a3793eqq.exe\"" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\5y9a3793eqq.exe" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
The values are shown with the sandbox's escaping; the registry data is the command line "C:\ProgramData\Google Updater 2.0\5y9a3793eqq.exe" (unquoted in the user RunOnce entry). The same binary is registered three times under the value name "Google Updater 2.0": in the user's Run key and in both the machine and the user RunOnce keys.
Checks whether UAC is enabled (1 IoC)
Processes: cmd.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (cmd.exe)
Drops desktop.ini file(s) (1 IoC)
Processes: explorer.exe
- File opened for modification: C:\ProgramData\Google Updater 2.0\desktop.ini (explorer.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: cmd.exe (pid 3068) x1, explorer.exe (pid 3776) x8
NtSetInformationThread with the ThreadHideFromDebugger class stops the kernel from delivering that thread's debug events to an attached debugger; ordinary software has little reason to call it.
Drops file in Windows directory (1 IoC)
Processes: svchost.exe
- File opened for modification: C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat (svchost.exe)
This svchost.exe instance hosts WinHttpAutoProxySvc (see the process list below); cachev3.dat is that service's own proxy-discovery cache, so treat the hit as background activity unless it can be tied to the sample.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, cmd.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (cmd.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (cmd.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
Modifies Internet Explorer settings (4 IoCs)
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" (explorer.exe)
Modifies data under HKEY_USERS (5 IoCs)
Processes: svchost.exe
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (svchost.exe)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 (svchost.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" (svchost.exe)
- Set value (data): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 888afde7c085d601 (svchost.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" (svchost.exe)
S-1-5-19 is LOCAL SERVICE, the account WinHttpAutoProxySvc runs under; these are the service's WPAD decision-cache keys, not sample activity.
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes: rundll32.exe (pid 3868) x1, explorer.exe (pid 3776) x26
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes: rundll32.exe (pid 3868) x1, cmd.exe (pid 3068) x2
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes: svchost.exe (pid 904), cmd.exe (pid 3068), explorer.exe (pid 3776)
- svchost.exe (904): SeShutdownPrivilege, SeCreatePagefilePrivilege
- cmd.exe (3068): SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- explorer.exe (3776): the same fourteen entries as cmd.exe, in the same order
The unnamed entry "33" is privilege LUID 33, SeIncreaseWorkingSetPrivilege. A user-level cmd.exe or explorer.exe asking for SeDebugPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege is not normal shell behaviour; the report records the requests, not whether each one succeeded.
Suspicious use of WriteProcessMemory (86 IoCs)
Processes: md.exe (pid 3488), rundll32.exe (pid 3868)
- PID 3488 (md.exe) wrote to memory of PID 3868 (rundll32.exe): 3 events
- PID 3868 (rundll32.exe) wrote to memory of PID 3068 (cmd.exe): every remaining event in the table (86 IoCs in total)
These are the two injection hops the process tree below shows from the other side: the dropper writes into the rundll32.exe it launches, and the code running inside rundll32.exe writes into the cmd.exe it launches. No write into explorer.exe (pid 3776) appears in this table.
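The registry IoCs above are the part of this report a responder reuses most: the firewall writes say what was switched off, the Run/RunOnce writes give the path to hunt for on other hosts, and the BIOS and CPU reads flag sandbox awareness. As an added example (not code from the report or from the sandbox's own tooling), the Python below parses lines in the layout the tables above use and applies a small rule set to them. The sample lines are copied from the tables above, with the escaping the sandbox emits; the rule labels, the finding format and the function names are this example's own assumptions.

```python
"""Turn the registry IoC lines of a sandbox report into responder findings.

Added example, not code from the report or the sandbox vendor. The input
lines are copied from the signature tables above; the rule table, finding
labels and helper names are this example's own assumptions.
"""
import re
from typing import Optional

# Constructed input: registry IoC lines in the report's own layout
# (operation, key path, optional "= value", acting process).
SAMPLE = r'''
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\5y9a3793eqq.exe\"" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\5y9a3793eqq.exe\"" explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\5y9a3793eqq.exe" explorer.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe
'''

# Operation, then the key path (may contain spaces), an optional "= value",
# and finally the acting process image name.
LINE_RE = re.compile(
    r"^(?P<op>Key created|Key opened|Key value queried|Set value \((?P<type>\w+)\))\s+"
    r"(?P<path>.+?)(?:\s+=\s+(?P<value>.+?))?\s+(?P<proc>\S+\.exe)$"
)
OPS = {"Key created": "create", "Key opened": "open", "Key value queried": "query"}


def unquote(raw: Optional[str]) -> Optional[str]:
    """Strip the outer double quotes and the backslash escapes the report adds to values."""
    if raw is None:
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def parse_line(line: str) -> Optional[dict]:
    """One report line -> {op, type, path, value, proc}, or None if it is not a registry IoC."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    op = m.group("op")
    return {
        "op": "set" if op.startswith("Set value") else OPS[op],
        "type": m.group("type"),
        "path": m.group("path"),
        "value": unquote(m.group("value")),
        "proc": m.group("proc"),
    }


def _fingerprint(m, ev):
    leaf = m["leaf"].split("\\")[-1]
    return "hardware fingerprint read (%s), typical of sandbox detection" % leaf


RULES = [  # (operation, pattern over the key path, finding builder)
    ("set", re.compile(r"\\FirewallPolicy\\(?P<profile>\w+)\\EnableFirewall$"),
     lambda m, ev: "host firewall disabled for %s" % m["profile"] if ev["value"] == "0" else None),
    ("set", re.compile(r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$"),
     lambda m, ev: "autorun persistence, %s entry '%s' -> %s" % (m["key"], m["name"], ev["value"])),
    ("query", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?P<leaf>SystemBiosVersion|"
                         r"BIOS\\SystemManufacturer|CentralProcessor\\0\\ProcessorNameString)$"),
     _fingerprint),
    ("query", re.compile(r"\\Policies\\System\\EnableLUA$"),
     lambda m, ev: "UAC status check (EnableLUA)"),
]


def classify(ev: dict) -> Optional[str]:
    """First matching rule wins; unremarkable events (e.g. the svchost Wpad write) yield None."""
    for op, pattern, build in RULES:
        if ev["op"] != op:
            continue
        m = pattern.search(ev["path"])
        if m:
            return build(m, ev)
    return None


def analyze(report_text: str) -> list:
    """(process, finding) pairs for every registry line a rule recognises."""
    findings = []
    for line in report_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            findings.append((ev["proc"], label))
    return findings


def persistence_targets(report_text: str) -> set:
    """Executables registered for autorun, with command-line quoting removed, so the
    same binary registered under Run and two RunOnce keys collapses to one hunt target."""
    targets = set()
    for line in report_text.splitlines():
        ev = parse_line(line)
        if ev and ev["op"] == "set" and ev["value"] and re.search(r"\\CurrentVersion\\Run(Once)?\\", ev["path"]):
            targets.add(ev["value"].strip('"'))
    return targets


if __name__ == "__main__":
    for proc, finding in analyze(SAMPLE):
        print("%-13s %s" % (proc, finding))
    print("hunt for:", sorted(persistence_targets(SAMPLE)))
```

Run it as a script to print the ten findings and the single hunt target the three persistence entries collapse to. The first matching rule wins, so the Wpad write by svchost.exe falls through and is dropped; extend RULES with further key patterns (other autostart locations, Image File Execution Options) as the report being parsed warrants.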
Processes
-
C:\Users\Admin\AppData\Local\Temp\md.exe (pid 3488, level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\md.exe"
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (pid 3868, level 2, child of md.exe)
  command line: rundll32.exe CuminFettucine,Uboats
  rundll32 loads the module named before the comma (CuminFettucine, resolved as CuminFettucine.dll) and calls the export named after it (Uboats). Together with the Loads dropped DLL hit and the Downloads list, this identifies C:\Users\Admin\AppData\Local\Temp\CuminFettucine.DLL as the second stage.
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (pid 3068, level 3, child of rundll32.exe)
    command line: "C:\Windows\system32\cmd.exe"
    The image lives in SysWOW64 although the command line names system32: the 32-bit parent's request is redirected by WOW64 file system redirection.
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\explorer.exe (pid 3776, level 4, child of cmd.exe)
      command line: C:\Windows\SysWOW64\explorer.exe
      - Modifies firewall policy service
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe (pid 904, level 1, not part of the md.exe tree)
command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
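The WriteProcessMemory table and the process tree describe the same two-hop injection chain from different sides. As an added example (not the report's or the sandbox's code), the Python below collapses the repeated write events into counted edges, walks them into a tree, and annotates the rundll32.exe node with the DLL and export its command line names, matched against the files listed under Downloads. The write events are abridged from the table above (five rundll32.exe to cmd.exe events stand in for the full list), the pid-to-command-line map is built from the tree and the pids the signature tables give, and the output layout and function names are this example's own.

```python
"""Rebuild the injection chain from a sandbox report's process IoCs.

Added example, not code from the report or the sandbox. The inputs are
abridged from the report: the WriteProcessMemory table (cut to a few
rundll32 -> cmd events), the command lines from the process tree keyed by the
pids the signature tables give, and the Downloads list. Output layout and
function names are this example's own.
"""
import re
from collections import Counter, defaultdict

# Constructed input, abridged from "Suspicious use of WriteProcessMemory".
WRITE_EVENTS = """
PID 3488 wrote to memory of 3868 3488 md.exe rundll32.exe
PID 3488 wrote to memory of 3868 3488 md.exe rundll32.exe
PID 3488 wrote to memory of 3868 3488 md.exe rundll32.exe
PID 3868 wrote to memory of 3068 3868 rundll32.exe cmd.exe
PID 3868 wrote to memory of 3068 3868 rundll32.exe cmd.exe
PID 3868 wrote to memory of 3068 3868 rundll32.exe cmd.exe
PID 3868 wrote to memory of 3068 3868 rundll32.exe cmd.exe
PID 3868 wrote to memory of 3068 3868 rundll32.exe cmd.exe
"""

# Constructed input: command lines from the process tree, keyed by the pids the
# signature tables attach to each image. explorer.exe (3776) is cmd.exe's child
# in the tree but has no write event in the table, so it does not appear here.
COMMAND_LINES = {
    3488: r'"C:\Users\Admin\AppData\Local\Temp\md.exe"',
    3868: "rundll32.exe CuminFettucine,Uboats",
    3068: r'"C:\Windows\system32\cmd.exe"',
}

# Constructed input: the files the report lists under Downloads.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\CuminFettucine.DLL",
    r"C:\Users\Admin\AppData\Local\Temp\Influenza",
]

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


def parse_write_events(text):
    """Collapse repeated write lines into (src_pid, dst_pid) -> count and pid -> image name."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        names[src], names[dst] = m["src_name"], m["dst_name"]
    return edges, names


def rundll32_target(cmdline):
    """Split a rundll32 command line into (module, export), or None for other images.

    rundll32 takes everything before the first comma as the DLL to load and the
    token after it as the export to call; a bare name without an extension is
    loaded as <name>.dll through the normal DLL search order."""
    m = re.match(r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+(?P<dll>[^,\s]+),(?P<entry>\S+)',
                 cmdline, re.IGNORECASE)
    if not m:
        return None
    dll = m["dll"]
    if "." not in dll.split("\\")[-1]:
        dll += ".dll"
    return dll, m["entry"]


def resolve_dropped(dll, dropped):
    """The dropped file whose name matches the module rundll32 was told to load (case-insensitive)."""
    want = dll.split("\\")[-1].lower()
    for path in dropped:
        if path.split("\\")[-1].lower() == want:
            return path
    return None


def render_chain(text=WRITE_EVENTS, cmdlines=COMMAND_LINES, dropped=DROPPED_FILES):
    """One indented line per process, ordered by who wrote into whom."""
    edges, names = parse_write_events(text)
    children = defaultdict(list)
    for (src, dst), n in sorted(edges.items()):
        children[src].append((dst, n))
    # Roots are processes that were never the target of a write.
    roots = [pid for pid in names if not any(pid == dst for _, dst in edges)]
    lines = []

    def walk(pid, depth, writes):
        label = "  " * depth + "%s (pid %d)" % (names[pid], pid)
        if writes:
            label += "  <- %d WriteProcessMemory call(s) from parent" % writes
        hit = rundll32_target(cmdlines.get(pid, ""))
        if hit:
            dll, entry = hit
            label += "  loads %s, export %s" % (resolve_dropped(dll, dropped) or dll, entry)
        lines.append(label)
        for child, n in children[pid]:
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_chain()))
```

The rendered chain has three lines (md.exe, then rundll32.exe with its DLL and export, then cmd.exe); explorer.exe is absent because the table records no write into it, which is itself worth noticing when reading the tree.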
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Files
- C:\Users\Admin\AppData\Local\Temp\CuminFettucine.DLL
- C:\Users\Admin\AppData\Local\Temp\Influenza
- \Users\Admin\AppData\Local\Temp\CuminFettucine.dll
Memory dumps (pid-index-address range, with region size)
- memory/3068-5-0x0000000000000000-mapping.dmp
- memory/3068-6-0x0000000000400000-0x0000000000435000-memory.dmp, 212KB
- memory/3068-7-0x0000000005580000-0x0000000005622000-memory.dmp, 648KB
- memory/3068-8-0x00000000059D0000-0x0000000005E10000-memory.dmp, 4.2MB
- memory/3776-9-0x0000000000000000-mapping.dmp
- memory/3776-10-0x0000000000C30000-0x0000000001070000-memory.dmp, 4.2MB
- memory/3776-11-0x0000000000C30000-0x0000000001070000-memory.dmp, 4.2MB
- memory/3868-0-0x0000000000000000-mapping.dmp
- memory/3868-4-0x0000000004660000-0x0000000004695000-memory.dmp, 212KB
Where to start: the 212KB region rundll32.exe (3868) holds at 0x4660000 is the same size as the 212KB region at 0x400000 in cmd.exe (3068), and the 4.2MB region at 0x59D0000 in cmd.exe is the same size as the 4.2MB region at 0xC30000 in explorer.exe (3776). Read together with the WriteProcessMemory and MapViewOfSection hits, those are the dumps most likely to contain the injected stages.