Analysis
max time kernel: 149s
max time network: 110s
platform: windows10_x64
resource: win10
submitted: 10-09-2020 05:45
Static task: static1
Behavioral task: behavioral1
Sample: c684fc46858558ec39fbd7500d86ac10.exe
Resource: win7v200722
General
Target: c684fc46858558ec39fbd7500d86ac10.exe
Size: 488KB
MD5: c684fc46858558ec39fbd7500d86ac10
SHA1: ca83afe0c8c2ccd7fc9dc0b02b196c5e8b05969f
SHA256: 4af7c93f154aff7489fa923d76328ef0ec16027b578b24f1ae40f2172f6e246c
SHA512: 447055a81a2ec1804d9820c323f4954e336e785e1df4498198fb04ede0dc13290523ab90cd7e5b0a91dcae7b3cc5daa27923d5a6ccc3704c9fdd65b6607eeced
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Sets file execution options in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL (1 IoCs)
Processes: rundll32.exe
pid | process
3888 | rundll32.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\7kaue771wy.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\7kaue771wy.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\7kaue771wy.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Checks whether UAC is enabled
Processes: cmd.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Drops desktop.ini file(s) (1 IoCs)
Processes: explorer.exe
description | ioc | process
File opened for modification | C:\ProgramData\Google Updater 2.0\desktop.ini | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: cmd.exe, explorer.exe
pid | process
812 | cmd.exe (1 event)
1876 | explorer.exe (8 events)
Drops file in Windows directory (1 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: cmd.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cmd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = c21dc50c3587d601 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: rundll32.exe, explorer.exe
pid | process
3888 | rundll32.exe (2 events)
1876 | explorer.exe (26 events)
Suspicious behavior: MapViewOfSection (4 IoCs)
Processes: rundll32.exe, cmd.exe
pid | process
3888 | rundll32.exe (2 events)
812 | cmd.exe (2 events)
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes: svchost.exe, cmd.exe, explorer.exe
description | pid | process
Token: SeShutdownPrivilege | 3312 | svchost.exe
Token: SeCreatePagefilePrivilege | 3312 | svchost.exe
Token: SeDebugPrivilege | 812 | cmd.exe
Token: SeRestorePrivilege | 812 | cmd.exe
Token: SeBackupPrivilege | 812 | cmd.exe
Token: SeLoadDriverPrivilege | 812 | cmd.exe
Token: SeCreatePagefilePrivilege | 812 | cmd.exe
Token: SeShutdownPrivilege | 812 | cmd.exe
Token: SeTakeOwnershipPrivilege | 812 | cmd.exe
Token: SeChangeNotifyPrivilege | 812 | cmd.exe
Token: SeCreateTokenPrivilege | 812 | cmd.exe
Token: SeMachineAccountPrivilege | 812 | cmd.exe
Token: SeSecurityPrivilege | 812 | cmd.exe
Token: SeAssignPrimaryTokenPrivilege | 812 | cmd.exe
Token: SeCreateGlobalPrivilege | 812 | cmd.exe
Token: 33 | 812 | cmd.exe
Token: SeDebugPrivilege | 1876 | explorer.exe
Token: SeRestorePrivilege | 1876 | explorer.exe
Token: SeBackupPrivilege | 1876 | explorer.exe
Token: SeLoadDriverPrivilege | 1876 | explorer.exe
Token: SeCreatePagefilePrivilege | 1876 | explorer.exe
Token: SeShutdownPrivilege | 1876 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1876 | explorer.exe
Token: SeChangeNotifyPrivilege | 1876 | explorer.exe
Token: SeCreateTokenPrivilege | 1876 | explorer.exe
Token: SeMachineAccountPrivilege | 1876 | explorer.exe
Token: SeSecurityPrivilege | 1876 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1876 | explorer.exe
Token: SeCreateGlobalPrivilege | 1876 | explorer.exe
Token: 33 | 1876 | explorer.exe
Suspicious use of WriteProcessMemory (90 IoCs)
Processes: c684fc46858558ec39fbd7500d86ac10.exe, rundll32.exe
description | pid | process | target process
PID 2600 wrote to memory of 3888 | 2600 | c684fc46858558ec39fbd7500d86ac10.exe | rundll32.exe (3 events)
PID 3888 wrote to memory of 2388 | 3888 | rundll32.exe | cmd.exe (4 events)
PID 3888 wrote to memory of 812 | 3888 | rundll32.exe | cmd.exe (remaining 83 events)
Processes (number = nesting depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\c684fc46858558ec39fbd7500d86ac10.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c684fc46858558ec39fbd7500d86ac10.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe PartiShikari,Hurley
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
         - Checks whether UAC is enabled
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Checks processor information in registry
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\explorer.exe
            Command line: C:\Windows\SysWOW64\explorer.exe
            - Modifies firewall policy service
            - Checks BIOS information in registry
            - Adds Run key to start application
            - Drops desktop.ini file(s)
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Enumerates system info in registry
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Capercaillie
- C:\Users\Admin\AppData\Local\Temp\PartiShikari.DLL
- \Users\Admin\AppData\Local\Temp\PartiShikari.dll
- memory/812-5-0x0000000000000000-mapping.dmp
- memory/812-6-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize 212KB)
- memory/812-7-0x0000000005090000-0x0000000005132000-memory.dmp (Filesize 648KB)
- memory/812-8-0x00000000054E0000-0x0000000005920000-memory.dmp (Filesize 4.2MB)
- memory/1876-9-0x0000000000000000-mapping.dmp
- memory/1876-10-0x00000000013A0000-0x00000000017E0000-memory.dmp (Filesize 4.2MB)
- memory/1876-11-0x00000000013A0000-0x00000000017E0000-memory.dmp (Filesize 4.2MB)
- memory/3888-0-0x0000000000000000-mapping.dmp
- memory/3888-4-0x0000000005770000-0x00000000057A5000-memory.dmp (Filesize 212KB)