Analysis
- max time kernel: 151s
- max time network: 111s
- platform: windows10_x64
- resource: win10v200722
- submitted: 10-09-2020 05:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: 24ebc21fbcba3e741fccf8586855c711.exe
- Resource: win7
General
- Target: 24ebc21fbcba3e741fccf8586855c711.exe
- Size: 489KB
- MD5: 24ebc21fbcba3e741fccf8586855c711
- SHA1: 3104e6dcb1f22ebf25e8d68a69f288ab3f9e7fc7
- SHA256: c021395bee57f945cfcd348ddc3d589b004c8575afa1718bd9a60774fde7c2a9
- SHA512: a9ef0e80a14884c94906f7ebf8b526373ef249091ee1cd3e42e98987254e224e8f68e90d4576b565f9faf26fa85341a165fe9245289cacf68de20cf88be51453
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
- Sets file execution options in registry (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
- Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid | process
2760 | rundll32.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\y7w3sw13uy.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\y7w3sw13uy.exe\"" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\y7w3sw13uy.exe\"" | explorer.exe
- Checks whether UAC is enabled
Processes: cmd.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
- Drops desktop.ini file(s) (1 IoC)
Processes: explorer.exe
description | ioc | process
File opened for modification | C:\ProgramData\Google Updater 2.0\desktop.ini | explorer.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
Processes: cmd.exe, explorer.exe
pid | process
3856 | cmd.exe
1720 | explorer.exe (logged 8 times)
- Drops file in Windows directory (1 IoC)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat | svchost.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, cmd.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | cmd.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
- Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Internet Explorer\VersionManager | explorer.exe
- Modifies data under HKEY_USERS (5 IoCs)
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 9ed9ded14687d601 | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes: rundll32.exe, explorer.exe
pid | process
2760 | rundll32.exe
1720 | explorer.exe (repeated for the remaining entries; 25 IoCs in total)
- Suspicious behavior: MapViewOfSection (3 IoCs)
Processes: rundll32.exe, cmd.exe
pid | process
2760 | rundll32.exe
3856 | cmd.exe
3856 | cmd.exe
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes: svchost.exe, cmd.exe, explorer.exe
description | pid | process
Token: SeShutdownPrivilege | 1824 | svchost.exe
Token: SeCreatePagefilePrivilege | 1824 | svchost.exe
Token: SeDebugPrivilege | 3856 | cmd.exe
Token: SeRestorePrivilege | 3856 | cmd.exe
Token: SeBackupPrivilege | 3856 | cmd.exe
Token: SeLoadDriverPrivilege | 3856 | cmd.exe
Token: SeCreatePagefilePrivilege | 3856 | cmd.exe
Token: SeShutdownPrivilege | 3856 | cmd.exe
Token: SeTakeOwnershipPrivilege | 3856 | cmd.exe
Token: SeChangeNotifyPrivilege | 3856 | cmd.exe
Token: SeCreateTokenPrivilege | 3856 | cmd.exe
Token: SeMachineAccountPrivilege | 3856 | cmd.exe
Token: SeSecurityPrivilege | 3856 | cmd.exe
Token: SeAssignPrimaryTokenPrivilege | 3856 | cmd.exe
Token: SeCreateGlobalPrivilege | 3856 | cmd.exe
Token: 33 | 3856 | cmd.exe
Token: SeDebugPrivilege | 1720 | explorer.exe
Token: SeRestorePrivilege | 1720 | explorer.exe
Token: SeBackupPrivilege | 1720 | explorer.exe
Token: SeLoadDriverPrivilege | 1720 | explorer.exe
Token: SeCreatePagefilePrivilege | 1720 | explorer.exe
Token: SeShutdownPrivilege | 1720 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1720 | explorer.exe
Token: SeChangeNotifyPrivilege | 1720 | explorer.exe
Token: SeCreateTokenPrivilege | 1720 | explorer.exe
Token: SeMachineAccountPrivilege | 1720 | explorer.exe
Token: SeSecurityPrivilege | 1720 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1720 | explorer.exe
Token: SeCreateGlobalPrivilege | 1720 | explorer.exe
Token: 33 | 1720 | explorer.exe
- Suspicious use of WriteProcessMemory (86 IoCs)
Processes: 24ebc21fbcba3e741fccf8586855c711.exe, rundll32.exe
description | pid | process | target process
PID 2080 wrote to memory of 2760 | 2080 | 24ebc21fbcba3e741fccf8586855c711.exe | rundll32.exe (logged 3 times)
PID 2760 wrote to memory of 3856 | 2760 | rundll32.exe | cmd.exe (repeated for the remaining entries; 86 IoCs in total)
Processes
- C:\Users\Admin\AppData\Local\Temp\24ebc21fbcba3e741fccf8586855c711.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24ebc21fbcba3e741fccf8586855c711.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe PartiShikari,Hurley
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Modifies firewall policy service
        - Checks BIOS information in registry
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Capercaillie
- C:\Users\Admin\AppData\Local\Temp\PartiShikari.DLL
- \Users\Admin\AppData\Local\Temp\PartiShikari.dll
- memory/1720-9-0x0000000000000000-mapping.dmp
- memory/1720-10-0x0000000001180000-0x00000000015C0000-memory.dmp (Filesize: 4.2MB)
- memory/1720-11-0x0000000001180000-0x00000000015C0000-memory.dmp (Filesize: 4.2MB)
- memory/2760-0-0x0000000000000000-mapping.dmp
- memory/2760-4-0x00000000029E0000-0x0000000002A15000-memory.dmp (Filesize: 212KB)
- memory/3856-5-0x0000000000000000-mapping.dmp
- memory/3856-6-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/3856-7-0x0000000004EE0000-0x0000000004F82000-memory.dmp (Filesize: 648KB)
- memory/3856-8-0x0000000005410000-0x0000000005850000-memory.dmp (Filesize: 4.2MB)