Analysis

- max time kernel: 152s
- max time network: 52s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:26

Static task: static1

Behavioral task: behavioral1
- Sample: uncategorized_1.2.4.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: uncategorized_1.2.4.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General

- Target: uncategorized_1.2.4.0.vir.exe
- Size: 677KB
- MD5: 8773b8aecd2979784c4b93ee890bd11d
- SHA1: 739bee3b3bbbf920f1483875ca880c8e49326448
- SHA256: 6c759b96dca08330cce6b7787e69b286d3b1a22a618f81409fd674ef720eb6dd
- SHA512: 2feb6cd4e6c0b9cc98580eb5fade79386b076fb3a62220dc64f212b0fadf8c6d9852d10053510c48e3b5d8b26d380b50bca921d559deb4b08ca2d1007525e84c
- Score: 8/10
Malware Config
Signatures

Suspicious behavior: MapViewOfSection (9 IoCs)
  Processes: ymuv.exe (PID 1156) x2, explorer.exe (PID 1032) x7

Suspicious behavior: EnumeratesProcesses (282 IoCs)
  Processes: explorer.exe (PID 1032) for every entry

Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1516)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: explorer.exe (PID 1032)
  Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\ihyteg = "C:\\Users\\Admin\\AppData\\Roaming\\Okvi\\ymuv.exe"

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: uncategorized_1.2.4.0.vir.exe (PID 804), Token: SeSecurityPrivilege (x2)

Loads dropped DLL (1 IoC)
  Process: uncategorized_1.2.4.0.vir.exe (PID 804)

Suspicious use of WriteProcessMemory (12 IoCs)
  Writer (PID) -> target (PID), each edge logged four times:
  uncategorized_1.2.4.0.vir.exe (804) -> ymuv.exe (1156)
  ymuv.exe (1156) -> explorer.exe (1032)
  uncategorized_1.2.4.0.vir.exe (804) -> cmd.exe (1516)

Executes dropped EXE (1 IoC)
  Process: ymuv.exe (PID 1156)
Processes

1. C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.4.0.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.4.0.vir.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Okvi\ymuv.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Okvi\ymuv.exe" -r
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

      3. C:\Windows\SysWOW64\explorer.exe
         Command line: "C:\Windows\SysWOW64\explorer.exe"
         - Suspicious behavior: MapViewOfSection
         - Suspicious behavior: EnumeratesProcesses
         - Adds Run key to start application

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\UNCATE~1.EXE >> NUL if exist C:\Users\Admin\AppData\Local\Temp\UNCATE~1.EXE goto repeat
      - Deletes itself
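The process tree and the WriteProcessMemory / MapViewOfSection signatures above describe one chain: the sample writes into the copy it dropped under AppData\Roaming, that copy writes into a freshly spawned 32-bit explorer.exe, and explorer.exe is then the process that creates the Run value and enumerates processes, while a cmd.exe child deletes the original file. The sandbox records that memory was written, not what was written, so the report supports "injection into explorer.exe", not a specific technique. The Python below is an added example by the editor, not part of the sandbox output: it parses the "wrote to memory" and Run-key IoC lines exactly as they are printed in this report (the IoC strings in the block are copied from the report; the function names and the regular expressions are the editor's) and reconstructs the writer-to-target chain and the persistence entry, so the same script can be run over other reports in this format.

```python
import re

# IoC text copied verbatim from the sandbox report above (the twelve WriteProcessMemory
# entries and the Run-key "Set value" entry); nothing in these two strings is constructed.
WRITEPROCESSMEMORY_IOCS = (
    "PID 804 wrote to memory of 1156 804 uncategorized_1.2.4.0.vir.exe ymuv.exe "
    "PID 804 wrote to memory of 1156 804 uncategorized_1.2.4.0.vir.exe ymuv.exe "
    "PID 804 wrote to memory of 1156 804 uncategorized_1.2.4.0.vir.exe ymuv.exe "
    "PID 804 wrote to memory of 1156 804 uncategorized_1.2.4.0.vir.exe ymuv.exe "
    "PID 1156 wrote to memory of 1032 1156 ymuv.exe explorer.exe "
    "PID 1156 wrote to memory of 1032 1156 ymuv.exe explorer.exe "
    "PID 1156 wrote to memory of 1032 1156 ymuv.exe explorer.exe "
    "PID 1156 wrote to memory of 1032 1156 ymuv.exe explorer.exe "
    "PID 804 wrote to memory of 1516 804 uncategorized_1.2.4.0.vir.exe cmd.exe "
    "PID 804 wrote to memory of 1516 804 uncategorized_1.2.4.0.vir.exe cmd.exe "
    "PID 804 wrote to memory of 1516 804 uncategorized_1.2.4.0.vir.exe cmd.exe "
    "PID 804 wrote to memory of 1516 804 uncategorized_1.2.4.0.vir.exe cmd.exe"
)

RUN_KEY_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\ihyteg = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Okvi\\ymuv.exe" explorer.exe'
)

# Report format: "PID <src> wrote to memory of <dst> <src> <src name> <dst name>";
# the writer PID is printed twice, which the back-reference \1 enforces.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
# Report format: 'Set value (str) <key path>\Run\<value name> = "<data>"'
RUN_RE = re.compile(r'Set value \(str\) (\S+?\\Run)\\(\S+) = "([^"]*)"')


def parse_write_edges(text):
    """Return unique (writer_pid, target_pid, writer_name, target_name) edges in log
    order. The sandbox logs one IoC per WriteProcessMemory call, so edges repeat."""
    edges = []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def injection_chains(edges):
    """Follow writer -> target edges from every process that is never itself a
    target, returning each root-to-leaf path as a list of process names."""
    names, children = {}, {}
    for src, dst, src_name, dst_name in edges:
        names[src], names[dst] = src_name, dst_name
        children.setdefault(src, []).append(dst)
    targets = {dst for _, dst, _, _ in edges}
    chains = []

    def walk(pid, path):
        path = path + [names[pid]]
        if pid not in children:          # leaf: nobody was written to by this process
            chains.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in [pid for pid in children if pid not in targets]:
        walk(root, [])
    return chains


def parse_run_key(text):
    """Extract the Run value name and its target path, and flag a target under the
    user's AppData tree (user-writable): hunt for that pattern, not the literal names,
    which are specific to this run."""
    m = RUN_RE.search(text)
    if not m:
        return None
    # The report prints the data with escaped backslashes; collapse them to a real path.
    target = m.group(3).replace("\\\\", "\\")
    return {
        "key": m.group(1),
        "value_name": m.group(2),
        "target": target,
        "user_writable": "\\appdata\\" in target.lower(),
    }


def triage(wpm_text=WRITEPROCESSMEMORY_IOCS, run_text=RUN_KEY_IOC):
    """Summarise which process ends up hosting the injected code and how it persists."""
    return {
        "chains": injection_chains(parse_write_edges(wpm_text)),
        "persistence": parse_run_key(run_text),
    }


if __name__ == "__main__":
    result = triage()
    for chain in result["chains"]:
        print(" -> ".join(chain))
    p = result["persistence"]
    print(f"Run\\{p['value_name']} = {p['target']} (user-writable: {p['user_writable']})")
```

Two caveats when turning this into a host check: the image path of the cmd.exe child is SysWOW64\cmd.exe although the command line names system32\cmd.exe, which is WOW64 file-system redirection for a 32-bit parent and not a second binary; and the report gives hashes only for the submitted sample, not for the dropped ymuv.exe, so a hash match on the dropped file is an assumption unless you compute it yourself.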
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Dropped files:
- C:\Users\Admin\AppData\Roaming\Okvi\ymuv.exe
- C:\Users\Admin\AppData\Roaming\Okvi\ymuv.exe
- \Users\Admin\AppData\Roaming\Okvi\ymuv.exe

Memory dumps:
- memory/804-0-0x00000000021C0000-0x0000000002361000-memory.dmp (1.6MB)
- memory/1032-6-0x0000000000000000-mapping.dmp
- memory/1032-7-0x0000000000070000-0x00000000002F1000-memory.dmp (2.5MB)
- memory/1156-2-0x0000000000000000-mapping.dmp
- memory/1156-4-0x00000000021C0000-0x0000000002361000-memory.dmp (1.6MB)
- memory/1516-8-0x0000000000000000-mapping.dmp