6c759b96dca08330cce6b7787e69b286d3b1a22a618f81409fd674ef720eb6dd

General

Target

uncategorized_1.2.4.0.vir.exe
Size

677KB
MD5

8773b8aecd2979784c4b93ee890bd11d
SHA1

739bee3b3bbbf920f1483875ca880c8e49326448
SHA256

6c759b96dca08330cce6b7787e69b286d3b1a22a618f81409fd674ef720eb6dd
SHA512

2feb6cd4e6c0b9cc98580eb5fade79386b076fb3a62220dc64f212b0fadf8c6d9852d10053510c48e3b5d8b26d380b50bca921d559deb4b08ca2d1007525e84c

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

ymuv.exeexplorer.exe

pid process

1156 ymuv.exe
1156 ymuv.exe
1032 explorer.exe
1032 explorer.exe
1032 explorer.exe
1032 explorer.exe
1032 explorer.exe
1032 explorer.exe
1032 explorer.exe

pid	process
1156	ymuv.exe
1156	ymuv.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe

Suspicious behavior: EnumeratesProcesses 282 IoCs

Processes:

explorer.exe

pid	process
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe
1032	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1516 cmd.exe

pid	process
1516	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\ihyteg = "C:\\Users\\Admin\\AppData\\Roaming\\Okvi\\ymuv.exe"	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uncategorized_1.2.4.0.vir.exe

description pid process

Token: SeSecurityPrivilege 804 uncategorized_1.2.4.0.vir.exe
Token: SeSecurityPrivilege 804 uncategorized_1.2.4.0.vir.exe
Loads dropped DLL 1 IoCs

Processes:

uncategorized_1.2.4.0.vir.exe

pid process

804 uncategorized_1.2.4.0.vir.exe

description	pid	process
Token: SeSecurityPrivilege	804	uncategorized_1.2.4.0.vir.exe
Token: SeSecurityPrivilege	804	uncategorized_1.2.4.0.vir.exe

pid	process
804	uncategorized_1.2.4.0.vir.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

uncategorized_1.2.4.0.vir.exeymuv.exe

description	pid	process	target process
PID 804 wrote to memory of 1156	804	uncategorized_1.2.4.0.vir.exe	ymuv.exe
PID 804 wrote to memory of 1156	804	uncategorized_1.2.4.0.vir.exe	ymuv.exe
PID 804 wrote to memory of 1156	804	uncategorized_1.2.4.0.vir.exe	ymuv.exe
PID 804 wrote to memory of 1156	804	uncategorized_1.2.4.0.vir.exe	ymuv.exe
PID 1156 wrote to memory of 1032	1156	ymuv.exe	explorer.exe
PID 1156 wrote to memory of 1032	1156	ymuv.exe	explorer.exe
PID 1156 wrote to memory of 1032	1156	ymuv.exe	explorer.exe
PID 1156 wrote to memory of 1032	1156	ymuv.exe	explorer.exe
PID 804 wrote to memory of 1516	804	uncategorized_1.2.4.0.vir.exe	cmd.exe
PID 804 wrote to memory of 1516	804	uncategorized_1.2.4.0.vir.exe	cmd.exe
PID 804 wrote to memory of 1516	804	uncategorized_1.2.4.0.vir.exe	cmd.exe
PID 804 wrote to memory of 1516	804	uncategorized_1.2.4.0.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

ymuv.exe

pid process

1156 ymuv.exe

pid	process
1156	ymuv.exe

C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.4.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.4.0.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Roaming\Okvi\ymuv.exe
"C:\Users\Admin\AppData\Roaming\Okvi\ymuv.exe" -r
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1156

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\UNCATE~1.EXE >> NUL if exist C:\Users\Admin\AppData\Local\Temp\UNCATE~1.EXE goto repeat
2⤵
- Deletes itself
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Okvi\ymuv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Okvi\ymuv.exe

Download Submit
\Users\Admin\AppData\Roaming\Okvi\ymuv.exe

Download Submit
memory/804-0-0x00000000021C0000-0x0000000002361000-memory.dmp

Filesize
1.6MB

Download
memory/1032-6-0x0000000000000000-mapping.dmp

Download
memory/1032-7-0x0000000000070000-0x00000000002F1000-memory.dmp

Filesize
2.5MB

Download
memory/1156-2-0x0000000000000000-mapping.dmp

Download
memory/1156-4-0x00000000021C0000-0x0000000002361000-memory.dmp

Filesize
1.6MB

Download
memory/1516-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads