Overview

overview

8

Static

static

uncategori...ir.exe

windows7_x64

8

uncategori...ir.exe

windows10_x64

5

Analysis

  • max time kernel
    151s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    19-07-2020 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uncategorized_0.5.4.3.vir.exe

  • Size

    139KB

  • MD5

    4645ee774d4191213ba90469f765b200

  • SHA1

    b3510f9c344145c10c10117f56e30ebd534b425e

  • SHA256

    a45341621c1e3e058096ae5b6829202aadb5bfd4b06dfa4a9e66249d2db500c9

  • SHA512

    affb42ce81b55a7744f325b32c8c8c733fa2446e5debcb63a429ddd5290ca73f108744a00a555b8dc714ec1a3b659e372581390e9978b9b4f6382c49ff309fef

Score
8/10
spywarepersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Deletes itself 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of WriteProcessMemory 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Loads dropped DLL 2 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1172
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1260
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1296
          • C:\Users\Admin\AppData\Local\Temp\uncategorized_0.5.4.3.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\uncategorized_0.5.4.3.vir.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SetThreadContext
            PID:1068
            • C:\Users\Admin\AppData\Local\Temp\uncategorized_0.5.4.3.vir.exe
              C:\Users\Admin\AppData\Local\Temp\uncategorized_0.5.4.3.vir.exe
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of WriteProcessMemory
              • Suspicious use of AdjustPrivilegeToken
              • Loads dropped DLL
              PID:1328
              • C:\Users\Admin\AppData\Roaming\Viarx\yfar.exe
                "C:\Users\Admin\AppData\Roaming\Viarx\yfar.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                • Suspicious use of SetThreadContext
                PID:752
                • C:\Users\Admin\AppData\Roaming\Viarx\yfar.exe
                  C:\Users\Admin\AppData\Roaming\Viarx\yfar.exe
                  5⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  • Adds Run key to start application
                  PID:1640
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc4c28423.bat"
                4⤵
                • Deletes itself
                PID:1100
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
          1⤵
            PID:1700
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1760

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpc4c28423.bat
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Viarx\yfar.exe
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Viarx\yfar.exe
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Viarx\yfar.exe
              Download Submit
            • \Users\Admin\AppData\Roaming\Viarx\yfar.exe
              Download Submit
            • \Users\Admin\AppData\Roaming\Viarx\yfar.exe
              Download Submit
            • memory/752-5-0x0000000000000000-mapping.dmp
              Download
            • memory/1100-13-0x0000000000000000-mapping.dmp
              Download
            • memory/1100-14-0x0000000000000000-mapping.dmp
              Download
            • memory/1328-0-0x0000000000400000-0x0000000000428000-memory.dmp
              Filesize

              160KB

              Download
            • memory/1328-2-0x0000000000400000-0x0000000000428000-memory.dmp
              Filesize

              160KB

              Download
            • memory/1328-12-0x00000000004177F2-mapping.dmp
              Download
            • memory/1328-1-0x00000000004177F2-mapping.dmp
              Download
            • memory/1640-9-0x00000000004177F2-mapping.dmp
              Download
            • memory/1640-16-0x0000000003080000-0x0000000003081000-memory.dmp
              Filesize

              4KB

              Download