Analysis
- max time kernel: 151s
- max time network: 138s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:46
- Static task: static1
- Behavioral task: behavioral1
  Sample: tasks_184.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
- Behavioral task: behavioral2
  Sample: tasks_184.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: tasks_184.vir.exe
- Size: 212KB
- MD5: b39e62bc394874ceaa28fcaa1b236ec8
- SHA1: bc32d211d743ebf25b1b85aa2b1d064c774d5982
- SHA256: e731b927c5495ac3c0255b048dd5c0df742658beaab3051acc077e751cefd024
- SHA512: ee509a26a13d4fb7b24182f2ae1dd7b69ac3d8bac99949728a5a1927c0351ccb900402cb6c424f5ad63e570e1f8d307ff23cb54e4b485ff819e5815d4189eac0
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
  description | pid | process | target process
  PID 1144 wrote to memory of 1464 | 1144 | tasks_184.vir.exe | usilf.exe (x4)
  PID 1464 wrote to memory of 1276 | 1464 | usilf.exe | Explorer.EXE (x2)
  PID 1144 wrote to memory of 784 | 1144 | tasks_184.vir.exe | cmd.exe (x4)
  PID 1464 wrote to memory of 540 | 1464 | usilf.exe | usilf.exe (x4)
  PID 1464 wrote to memory of 1276 | 1464 | usilf.exe | Explorer.EXE (x5)
  PID 540 wrote to memory of 1780 | 540 | usilf.exe | ctfmon.exe (x4)
- Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  540 | usilf.exe (x2)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1276 | Explorer.EXE
- Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid | process
  1276 | Explorer.EXE (x4)
- Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\Security Center Update - 1867008100.job | tasks_184.vir.exe
- Suspicious behavior: EnumeratesProcesses (84 IoCs)
Processes:
  pid | process
  1464 | usilf.exe (x7)
  540 | usilf.exe (x77)
- Adds Run key to start application (2 TTPs, 10 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ulkidaemyhp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Xaesqu\\usilf.exe\"" | winsec32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Explorer.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ulkidaemyhp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Xaesqu\\usilf.exe\"" | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | usilf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ulkidaemyhp = "C:\\Users\\Admin\\AppData\\Roaming\\Xaesqu\\usilf.exe" | usilf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ulkidaemyhp = "C:\\Users\\Admin\\AppData\\Roaming\\Xaesqu\\usilf.exe" | usilf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | winsec32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ulkidaemyhp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Xaesqu\\usilf.exe\"" | Explorer.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | usilf.exe
- Modifies Internet Explorer settings (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | usilf.exe
- Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  1120 | winsec32.exe
  1464 | usilf.exe
  540 | usilf.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
  pid | process
  1276 | Explorer.EXE (x5)
- Drops file in System32 directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\winsec32.exe | tasks_184.vir.exe
  File opened for modification | C:\Windows\SysWOW64\winsec32.exe | tasks_184.vir.exe
- Loads dropped DLL (1 IoCs)
Processes:
  pid | process
  1144 | tasks_184.vir.exe
- Deletes itself (1 IoCs)
Processes:
  pid | process
  784 | cmd.exe
- Checks whether UAC is enabled (1 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled
  - C:\Users\Admin\AppData\Local\Temp\tasks_184.vir.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tasks_184.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Drops file in Windows directory
    - Drops file in System32 directory
    - Loads dropped DLL
    - C:\Users\Admin\AppData\Roaming\Xaesqu\usilf.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Xaesqu\usilf.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
      - Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\Xaesqu\usilf.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Xaesqu\usilf.exe" -child
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetWindowsHookEx
        - Suspicious behavior: EnumeratesProcesses
        - Modifies Internet Explorer settings
        - Executes dropped EXE
        - C:\Windows\SysWOW64\ctfmon.exe (depth 5)
          Command line: ctfmon.exe
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf2613ac4.bat"
      - Deletes itself
- C:\Windows\SysWOW64\winsec32.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Xaesqu\usilf.exe"
  - Adds Run key to start application
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpf2613ac4.bat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H9ETUR54.txt
- C:\Users\Admin\AppData\Roaming\Xaesqu\usilf.exe
- C:\Users\Admin\AppData\Roaming\Xaesqu\usilf.exe
- C:\Users\Admin\AppData\Roaming\Xaesqu\usilf.exe
- C:\Windows\SysWOW64\winsec32.exe
- C:\Windows\SysWOW64\winsec32.exe
- \Users\Admin\AppData\Roaming\Xaesqu\usilf.exe
- memory/540-9-0x0000000000000000-mapping.dmp
- memory/784-8-0x0000000000000000-mapping.dmp
- memory/1276-6-0x00000000049B0000-0x00000000049B1000-memory.dmp (Filesize: 4KB)
- memory/1464-4-0x0000000000000000-mapping.dmp
- memory/1780-16-0x0000000000000000-mapping.dmp