Analysis
- max time kernel: 151s
- max time network: 32s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 17:32

Static task: static1

Behavioral task: behavioral1
- Sample: uncategorized_1.2.0.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: uncategorized_1.2.0.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: uncategorized_1.2.0.0.vir.exe
- Size: 368KB
- MD5: 182bbd5dccd1470d10e6b062d39c95d7
- SHA1: fc0f485b4e178293c3b3eb26c87a38172cf6ccbb
- SHA256: 85e0ff2f0c03b8d8ce1d32b446dcef0e32b79fa581a9c27dcf4d0bb92c6b167f
- SHA512: edf99f5982240fc22d40c3bceef2f2146122bfa46806c0de320eebe8ef7631d71e4a85fdfe054dca835982adb852cfe138ff798af1341cc9dd891f8b79edfd36
- Score: 8/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\edewilw = "C:\Users\Admin\AppData\Roaming\Egsef\goed.exe"
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - uncategorized_1.2.0.0.vir.exe (PID 1400): Token SeSecurityPrivilege (2 occurrences)
- Loads dropped DLL (2 IoCs)
  - uncategorized_1.2.0.0.vir.exe (PID 1400) (2 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1400 uncategorized_1.2.0.0.vir.exe wrote to memory of PID 1456 goed.exe (4 occurrences)
  - PID 1456 goed.exe wrote to memory of PID 1012 explorer.exe (4 occurrences)
  - PID 1400 uncategorized_1.2.0.0.vir.exe wrote to memory of PID 1508 cmd.exe (4 occurrences)
- Executes dropped EXE (1 IoC)
  - goed.exe (PID 1456)
- Suspicious behavior: MapViewOfSection (9 IoCs)
  - goed.exe (PID 1456) (2 occurrences)
  - explorer.exe (PID 1012) (7 occurrences)
- Suspicious behavior: EnumeratesProcesses (288 IoCs)
  - explorer.exe (PID 1012); every entry the page lists comes from this process
- Deletes itself (1 IoC)
  - cmd.exe (PID 1508)
Processes
- C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.0.0.vir.exe (PID 1400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.0.0.vir.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Egsef\goed.exe (PID 1456)
    Command line: "C:\Users\Admin\AppData\Roaming\Egsef\goed.exe" -r
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\explorer.exe (PID 1012)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Adds Run key to start application
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 1508)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\UNCATE~1.EXE >> NUL if exist C:\Users\Admin\AppData\Local\Temp\UNCATE~1.EXE goto repeat
    - Deletes itself
    The del / if exist / goto repeat sequence keeps retrying the deletion until the original executable is no longer locked, i.e. once PID 1400 has exited, so the file in Temp is gone by the time the dropped copy under AppData\Roaming\Egsef runs on its own.
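The signature tables and the process tree above describe one chain: the sample writes into the dropped goed.exe, goed.exe writes into a freshly started explorer.exe, and that explorer.exe instance then sets the Run value pointing back at goed.exe. As an added example (not part of the sandbox report or of any tool the report was produced with), the following Python script parses the report's own flattened "WriteProcessMemory" and "Adds Run key" rows, rebuilds the writer-to-target process graph, and flags a Run value that was written by a WriteProcessMemory target and points at another WriteProcessMemory target. The row text is copied from this page (the WriteProcessMemory rows abridged to two of each of the four repeated entries); the regular expressions, function names and the verdict label are assumptions made for this example.

```python
"""Reconstruct the execution chain and persistence from sandbox signature rows.

Row strings are copied from this report's signature tables, flattened exactly
as the page renders them. Regexes, function names and verdict labels are
assumptions for this example, not part of the report or of any sandbox tool.
"""
import re
from collections import defaultdict

# Copied from the "Suspicious use of WriteProcessMemory" signature (abridged).
WRITE_PROCESS_MEMORY_ROWS = (
    "PID 1400 wrote to memory of 1456 1400 uncategorized_1.2.0.0.vir.exe goed.exe "
    "PID 1400 wrote to memory of 1456 1400 uncategorized_1.2.0.0.vir.exe goed.exe "
    "PID 1456 wrote to memory of 1012 1456 goed.exe explorer.exe "
    "PID 1456 wrote to memory of 1012 1456 goed.exe explorer.exe "
    "PID 1400 wrote to memory of 1508 1400 uncategorized_1.2.0.0.vir.exe cmd.exe "
    "PID 1400 wrote to memory of 1508 1400 uncategorized_1.2.0.0.vir.exe cmd.exe"
)

# Copied from the "Adds Run key to start application" signature.
RUN_KEY_ROWS = (
    r"Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000"
    r"\Software\Microsoft\Windows\Currentversion\Run explorer.exe "
    r"Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\edewilw = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Egsef\\goed.exe" explorer.exe'
)

# Assumed row grammar: "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>".
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
# Assumed row grammar: 'Set value (str) <key>\Run\<name> = "<path>" <writer_image>'.
RUN_RE = re.compile(r'Set value \(str\) (\S+\\Run\\(\S+)) = "([^"]+)" (\S+)')


def parse_write_process_memory(text):
    """Return deduplicated (src_pid, dst_pid, src_image, dst_image) tuples."""
    rows, seen = [], set()
    for m in WPM_RE.finditer(text):
        row = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def parse_run_values(text):
    """Return Run values as dicts; the report escapes backslashes, so unescape."""
    return [
        {
            "key": m.group(1),
            "value": m.group(2),
            "target": m.group(3).replace("\\\\", "\\"),
            "writer": m.group(4),
        }
        for m in RUN_RE.finditer(text)
    ]


def build_tree(wpm_rows):
    """Map each writer PID to the PIDs it wrote into, plus a PID -> image table."""
    children, images = defaultdict(list), {}
    for src, dst, src_img, dst_img in wpm_rows:
        images[src], images[dst] = src_img, dst_img
        if dst not in children[src]:
            children[src].append(dst)
    return children, images


def injection_chain(children, images, root):
    """Depth-first walk from root; return the longest writer->target path as image names."""
    best, stack = [root], [[root]]
    while stack:
        path = stack.pop()
        if len(path) > len(best):
            best = path
        for child in children.get(path[-1], []):
            if child not in path:          # guard against cycles in odd reports
                stack.append(path + [child])
    return [images[pid] for pid in best]


def assess_persistence(run_rows, wpm_rows):
    """Flag Run values written by a WPM target that point at another WPM target."""
    wpm_target_images = {dst_img for _, _, _, dst_img in wpm_rows}
    findings = []
    for row in run_rows:
        target_exe = row["target"].rsplit("\\", 1)[-1]
        writer_hit = row["writer"] in wpm_target_images
        target_hit = target_exe in wpm_target_images
        verdict = "injected-host persistence" if writer_hit and target_hit else "review"
        findings.append({**row, "target_exe": target_exe, "writer_was_wpm_target": writer_hit,
                         "target_was_wpm_target": target_hit, "verdict": verdict})
    return findings


def summarize():
    """Tie the two signatures together: root process, chain, persistence verdict."""
    wpm = parse_write_process_memory(WRITE_PROCESS_MEMORY_ROWS)
    children, images = build_tree(wpm)
    targets = {dst for _, dst, _, _ in wpm}
    roots = [pid for pid in images if pid not in targets]   # never written into
    chain = injection_chain(children, images, roots[0])
    return {"root": roots[0], "chain": chain,
            "persistence": assess_persistence(parse_run_values(RUN_KEY_ROWS), wpm)}


if __name__ == "__main__":
    result = summarize()
    print("root PID:", result["root"])
    print("chain:", " -> ".join(result["chain"]))
    for f in result["persistence"]:
        print(f'Run\\{f["value"]} -> {f["target"]} (written by {f["writer"]}): {f["verdict"]}')
```

The verdict rule is deliberately narrow: it does not fire on a Run value that the sample writes for itself, only on the pattern this report shows, where a system binary that received WriteProcessMemory calls persists a dropped executable that also received them. On a live host the same cross-reference can be made from Sysmon event IDs 8/10 (CreateRemoteThread/ProcessAccess) and 13 (registry value set).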
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Egsef\goed.exe
- \Users\Admin\AppData\Roaming\Egsef\goed.exe
- memory/1012-7-0x0000000000000000-mapping.dmp
- memory/1012-8-0x00000000007E0000-0x0000000000A61000-memory.dmp (2.5MB)
- memory/1400-0-0x00000000021A0000-0x00000000022BD000-memory.dmp (1.1MB)
- memory/1456-3-0x0000000000000000-mapping.dmp
- memory/1456-5-0x00000000006F0000-0x000000000080D000-memory.dmp (1.1MB)
- memory/1508-9-0x0000000000000000-mapping.dmp
- memory/1508-10-0x0000000000000000-mapping.dmp