85e0ff2f0c03b8d8ce1d32b446dcef0e32b79fa581a9c27dcf4d0bb92c6b167f

General

Target

uncategorized_1.2.0.0.vir.exe
Size

368KB
MD5

182bbd5dccd1470d10e6b062d39c95d7
SHA1

fc0f485b4e178293c3b3eb26c87a38172cf6ccbb
SHA256

85e0ff2f0c03b8d8ce1d32b446dcef0e32b79fa581a9c27dcf4d0bb92c6b167f
SHA512

edf99f5982240fc22d40c3bceef2f2146122bfa46806c0de320eebe8ef7631d71e4a85fdfe054dca835982adb852cfe138ff798af1341cc9dd891f8b79edfd36

Score

8^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\edewilw = "C:\\Users\\Admin\\AppData\\Roaming\\Egsef\\goed.exe"	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uncategorized_1.2.0.0.vir.exe

description pid process

Token: SeSecurityPrivilege 1400 uncategorized_1.2.0.0.vir.exe
Token: SeSecurityPrivilege 1400 uncategorized_1.2.0.0.vir.exe
Loads dropped DLL 2 IoCs

Processes:

uncategorized_1.2.0.0.vir.exe

pid process

1400 uncategorized_1.2.0.0.vir.exe
1400 uncategorized_1.2.0.0.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1400	uncategorized_1.2.0.0.vir.exe
Token: SeSecurityPrivilege	1400	uncategorized_1.2.0.0.vir.exe

pid	process
1400	uncategorized_1.2.0.0.vir.exe
1400	uncategorized_1.2.0.0.vir.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

uncategorized_1.2.0.0.vir.exegoed.exe

description	pid	process	target process
PID 1400 wrote to memory of 1456	1400	uncategorized_1.2.0.0.vir.exe	goed.exe
PID 1400 wrote to memory of 1456	1400	uncategorized_1.2.0.0.vir.exe	goed.exe
PID 1400 wrote to memory of 1456	1400	uncategorized_1.2.0.0.vir.exe	goed.exe
PID 1400 wrote to memory of 1456	1400	uncategorized_1.2.0.0.vir.exe	goed.exe
PID 1456 wrote to memory of 1012	1456	goed.exe	explorer.exe
PID 1456 wrote to memory of 1012	1456	goed.exe	explorer.exe
PID 1456 wrote to memory of 1012	1456	goed.exe	explorer.exe
PID 1456 wrote to memory of 1012	1456	goed.exe	explorer.exe
PID 1400 wrote to memory of 1508	1400	uncategorized_1.2.0.0.vir.exe	cmd.exe
PID 1400 wrote to memory of 1508	1400	uncategorized_1.2.0.0.vir.exe	cmd.exe
PID 1400 wrote to memory of 1508	1400	uncategorized_1.2.0.0.vir.exe	cmd.exe
PID 1400 wrote to memory of 1508	1400	uncategorized_1.2.0.0.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

goed.exe

pid process

1456 goed.exe
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

goed.exeexplorer.exe

pid process

1456 goed.exe
1456 goed.exe
1012 explorer.exe
1012 explorer.exe
1012 explorer.exe
1012 explorer.exe
1012 explorer.exe
1012 explorer.exe
1012 explorer.exe

pid	process
1456	goed.exe

pid	process
1456	goed.exe
1456	goed.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe

Suspicious behavior: EnumeratesProcesses 288 IoCs

Processes:

explorer.exe

pid	process
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1508 cmd.exe

pid	process
1508	cmd.exe

C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_1.2.0.0.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\Egsef\goed.exe
"C:\Users\Admin\AppData\Roaming\Egsef\goed.exe" -r
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:1456

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
PID:1012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\UNCATE~1.EXE >> NUL if exist C:\Users\Admin\AppData\Local\Temp\UNCATE~1.EXE goto repeat
2⤵
- Deletes itself
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Egsef\goed.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Egsef\goed.exe

Download Submit
\Users\Admin\AppData\Roaming\Egsef\goed.exe

Download Submit
\Users\Admin\AppData\Roaming\Egsef\goed.exe

Download Submit
memory/1012-7-0x0000000000000000-mapping.dmp

Download
memory/1012-8-0x00000000007E0000-0x0000000000A61000-memory.dmp

Filesize
2.5MB

Download
memory/1400-0-0x00000000021A0000-0x00000000022BD000-memory.dmp

Filesize
1.1MB

Download
memory/1456-3-0x0000000000000000-mapping.dmp

Download
memory/1456-5-0x00000000006F0000-0x000000000080D000-memory.dmp

Filesize
1.1MB

Download
memory/1508-9-0x0000000000000000-mapping.dmp

Download
memory/1508-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads