Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
19-07-2020 19:52
Static task
static1
Behavioral task
behavioral1
Sample
tasks_196.vir.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
tasks_196.vir.exe
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
tasks_196.vir.exe
-
Size
229KB
-
MD5
5bfda10184fb2ea0246db7f121bb9b22
-
SHA1
b22541ca672cb19b440e222133da6f220fa9027e
-
SHA256
6771d8d0431034fdd65f892475bfb38597457ccb65a7b2d46dd37579e22ebd4d
-
SHA512
08bfa9e2ac0ae48186fb7705da0a4ac80a9d10e131d4cccee1624f93cdc2d3c6878e81130c173171c8decc4ec8db4d46bfa225c513f518cf6d51b33907f1dbb0
Score
8/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
Explorer.EXEdescription pid process Token: SeShutdownPrivilege 2992 Explorer.EXE Token: SeCreatePagefilePrivilege 2992 Explorer.EXE Token: SeShutdownPrivilege 2992 Explorer.EXE Token: SeCreatePagefilePrivilege 2992 Explorer.EXE Token: SeShutdownPrivilege 2992 Explorer.EXE Token: SeCreatePagefilePrivilege 2992 Explorer.EXE Token: SeShutdownPrivilege 2992 Explorer.EXE Token: SeCreatePagefilePrivilege 2992 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
yqzan.exepid process 1128 yqzan.exe 1128 yqzan.exe -
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
Explorer.EXEyqzan.exewinsec32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gotaukreawwyasu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ekludu\\yqzan.exe\"" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run yqzan.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run yqzan.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run winsec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gotaukreawwyasu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ekludu\\yqzan.exe\"" winsec32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gotaukreawwyasu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ekludu\\yqzan.exe\"" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gotaukreawwyasu = "C:\\Users\\Admin\\AppData\\Roaming\\Ekludu\\yqzan.exe" yqzan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gotaukreawwyasu = "C:\\Users\\Admin\\AppData\\Roaming\\Ekludu\\yqzan.exe" yqzan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Explorer.EXE -
Drops file in Windows directory 1 IoCs
Processes:
tasks_196.vir.exedescription ioc process File created C:\Windows\Tasks\Security Center Update - 1632517818.job tasks_196.vir.exe -
Drops file in System32 directory 2 IoCs
Processes:
tasks_196.vir.exedescription ioc process File created C:\Windows\SysWOW64\winsec32.exe tasks_196.vir.exe File opened for modification C:\Windows\SysWOW64\winsec32.exe tasks_196.vir.exe -
Executes dropped EXE 3 IoCs
Processes:
winsec32.exeyqzan.exeyqzan.exepid process 3636 winsec32.exe 516 yqzan.exe 1128 yqzan.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
tasks_196.vir.exeyqzan.exeyqzan.exedescription pid process target process PID 1008 wrote to memory of 516 1008 tasks_196.vir.exe yqzan.exe PID 1008 wrote to memory of 516 1008 tasks_196.vir.exe yqzan.exe PID 1008 wrote to memory of 516 1008 tasks_196.vir.exe yqzan.exe PID 516 wrote to memory of 2992 516 yqzan.exe Explorer.EXE PID 516 wrote to memory of 2992 516 yqzan.exe Explorer.EXE PID 516 wrote to memory of 2992 516 yqzan.exe Explorer.EXE PID 516 wrote to memory of 2992 516 yqzan.exe Explorer.EXE PID 516 wrote to memory of 2992 516 yqzan.exe Explorer.EXE PID 516 wrote to memory of 2992 516 yqzan.exe Explorer.EXE PID 516 wrote to memory of 2992 516 yqzan.exe Explorer.EXE PID 1008 wrote to memory of 1000 1008 tasks_196.vir.exe cmd.exe PID 1008 wrote to memory of 1000 1008 tasks_196.vir.exe cmd.exe PID 1008 wrote to memory of 1000 1008 tasks_196.vir.exe cmd.exe PID 516 wrote to memory of 1128 516 yqzan.exe yqzan.exe PID 516 wrote to memory of 1128 516 yqzan.exe yqzan.exe PID 516 wrote to memory of 1128 516 yqzan.exe yqzan.exe PID 1128 wrote to memory of 1552 1128 yqzan.exe ctfmon.exe PID 1128 wrote to memory of 1552 1128 yqzan.exe ctfmon.exe PID 1128 wrote to memory of 1552 1128 yqzan.exe ctfmon.exe -
Suspicious behavior: EnumeratesProcesses 104 IoCs
Processes:
yqzan.exeyqzan.exepid process 516 yqzan.exe 516 yqzan.exe 516 yqzan.exe 516 yqzan.exe 516 yqzan.exe 516 yqzan.exe 516 yqzan.exe 516 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe 1128 yqzan.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\tasks_196.vir.exe"C:\Users\Admin\AppData\Local\Temp\tasks_196.vir.exe"2⤵
- Drops file in Windows directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Ekludu\yqzan.exe"C:\Users\Admin\AppData\Roaming\Ekludu\yqzan.exe"3⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Ekludu\yqzan.exe"C:\Users\Admin\AppData\Roaming\Ekludu\yqzan.exe" -child4⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\ctfmon.exectfmon.exe5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfcf0d1a9.bat"3⤵
-
C:\Windows\SysWOW64\winsec32.exe"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Ekludu\yqzan.exe"1⤵
- Adds Run key to start application
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FW1FAYFO.cookie
-
C:\Users\Admin\AppData\Local\Temp\tmpfcf0d1a9.bat
-
C:\Users\Admin\AppData\Roaming\Ekludu\yqzan.exe
-
C:\Users\Admin\AppData\Roaming\Ekludu\yqzan.exe
-
C:\Users\Admin\AppData\Roaming\Ekludu\yqzan.exe
-
C:\Windows\SysWOW64\winsec32.exe
-
C:\Windows\SysWOW64\winsec32.exe
-
memory/516-3-0x0000000000000000-mapping.dmp
-
memory/1000-11-0x0000000000000000-mapping.dmp
-
memory/1128-13-0x0000000000000000-mapping.dmp
-
memory/1552-15-0x0000000000000000-mapping.dmp
-
memory/2992-5-0x0000000000E10000-0x0000000000E11000-memory.dmpFilesize
4KB