Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:38
Static task: static1
Behavioral task: behavioral1
- Sample: tasks_137.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: tasks_137.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: tasks_137.vir.exe
- Size: 137KB
- MD5: 54a79ec504774ba90fdb75e361ab8273
- SHA1: 5f9a3d9c66b2a77fc81d6e9b330aa5a8e87b00e4
- SHA256: 970720560dfd7943751a84cc89c6361800abb98cb23e9daa66c459cacebd3e92
- SHA512: 00ab17a16a1ca2dab7ea0a0f65d81945e456a4b0653aa49942dfe67b4916491f4b6885b59fffc35adc756b795526ba1a6ef77a48185c917f71702c83ebeb9275
- Score: 8/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: tasks_137.vir.exe, seuvke.exe, seuvke.exe
Description                        PID   Process            Target process   Count
PID 992 wrote to memory of 1548    992   tasks_137.vir.exe  seuvke.exe       3
PID 992 wrote to memory of 1816    992   tasks_137.vir.exe  cmd.exe          3
PID 1548 wrote to memory of 2128   1548  seuvke.exe         seuvke.exe       9
PID 2128 wrote to memory of 3972   2128  seuvke.exe         ctfmon.exe       3
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes: seuvke.exe
PID   Process     Count
2128  seuvke.exe  22
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: seuvke.exe
PID   Process     Count
2128  seuvke.exe  2
-
Drops file in Windows directory 1 IoCs
Processes: tasks_137.vir.exe
Description   IoC                                                        Process
File created  C:\Windows\Tasks\Security Center Update - 2216425076.job   tasks_137.vir.exe
-
Drops file in System32 directory 2 IoCs
Processes: tasks_137.vir.exe
Description                   IoC                              Process
File opened for modification  C:\Windows\SysWOW64\winsec.exe   tasks_137.vir.exe
File created                  C:\Windows\SysWOW64\winsec.exe   tasks_137.vir.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: seuvke.exe
Description      IoC                                                                                                                              Process
Key created      \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                    seuvke.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\3657703220 = "C:\\Users\\Admin\\AppData\\Roaming\\Yncazel\\seuvke.exe"   seuvke.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                    seuvke.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3657703220 = "C:\\Users\\Admin\\AppData\\Roaming\\Yncazel\\seuvke.exe"   seuvke.exe
-
Executes dropped EXE 3 IoCs
Processes: winsec.exe, seuvke.exe, seuvke.exe
PID   Process
1072  winsec.exe
1548  seuvke.exe
2128  seuvke.exe
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\tasks_137.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tasks_137.vir.exe"
   - Suspicious use of WriteProcessMemory
   - Drops file in Windows directory
   - Drops file in System32 directory
   2⤵ C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe"
      - Suspicious use of WriteProcessMemory
      - Adds Run key to start application
      - Executes dropped EXE
      3⤵ C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe" -child
         - Suspicious use of WriteProcessMemory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Executes dropped EXE
         4⤵ C:\Windows\SysWOW64\ctfmon.exe
            Command line: ctfmon.exe
   2⤵ C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmped67d3ad.bat"
1⤵ C:\Windows\SysWOW64\winsec.exe
   Command line: "C:\Windows\SysWOW64\winsec.exe" -service "C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe"
   - Executes dropped EXE
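The Signatures and Processes sections above give the complete chain: the sample in %TEMP% drops seuvke.exe into a random Roaming folder and winsec.exe into SysWOW64, writes a legacy .job file into C:\Windows\Tasks, registers a numeric-named Run value under both HKCU and HKLM\WOW6432Node, spawns a "-child" copy of itself that enumerates processes, installs a Windows hook and writes into ctfmon.exe, and cleans up through cmd.exe and a temporary .bat. The script below is an added example, not part of the sandbox report or its tooling. It does two things: it parses the report's own flattened WriteProcessMemory rows into a counted edge list so the writes into a process the chain did not itself drop (ctfmon.exe, cmd.exe) stand out, and it runs four hunting rules derived from the report's IoCs over host telemetry. The telemetry records (SAMPLE_EVENTS), their field names ("kind", "image", "target", "access", ...) and the two benign control rows are constructed here and modelled only loosely on Sysmon-style events; they are not a real sensor format.

```python
"""Added example (not from the sandbox report): triage tooling built from its IoCs.

parse_wpm_rows()  - turns the report's flattened "WriteProcessMemory" rows into
                    {(src_pid, dst_pid, src_image, dst_image): count}.
foreign_targets() - keeps only writes into processes the chain did not drop itself.
evaluate()        - runs hunting rules over constructed, Sysmon-like event dicts.
"""
import re
from collections import Counter

# Reproduced from the report's WriteProcessMemory section (18 rows in total).
REPORT_WPM_TEXT = (
    "PID 992 wrote to memory of 1548 992 tasks_137.vir.exe seuvke.exe " * 3
    + "PID 992 wrote to memory of 1816 992 tasks_137.vir.exe cmd.exe " * 3
    + "PID 1548 wrote to memory of 2128 1548 seuvke.exe seuvke.exe " * 9
    + "PID 2128 wrote to memory of 3972 2128 seuvke.exe ctfmon.exe " * 3
)
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_wpm_rows(text):
    """Counter of (src_pid, dst_pid, src_image, dst_image) edges found in text."""
    return Counter((int(s), int(d), si, di) for s, d, si, di in WPM_ROW.findall(text))


def foreign_targets(edges):
    """Drop writes into another copy of a writer image (parent->child hand-off);
    what remains are writes into processes the chain did not itself launch as its own binary."""
    writers = {src_img for (_, _, src_img, _) in edges}
    return {k: v for k, v in edges.items() if k[3] not in writers}


# Hunting rules. Paths follow the report (32-bit sample on x64, hence SysWOW64/WOW6432Node).
RUN_VALUE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
USER_PATH = re.compile(r"^C:\\Users\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
LEGACY_JOB = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)


def run_value_to_profile(e):
    # Run value whose name is digits only and whose data points into a user profile.
    m = RUN_VALUE.search(e.get("key", ""))
    return (e["kind"] == "reg_set" and m is not None and m.group(1).isdigit()
            and USER_PATH.match(e["data"].strip('"')) is not None)


def user_binary_drops_into_system_dir(e):
    # A process running from C:\Users creating a file under System32/SysWOW64.
    return (e["kind"] == "file_create" and SYSTEM_DIR.match(e["target"]) is not None
            and USER_PATH.match(e["image"]) is not None)


def user_binary_writes_legacy_job(e):
    # *.job in C:\Windows\Tasks is the Task Scheduler 1.0 format; a process under
    # C:\Users producing one directly is unusual on a current Windows build.
    return (e["kind"] == "file_create" and LEGACY_JOB.match(e["target"]) is not None
            and USER_PATH.match(e["image"]) is not None)


def user_binary_writes_system_process(e):
    # WriteProcessMemory from a C:\Users binary into a process whose image lives in a system dir.
    return (e["kind"] == "proc_access" and e["access"] == "WriteProcessMemory"
            and SYSTEM_DIR.match(e["target_image"]) is not None
            and USER_PATH.match(e["image"]) is not None)


RULES = [run_value_to_profile, user_binary_drops_into_system_dir,
         user_binary_writes_legacy_job, user_binary_writes_system_process]


def evaluate(events):
    """Return [(rule_name, pid, image)] for every event that trips a rule."""
    return [(r.__name__, e["pid"], e["image"]) for e in events for r in RULES if r(e)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\tasks_137.vir.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe"
# Constructed telemetry: values mirror the report's IoCs, plus two benign control rows.
SAMPLE_EVENTS = [
    {"kind": "reg_set", "pid": 2128, "image": DROPPED, "data": DROPPED,
     "key": r"\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\3657703220"},
    {"kind": "reg_set", "pid": 2128, "image": DROPPED, "data": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3657703220"},
    {"kind": "file_create", "pid": 992, "image": SAMPLE, "target": r"C:\Windows\SysWOW64\winsec.exe"},
    {"kind": "file_create", "pid": 992, "image": SAMPLE,
     "target": r"C:\Windows\Tasks\Security Center Update - 2216425076.job"},
    {"kind": "proc_access", "pid": 2128, "image": DROPPED, "access": "WriteProcessMemory",
     "target_pid": 3972, "target_image": r"C:\Windows\SysWOW64\ctfmon.exe"},
    {"kind": "reg_set", "pid": 4000, "image": r"C:\Program Files\Vendor\Updater.exe",  # benign (invented)
     "data": r"C:\Program Files\Vendor\Updater.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"kind": "file_create", "pid": 1200, "image": r"C:\Windows\System32\msiexec.exe",  # benign (invented)
     "target": r"C:\Windows\SysWOW64\vendor.dll"},
]

if __name__ == "__main__":
    for edge, n in sorted(foreign_targets(parse_wpm_rows(REPORT_WPM_TEXT)).items()):
        print(f"{edge[2]} ({edge[0]}) -> {edge[3]} ({edge[1]}): {n} writes")
    for hit in evaluate(SAMPLE_EVENTS):
        print(*hit)
```

The edge filter is deliberately crude: the nine writes from seuvke.exe (1548) into its own "-child" copy (2128) are dropped as a parent-to-child hand-off, which hides a possible hollowing of that child, so the count is still worth reading before discarding it. The rules key on what the report shows (user-profile origin, system-directory target, all-digit Run value name) rather than on the specific names seuvke.exe, winsec.exe or Yncazel, which a sample like this generates per install.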
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XLNG8L02.cookie
- C:\Users\Admin\AppData\Local\Temp\tmped67d3ad.bat
- C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe
- C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe
- C:\Users\Admin\AppData\Roaming\Yncazel\seuvke.exe
- C:\Windows\SysWOW64\winsec.exe
- C:\Windows\SysWOW64\winsec.exe
- memory/1548-3-0x0000000000000000-mapping.dmp
- memory/1816-5-0x0000000000000000-mapping.dmp
- memory/2128-6-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize 4KB)
- memory/2128-11-0x0000000000000000-mapping.dmp
- memory/2128-10-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize 4KB)
- memory/2128-9-0x00000000001E0000-0x00000000001E0002-memory.dmp (Filesize 2B)
- memory/2128-7-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize 4KB)
- memory/3972-14-0x0000000000000000-mapping.dmp