Analysis
max time kernel: 150s
max time network: 149s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: tasks_188.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: tasks_188.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: tasks_188.vir.exe
Size: 226KB
MD5: d36d308b43b5451c72203b2e0c99d9b0
SHA1: d34ff4e2491da20f2a982fa73d0d6ab9e2102b0b
SHA256: 10da9cfc721819a55d159253469b7a88c803241d8eda417854d5348bbaf12d60
SHA512: 07a2cfe21e62ecb8286edff7be2e9e20146354b491f8e202aee6189af490ec0591293da88e7d97d45ad4c693b09127278958631182ac265cfef45b553f8d1a66
Score: 8/10
Malware Config
Signatures
Drops file in System32 directory (2 IoCs)
Processes: tasks_188.vir.exe
description | ioc | process
File created | C:\Windows\SysWOW64\winsec32.exe | tasks_188.vir.exe
File opened for modification | C:\Windows\SysWOW64\winsec32.exe | tasks_188.vir.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: winsec32.exe, Explorer.EXE, vuvehy.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | winsec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Explorer.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Baaratcyer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tycief\\vuvehy.exe\"" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Baaratcyer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tycief\\vuvehy.exe\"" | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | vuvehy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Baaratcyer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tycief\\vuvehy.exe\"" | winsec32.exe
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | vuvehy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Baaratcyer = "C:\\Users\\Admin\\AppData\\Roaming\\Tycief\\vuvehy.exe" | vuvehy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Baaratcyer = "C:\\Users\\Admin\\AppData\\Roaming\\Tycief\\vuvehy.exe" | vuvehy.exe
Drops file in Windows directory (1 IoC)
Processes: tasks_188.vir.exe
description | ioc | process
File created | C:\Windows\Tasks\Security Center Update - 3176150108.job | tasks_188.vir.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: tasks_188.vir.exe, vuvehy.exe, vuvehy.exe
description | pid | process | target process
PID 3100 wrote to memory of 3856 | 3100 | tasks_188.vir.exe | vuvehy.exe
PID 3100 wrote to memory of 3856 | 3100 | tasks_188.vir.exe | vuvehy.exe
PID 3100 wrote to memory of 3856 | 3100 | tasks_188.vir.exe | vuvehy.exe
PID 3100 wrote to memory of 3820 | 3100 | tasks_188.vir.exe | cmd.exe
PID 3100 wrote to memory of 3820 | 3100 | tasks_188.vir.exe | cmd.exe
PID 3100 wrote to memory of 3820 | 3100 | tasks_188.vir.exe | cmd.exe
PID 3856 wrote to memory of 3020 | 3856 | vuvehy.exe | Explorer.EXE
PID 3856 wrote to memory of 3932 | 3856 | vuvehy.exe | vuvehy.exe
PID 3856 wrote to memory of 3932 | 3856 | vuvehy.exe | vuvehy.exe
PID 3856 wrote to memory of 3932 | 3856 | vuvehy.exe | vuvehy.exe
PID 3856 wrote to memory of 3020 | 3856 | vuvehy.exe | Explorer.EXE
PID 3856 wrote to memory of 3020 | 3856 | vuvehy.exe | Explorer.EXE
PID 3856 wrote to memory of 3020 | 3856 | vuvehy.exe | Explorer.EXE
PID 3856 wrote to memory of 3020 | 3856 | vuvehy.exe | Explorer.EXE
PID 3856 wrote to memory of 3020 | 3856 | vuvehy.exe | Explorer.EXE
PID 3856 wrote to memory of 3020 | 3856 | vuvehy.exe | Explorer.EXE
PID 3932 wrote to memory of 2600 | 3932 | vuvehy.exe | ctfmon.exe
PID 3932 wrote to memory of 2600 | 3932 | vuvehy.exe | ctfmon.exe
PID 3932 wrote to memory of 2600 | 3932 | vuvehy.exe | ctfmon.exe
Suspicious behavior: EnumeratesProcesses (104 IoCs)
Processes: vuvehy.exe, vuvehy.exe
pid | process
3856 | vuvehy.exe (8 repeated entries)
3932 | vuvehy.exe (remaining repeated entries)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: Explorer.EXE
description | pid | process
Token: SeShutdownPrivilege | 3020 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3020 | Explorer.EXE
Token: SeShutdownPrivilege | 3020 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3020 | Explorer.EXE
Token: SeShutdownPrivilege | 3020 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3020 | Explorer.EXE
Token: SeShutdownPrivilege | 3020 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3020 | Explorer.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: vuvehy.exe
pid | process
3932 | vuvehy.exe
3932 | vuvehy.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: Explorer.EXE
pid | process
3020 | Explorer.EXE
Executes dropped EXE (3 IoCs)
Processes: winsec32.exe, vuvehy.exe, vuvehy.exe
pid | process
3064 | winsec32.exe
3856 | vuvehy.exe
3932 | vuvehy.exe
Suspicious use of SendNotifyMessage (1 IoC)
Processes: Explorer.EXE
pid | process
3020 | Explorer.EXE
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Users\Admin\AppData\Local\Temp\tasks_188.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tasks_188.vir.exe"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Tycief\vuvehy.exe
      command line: "C:\Users\Admin\AppData\Roaming\Tycief\vuvehy.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      C:\Users\Admin\AppData\Roaming\Tycief\vuvehy.exe
        command line: "C:\Users\Admin\AppData\Roaming\Tycief\vuvehy.exe" -child
        - Suspicious use of WriteProcessMemory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Executes dropped EXE
        C:\Windows\SysWOW64\ctfmon.exe
          command line: ctfmon.exe
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1d17c8e3.bat"
C:\Windows\SysWOW64\winsec32.exe
  command line: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Tycief\vuvehy.exe"
  - Adds Run key to start application
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1FN90P84.cookie
- C:\Users\Admin\AppData\Local\Temp\tmp1d17c8e3.bat
- C:\Users\Admin\AppData\Roaming\Tycief\vuvehy.exe
- C:\Users\Admin\AppData\Roaming\Tycief\vuvehy.exe
- C:\Users\Admin\AppData\Roaming\Tycief\vuvehy.exe
- C:\Windows\SysWOW64\winsec32.exe
- C:\Windows\SysWOW64\winsec32.exe
- memory/2600-15-0x0000000000000000-mapping.dmp
- memory/3020-6-0x0000000002FF0000-0x0000000002FF1000-memory.dmp (Filesize: 4KB)
- memory/3820-5-0x0000000000000000-mapping.dmp
- memory/3856-3-0x0000000000000000-mapping.dmp
- memory/3932-7-0x0000000000000000-mapping.dmp