068edc2dfe9430a15b84d3f941d2c9afbf95221e92580668d03dfeca2401b8ca

General

Target

tasks_166.vir.exe
Size

169KB
MD5

ef7f0c98fba6735e559b5190705a5116
SHA1

b29f63f03879b4dedefdd10f4c651c69506831e7
SHA256

068edc2dfe9430a15b84d3f941d2c9afbf95221e92580668d03dfeca2401b8ca
SHA512

1cd9f7446b91aac57cfdc057fc98e178d3b4a8d96033a4791ba6f13137c5c05097624d79ad5ba1c5a441d4906dd4174d2573697a8409e1b15d00f1b63692bc30

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

ipceca.exe

pid	process
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe
304	ipceca.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

792 cmd.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ipceca.exe

pid process

304 ipceca.exe
304 ipceca.exe

pid	process
792	cmd.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

tasks_166.vir.exewinsec32.exeipceca.exeipceca.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	tasks_166.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winsec32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	ipceca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	ipceca.exe

Drops file in Windows directory 1 IoCs

Processes:

tasks_166.vir.exe

description ioc process

File created C:\Windows\Tasks\Security Center Update - 195747346.job tasks_166.vir.exe

description	ioc	process
File created	C:\Windows\Tasks\Security Center Update - 195747346.job	tasks_166.vir.exe

Drops file in System32 directory 2 IoCs

Processes:

tasks_166.vir.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winsec32.exe	tasks_166.vir.exe
File opened for modification	C:\Windows\SysWOW64\winsec32.exe	tasks_166.vir.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ipceca.exewinsec32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\2741916052 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe"	ipceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ipceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2741916052 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe"	ipceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winsec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1567415885 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe"	winsec32.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ipceca.exe

Loads dropped DLL 1 IoCs

Processes:

tasks_166.vir.exe

pid process

1088 tasks_166.vir.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

ipceca.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main ipceca.exe

pid	process
1088	tasks_166.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	ipceca.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

tasks_166.vir.exeipceca.exeipceca.exe

description	pid	process	target process
PID 1088 wrote to memory of 1428	1088	tasks_166.vir.exe	ipceca.exe
PID 1088 wrote to memory of 1428	1088	tasks_166.vir.exe	ipceca.exe
PID 1088 wrote to memory of 1428	1088	tasks_166.vir.exe	ipceca.exe
PID 1088 wrote to memory of 1428	1088	tasks_166.vir.exe	ipceca.exe
PID 1428 wrote to memory of 304	1428	ipceca.exe	ipceca.exe
PID 1428 wrote to memory of 304	1428	ipceca.exe	ipceca.exe
PID 1428 wrote to memory of 304	1428	ipceca.exe	ipceca.exe
PID 1428 wrote to memory of 304	1428	ipceca.exe	ipceca.exe
PID 1088 wrote to memory of 792	1088	tasks_166.vir.exe	cmd.exe
PID 1088 wrote to memory of 792	1088	tasks_166.vir.exe	cmd.exe
PID 1088 wrote to memory of 792	1088	tasks_166.vir.exe	cmd.exe
PID 1088 wrote to memory of 792	1088	tasks_166.vir.exe	cmd.exe
PID 304 wrote to memory of 1520	304	ipceca.exe	ctfmon.exe
PID 304 wrote to memory of 1520	304	ipceca.exe	ctfmon.exe
PID 304 wrote to memory of 1520	304	ipceca.exe	ctfmon.exe
PID 304 wrote to memory of 1520	304	ipceca.exe	ctfmon.exe

Executes dropped EXE 3 IoCs

Processes:

winsec32.exeipceca.exeipceca.exe

pid process

612 winsec32.exe
1428 ipceca.exe
304 ipceca.exe

pid	process
612	winsec32.exe
1428	ipceca.exe
304	ipceca.exe

C:\Users\Admin\AppData\Local\Temp\tasks_166.vir.exe
"C:\Users\Admin\AppData\Local\Temp\tasks_166.vir.exe"
1⤵
- Enumerates system info in registry
- Drops file in Windows directory
- Drops file in System32 directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe
"C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe"
2⤵
- Enumerates system info in registry
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1428

C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe
"C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe" -child
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:304

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4a8f634f.bat"
2⤵
- Deletes itself
PID:792

C:\Windows\SysWOW64\winsec32.exe
"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe"
1⤵
- Enumerates system info in registry
- Adds Run key to start application
- Executes dropped EXE
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4a8f634f.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4GVH3P9A.txt

Download Submit
C:\Windows\SysWOW64\winsec32.exe

Download Submit
C:\Windows\SysWOW64\winsec32.exe

Download Submit
\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe

Download Submit
memory/304-6-0x0000000000000000-mapping.dmp

Download
memory/792-8-0x0000000000000000-mapping.dmp

Download
memory/1428-4-0x0000000000000000-mapping.dmp

Download
memory/1520-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads