Analysis

max time kernel:   150s
max time network:  143s
platform:          windows7_x64
resource:          win7
submitted:         19-07-2020 17:16

Static task:       static1

Behavioral task:   behavioral1
  Sample:          tasks_166.vir.exe
  Resource:        win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task:   behavioral2
  Sample:          tasks_166.vir.exe
  Resource:        win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General

Target:  tasks_166.vir.exe
Size:    169KB
MD5:     ef7f0c98fba6735e559b5190705a5116
SHA1:    b29f63f03879b4dedefdd10f4c651c69506831e7
SHA256:  068edc2dfe9430a15b84d3f941d2c9afbf95221e92580668d03dfeca2401b8ca
SHA512:  1cd9f7446b91aac57cfdc057fc98e178d3b4a8d96033a4791ba6f13137c5c05097624d79ad5ba1c5a441d4906dd4174d2573697a8409e1b15d00f1b63692bc30
Score:   8/10

Malware Config

Signatures
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  pid   process
  304   ipceca.exe   (11 events)

Deletes itself (1 IoC)
Processes:
  pid   process
  792   cmd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  304   ipceca.exe   (2 events)
Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
  description        ioc                                                       process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  tasks_166.vir.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  winsec32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  ipceca.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  ipceca.exe

Drops file in Windows directory (1 IoC)
Processes:
  description   ioc                                                      process
  File created  C:\Windows\Tasks\Security Center Update - 195747346.job  tasks_166.vir.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                               process
  File created                  C:\Windows\SysWOW64\winsec32.exe  tasks_166.vir.exe
  File opened for modification  C:\Windows\SysWOW64\winsec32.exe  tasks_166.vir.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
  description      ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\2741916052 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe"  ipceca.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  ipceca.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2741916052 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe"  ipceca.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  winsec32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1567415885 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe"  winsec32.exe
  Key created      \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  ipceca.exe

Loads dropped DLL (1 IoC)
Processes:
  pid    process
  1088   tasks_166.vir.exe
Modifies Internet Explorer settings (1 IoC)
Processes:
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main  ipceca.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  source pid  source process     target pid  target process  events
  1088        tasks_166.vir.exe  1428        ipceca.exe      4
  1428        ipceca.exe         304         ipceca.exe      4
  1088        tasks_166.vir.exe  792         cmd.exe         4
  304         ipceca.exe         1520        ctfmon.exe      4

Executes dropped EXE (3 IoCs)
Processes:
  pid    process
  612    winsec32.exe
  1428   ipceca.exe
  304    ipceca.exe
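The persistence and injection rows above, turned into hunting records by an added Python example (not part of this sandbox report or of the sandbox's own tooling). It parses the flattened signature rows for Run-key writes, dropped files and cross-process memory writes, then applies three heuristics: an autorun entry whose data points into a user-writable directory, a file landing in C:\Windows\Tasks or a system directory, and a write into a well-known Windows binary from a different image. The input rows are copied from this report; the regexes, the user-writable directory list and the injection-target set are assumptions of the example.

```python
"""Turn the flattened signature rows of this sandbox report into hunting records.

Added example, not part of the report. REPORT_LINES is copied from the report's
signature tables; the regexes, USER_WRITABLE and INJECTION_TARGETS are assumptions.
"""
import re
from dataclasses import dataclass

REPORT_LINES = [
    # "Adds Run key to start application" rows, as the report prints them
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\2741916052 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe" ipceca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run ipceca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2741916052 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe" ipceca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run winsec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1567415885 = "C:\\Users\\Admin\\AppData\\Roaming\\Ewrytaf\\ipceca.exe" winsec32.exe',
    # "Drops file in Windows directory" / "Drops file in System32 directory" rows
    r'File created C:\Windows\Tasks\Security Center Update - 195747346.job tasks_166.vir.exe',
    r'File created C:\Windows\SysWOW64\winsec32.exe tasks_166.vir.exe File opened for modification C:\Windows\SysWOW64\winsec32.exe tasks_166.vir.exe',
    # "Suspicious use of WriteProcessMemory" rows (the report repeats each edge four times)
    'PID 1088 wrote to memory of 1428 1088 tasks_166.vir.exe ipceca.exe PID 1088 wrote to memory of 1428 1088 tasks_166.vir.exe ipceca.exe PID 1088 wrote to memory of 1428 1088 tasks_166.vir.exe ipceca.exe PID 1088 wrote to memory of 1428 1088 tasks_166.vir.exe ipceca.exe PID 1428 wrote to memory of 304 1428 ipceca.exe ipceca.exe PID 1428 wrote to memory of 304 1428 ipceca.exe ipceca.exe PID 1428 wrote to memory of 304 1428 ipceca.exe ipceca.exe PID 1428 wrote to memory of 304 1428 ipceca.exe ipceca.exe PID 1088 wrote to memory of 792 1088 tasks_166.vir.exe cmd.exe PID 1088 wrote to memory of 792 1088 tasks_166.vir.exe cmd.exe PID 1088 wrote to memory of 792 1088 tasks_166.vir.exe cmd.exe PID 1088 wrote to memory of 792 1088 tasks_166.vir.exe cmd.exe PID 304 wrote to memory of 1520 304 ipceca.exe ctfmon.exe PID 304 wrote to memory of 1520 304 ipceca.exe ctfmon.exe PID 304 wrote to memory of 1520 304 ipceca.exe ctfmon.exe PID 304 wrote to memory of 1520 304 ipceca.exe ctfmon.exe',
]

# Row shapes as the report flattens them (assumed; tuned to the rows above).
RUN_RE = re.compile(r'Set value \(str\) (\S+\\Run\\\S+) = "([^"]+)" (\S+)')
FILE_RE = re.compile(r'File created (.+?) (\S+\.exe)(?= |$)')   # path may contain spaces
WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)')


@dataclass(frozen=True)
class RunKey:
    hive: str       # HKLM or HKU, derived from the \REGISTRY\... prefix
    name: str       # value name under ...\CurrentVersion\Run
    data: str       # image path the value points at
    process: str    # process that wrote it


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    src: str
    dst_pid: int
    dst: str


def parse_run_keys(lines):
    """Extract every 'Set value (str) ...\\Run\\NAME = "DATA" PROCESS' row."""
    found = []
    for line in lines:
        for key, data, proc in RUN_RE.findall(line):
            hive = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
            found.append(RunKey(hive, key.rsplit("\\", 1)[1], data.replace("\\\\", "\\"), proc))
    return found


def parse_file_creates(lines):
    """Extract (path, process) for every 'File created' row; modification rows are ignored."""
    return [(path, proc) for line in lines for path, proc in FILE_RE.findall(line)]


def parse_mem_writes(lines):
    """Extract unique cross-process write edges, collapsing the report's repeated rows."""
    edges = {MemWrite(int(s), src, int(d), dst)
             for line in lines for s, d, src, dst in WPM_RE.findall(line)}
    return sorted(edges, key=lambda w: (w.src_pid, w.dst_pid))


# Assumed heuristics: autoruns pointing into user-writable directories, files landing in the
# scheduled-task or system directories, and writes into well-known Windows binaries.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
INJECTION_TARGETS = {"ctfmon.exe", "explorer.exe", "svchost.exe", "rundll32.exe"}


def findings(lines):
    out = []
    for rk in parse_run_keys(lines):
        if any(marker in rk.data.lower() for marker in USER_WRITABLE):
            out.append(f"autorun {rk.hive}\\...\\Run\\{rk.name} -> {rk.data} (set by {rk.process})")
    for path, proc in parse_file_creates(lines):
        low = path.lower()
        if low.startswith("c:\\windows\\tasks\\") and low.endswith(".job"):
            out.append(f"scheduled task dropped: {path} (by {proc})")
        elif "\\syswow64\\" in low or "\\system32\\" in low:
            out.append(f"binary dropped into system directory: {path} (by {proc})")
    for w in parse_mem_writes(lines):
        if w.dst.lower() in INJECTION_TARGETS and w.src.lower() != w.dst.lower():
            out.append(f"cross-process write {w.src}({w.src_pid}) -> {w.dst}({w.dst_pid})")
    return out


if __name__ == "__main__":
    for finding in findings(REPORT_LINES):
        print(finding)
```

On this report the three Run values (one under the user hive, two under HKLM\...\Wow6432Node) all resolve to the same AppData\Roaming image, the .job drop and the SysWOW64 drop are each flagged once, and of the four write edges only ipceca.exe (304) into ctfmon.exe (1520) crosses into a Windows binary; the ipceca.exe to ipceca.exe edge is the parent writing to its own -child instance and is deliberately not flagged by this heuristic.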
Processes

C:\Users\Admin\AppData\Local\Temp\tasks_166.vir.exe  [depth 1]
  command line: "C:\Users\Admin\AppData\Local\Temp\tasks_166.vir.exe"
  - Enumerates system info in registry
  - Drops file in Windows directory
  - Drops file in System32 directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe  [depth 2]
    command line: "C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe"
    - Enumerates system info in registry
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe  [depth 3]
      command line: "C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe" -child
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

      C:\Windows\SysWOW64\ctfmon.exe  [depth 4]
        command line: ctfmon.exe

  C:\Windows\SysWOW64\cmd.exe  [depth 2]
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4a8f634f.bat"
    - Deletes itself

C:\Windows\SysWOW64\winsec32.exe  [depth 1]
  command line: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe"
  - Enumerates system info in registry
  - Adds Run key to start application
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\tmp4a8f634f.bat
  C:\Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe  (listed 3 times)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4GVH3P9A.txt
  C:\Windows\SysWOW64\winsec32.exe  (listed 2 times)
  \Users\Admin\AppData\Roaming\Ewrytaf\ipceca.exe
  memory/304-6-0x0000000000000000-mapping.dmp
  memory/792-8-0x0000000000000000-mapping.dmp
  memory/1428-4-0x0000000000000000-mapping.dmp
  memory/1520-10-0x0000000000000000-mapping.dmp