eb2c107397eb09a6f016e839b4b9794fe73d91e4a913764a853adf44bc4c3f8e

General

Target

uncategorized_1.6.0.1.vir.exe
Size

124KB
MD5

81b8e2036cd6400033eabea5b0f51ce3
SHA1

b2c87245123436f53509e4309b202d50b72dfc38
SHA256

eb2c107397eb09a6f016e839b4b9794fe73d91e4a913764a853adf44bc4c3f8e
SHA512

bcfb682ee4a8b663865be5ec8341e94f7f27130b6b169d6b652ec2224958a31456d95abafbdf0491c89b9bda51771e67b4ec7799c454256687e90db1fc74c581

Score

8^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uncategorized_1.6.0.1.vir.exe

description pid process

Token: SeSecurityPrivilege 304 uncategorized_1.6.0.1.vir.exe
Loads dropped DLL 2 IoCs

Processes:

uncategorized_1.6.0.1.vir.exe

pid process

304 uncategorized_1.6.0.1.vir.exe
304 uncategorized_1.6.0.1.vir.exe
Executes dropped EXE 2 IoCs

Processes:

bisoe.exebisoe.exe

pid process

1100 bisoe.exe
1644 bisoe.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1784 cmd.exe

description	pid	process
Token: SeSecurityPrivilege	304	uncategorized_1.6.0.1.vir.exe

pid	process
304	uncategorized_1.6.0.1.vir.exe
304	uncategorized_1.6.0.1.vir.exe

pid	process
1100	bisoe.exe
1644	bisoe.exe

pid	process
1784	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

uncategorized_1.6.0.1.vir.exeuncategorized_1.6.0.1.vir.exebisoe.exe

description	pid	process	target process
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 284 wrote to memory of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 304 wrote to memory of 1100	304	uncategorized_1.6.0.1.vir.exe	bisoe.exe
PID 304 wrote to memory of 1100	304	uncategorized_1.6.0.1.vir.exe	bisoe.exe
PID 304 wrote to memory of 1100	304	uncategorized_1.6.0.1.vir.exe	bisoe.exe
PID 304 wrote to memory of 1100	304	uncategorized_1.6.0.1.vir.exe	bisoe.exe
PID 1100 wrote to memory of 1644	1100	bisoe.exe	bisoe.exe
PID 1100 wrote to memory of 1644	1100	bisoe.exe	bisoe.exe
PID 1100 wrote to memory of 1644	1100	bisoe.exe	bisoe.exe
PID 1100 wrote to memory of 1644	1100	bisoe.exe	bisoe.exe
PID 1100 wrote to memory of 1644	1100	bisoe.exe	bisoe.exe
PID 1100 wrote to memory of 1644	1100	bisoe.exe	bisoe.exe
PID 1100 wrote to memory of 1644	1100	bisoe.exe	bisoe.exe
PID 304 wrote to memory of 1784	304	uncategorized_1.6.0.1.vir.exe	cmd.exe
PID 304 wrote to memory of 1784	304	uncategorized_1.6.0.1.vir.exe	cmd.exe
PID 304 wrote to memory of 1784	304	uncategorized_1.6.0.1.vir.exe	cmd.exe
PID 304 wrote to memory of 1784	304	uncategorized_1.6.0.1.vir.exe	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

uncategorized_1.6.0.1.vir.exebisoe.exe

description	pid	process	target process
PID 284 set thread context of 304	284	uncategorized_1.6.0.1.vir.exe	uncategorized_1.6.0.1.vir.exe
PID 1100 set thread context of 1644	1100	bisoe.exe	bisoe.exe

C:\Users\Admin\AppData\Local\Temp\uncategorized_1.6.0.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_1.6.0.1.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:284

C:\Users\Admin\AppData\Local\Temp\uncategorized_1.6.0.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_1.6.0.1.vir.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
"C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1100

C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
"C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe"
4⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7f574e02.bat"
3⤵
- Deletes itself
PID:1784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7f574e02.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe

Download Submit
\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe

Download Submit
\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe

Download Submit
memory/304-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/304-1-0x0000000000415BD2-mapping.dmp

Download
memory/304-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-5-0x0000000000000000-mapping.dmp

Download
memory/1644-8-0x0000000000015BD2-mapping.dmp

Download
memory/1784-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing