Analysis
- max time kernel: 116s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 19:27
Static task
- static1

Behavioral task
- behavioral1
- Sample: uncategorized_1.6.0.1.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task
- behavioral2
- Sample: uncategorized_1.6.0.1.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: uncategorized_1.6.0.1.vir.exe
- Size: 124KB
- MD5: 81b8e2036cd6400033eabea5b0f51ce3
- SHA1: b2c87245123436f53509e4309b202d50b72dfc38
- SHA256: eb2c107397eb09a6f016e839b4b9794fe73d91e4a913764a853adf44bc4c3f8e
- SHA512: bcfb682ee4a8b663865be5ec8341e94f7f27130b6b169d6b652ec2224958a31456d95abafbdf0491c89b9bda51771e67b4ec7799c454256687e90db1fc74c581
- Score: 8/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                  pid   process
    Token: SeSecurityPrivilege   304   uncategorized_1.6.0.1.vir.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    304   uncategorized_1.6.0.1.vir.exe
    304   uncategorized_1.6.0.1.vir.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    1100   bisoe.exe
    1644   bisoe.exe
- Deletes itself (1 IoC)
  Processes:
    pid    process
    1784   cmd.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (repeat count of identical rows in the last column):
    description                        pid    process                         target process                  count
    PID 284 wrote to memory of 304     284    uncategorized_1.6.0.1.vir.exe   uncategorized_1.6.0.1.vir.exe   9
    PID 304 wrote to memory of 1100    304    uncategorized_1.6.0.1.vir.exe   bisoe.exe                       4
    PID 1100 wrote to memory of 1644   1100   bisoe.exe                       bisoe.exe                       7
    PID 304 wrote to memory of 1784    304    uncategorized_1.6.0.1.vir.exe   cmd.exe                         4
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                           pid    process                         target process
    PID 284 set thread context of 304     284    uncategorized_1.6.0.1.vir.exe   uncategorized_1.6.0.1.vir.exe
    PID 1100 set thread context of 1644   1100   bisoe.exe                       bisoe.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\uncategorized_1.6.0.1.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\uncategorized_1.6.0.1.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\uncategorized_1.6.0.1.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\uncategorized_1.6.0.1.vir.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
      command line: "C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
        command line: "C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe"
        - Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7f574e02.bat"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7f574e02.bat
- C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
- C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
- C:\Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
- \Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
- \Users\Admin\AppData\Roaming\Ybewuq\bisoe.exe
- memory/304-0-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/304-1-0x0000000000415BD2-mapping.dmp
- memory/304-2-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
- memory/1100-5-0x0000000000000000-mapping.dmp
- memory/1644-8-0x0000000000015BD2-mapping.dmp
- memory/1784-10-0x0000000000000000-mapping.dmp