f990daf6364d6aeb0a8482a8fdab098b5790f29f2f34dd38ef4a83ac36827fe9

General

Target

uncategorized_3.0.0.0b.vir.exe
Size

1.2MB
MD5

8e326a09b93cc447d0ea9a3992bb4962
SHA1

0a57892f4f92507f0f3405228274c5bfeb1103c5
SHA256

f990daf6364d6aeb0a8482a8fdab098b5790f29f2f34dd38ef4a83ac36827fe9
SHA512

1d4bf0071adef111a8166220f2089e6c4b4eace02a82eb306920cac9d12460173932bc76a83aba57db9331fa473a59035ba8ad05d9a748ceb6d7abc32e992c2a

Score

8^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

uncategorized_3.0.0.0b.vir.exevique.exe

pid process

1820 uncategorized_3.0.0.0b.vir.exe
3692 vique.exe

pid	process
1820	uncategorized_3.0.0.0b.vir.exe
3692	vique.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

uncategorized_3.0.0.0b.vir.exeuncategorized_3.0.0.0b.vir.exevique.exevique.exe

description	pid	process	target process
PID 1820 wrote to memory of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 1820 wrote to memory of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 1820 wrote to memory of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 1820 wrote to memory of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 1820 wrote to memory of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 1820 wrote to memory of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 1820 wrote to memory of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 1820 wrote to memory of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 2784 wrote to memory of 3692	2784	uncategorized_3.0.0.0b.vir.exe	vique.exe
PID 2784 wrote to memory of 3692	2784	uncategorized_3.0.0.0b.vir.exe	vique.exe
PID 2784 wrote to memory of 3692	2784	uncategorized_3.0.0.0b.vir.exe	vique.exe
PID 3692 wrote to memory of 2556	3692	vique.exe	vique.exe
PID 3692 wrote to memory of 2556	3692	vique.exe	vique.exe
PID 3692 wrote to memory of 2556	3692	vique.exe	vique.exe
PID 3692 wrote to memory of 2556	3692	vique.exe	vique.exe
PID 3692 wrote to memory of 2556	3692	vique.exe	vique.exe
PID 3692 wrote to memory of 2556	3692	vique.exe	vique.exe
PID 3692 wrote to memory of 2556	3692	vique.exe	vique.exe
PID 3692 wrote to memory of 2556	3692	vique.exe	vique.exe
PID 2784 wrote to memory of 3960	2784	uncategorized_3.0.0.0b.vir.exe	cmd.exe
PID 2784 wrote to memory of 3960	2784	uncategorized_3.0.0.0b.vir.exe	cmd.exe
PID 2784 wrote to memory of 3960	2784	uncategorized_3.0.0.0b.vir.exe	cmd.exe
PID 2556 wrote to memory of 3012	2556	vique.exe	Explorer.EXE
PID 2556 wrote to memory of 3012	2556	vique.exe	Explorer.EXE
PID 2556 wrote to memory of 3012	2556	vique.exe	Explorer.EXE
PID 2556 wrote to memory of 3012	2556	vique.exe	Explorer.EXE
PID 2556 wrote to memory of 3012	2556	vique.exe	Explorer.EXE
PID 2556 wrote to memory of 3012	2556	vique.exe	Explorer.EXE
PID 2556 wrote to memory of 3012	2556	vique.exe	Explorer.EXE
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe
PID 2556 wrote to memory of 3960	2556	vique.exe	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

uncategorized_3.0.0.0b.vir.exevique.exe

description	pid	process	target process
PID 1820 set thread context of 2784	1820	uncategorized_3.0.0.0b.vir.exe	uncategorized_3.0.0.0b.vir.exe
PID 3692 set thread context of 2556	3692	vique.exe	vique.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

uncategorized_3.0.0.0b.vir.exeExplorer.EXE

description	pid	process
Token: SeSecurityPrivilege	2784	uncategorized_3.0.0.0b.vir.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE

Executes dropped EXE 2 IoCs

Processes:

vique.exevique.exe

pid process

3692 vique.exe
2556 vique.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vique.exe

pid process

2556 vique.exe
2556 vique.exe
2556 vique.exe
2556 vique.exe

pid	process
3692	vique.exe
2556	vique.exe

pid	process
2556	vique.exe
2556	vique.exe
2556	vique.exe
2556	vique.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Users\Admin\AppData\Local\Temp\uncategorized_3.0.0.0b.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_3.0.0.0b.vir.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1820

C:\Users\Admin\AppData\Local\Temp\uncategorized_3.0.0.0b.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_3.0.0.0b.vir.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Roaming\Anhyzo\vique.exe
"C:\Users\Admin\AppData\Roaming\Anhyzo\vique.exe"
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:3692

C:\Users\Admin\AppData\Roaming\Anhyzo\vique.exe
"C:\Users\Admin\AppData\Roaming\Anhyzo\vique.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9ab831e6.bat"
4⤵
PID:3960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9ab831e6.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Anhyzo\vique.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Anhyzo\vique.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Anhyzo\vique.exe

Download Submit
memory/2556-11-0x00000000004FE533-mapping.dmp

Download
memory/2784-2-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2784-3-0x00000000004FE533-mapping.dmp

Download
memory/2784-4-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3692-5-0x0000000000000000-mapping.dmp

Download
memory/3960-14-0x0000000000000000-mapping.dmp

Download
memory/3960-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads