5c3bde59fa48471670841beba658fc9cfe707fac64b4b7f8446dd51a7706d133

General

Target

uncategorized_2.2.0.0.vir.exe
Size

281KB
MD5

d1a9338fc86ea88c1e8408d736ba13ec
SHA1

01e9ec2d7a136aff0a98842fa876588c564809a7
SHA256

5c3bde59fa48471670841beba658fc9cfe707fac64b4b7f8446dd51a7706d133
SHA512

18b5177c0ffeac359a9f19d670b28eab66ef6bcd0184c005fbfedd2b060f6972ae8da4a06261bf479db06a9e1c7f017388cbaf9a934c090a652eaf107a0ccf27

Score

8^/10

upx persistence

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1756 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1756 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1756 WinMail.exe

pid	process
1756	WinMail.exe

pid	process
1756	WinMail.exe

pid	process
1756	WinMail.exe

Suspicious use of WriteProcessMemory 69 IoCs

Processes:

uncategorized_2.2.0.0.vir.exeuncategorized_2.2.0.0.vir.exekiyx.exekiyx.exe

description	pid	process	target process
PID 1496 wrote to memory of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 wrote to memory of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 1496 wrote to memory of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 884 wrote to memory of 752	884	uncategorized_2.2.0.0.vir.exe	kiyx.exe
PID 884 wrote to memory of 752	884	uncategorized_2.2.0.0.vir.exe	kiyx.exe
PID 884 wrote to memory of 752	884	uncategorized_2.2.0.0.vir.exe	kiyx.exe
PID 884 wrote to memory of 752	884	uncategorized_2.2.0.0.vir.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 752 wrote to memory of 1636	752	kiyx.exe	kiyx.exe
PID 884 wrote to memory of 1520	884	uncategorized_2.2.0.0.vir.exe	cmd.exe
PID 884 wrote to memory of 1520	884	uncategorized_2.2.0.0.vir.exe	cmd.exe
PID 884 wrote to memory of 1520	884	uncategorized_2.2.0.0.vir.exe	cmd.exe
PID 884 wrote to memory of 1520	884	uncategorized_2.2.0.0.vir.exe	cmd.exe
PID 1636 wrote to memory of 1080	1636	kiyx.exe	taskhost.exe
PID 1636 wrote to memory of 1080	1636	kiyx.exe	taskhost.exe
PID 1636 wrote to memory of 1080	1636	kiyx.exe	taskhost.exe
PID 1636 wrote to memory of 1080	1636	kiyx.exe	taskhost.exe
PID 1636 wrote to memory of 1080	1636	kiyx.exe	taskhost.exe
PID 1636 wrote to memory of 1188	1636	kiyx.exe	Dwm.exe
PID 1636 wrote to memory of 1188	1636	kiyx.exe	Dwm.exe
PID 1636 wrote to memory of 1188	1636	kiyx.exe	Dwm.exe
PID 1636 wrote to memory of 1188	1636	kiyx.exe	Dwm.exe
PID 1636 wrote to memory of 1188	1636	kiyx.exe	Dwm.exe
PID 1636 wrote to memory of 1228	1636	kiyx.exe	Explorer.EXE
PID 1636 wrote to memory of 1228	1636	kiyx.exe	Explorer.EXE
PID 1636 wrote to memory of 1228	1636	kiyx.exe	Explorer.EXE
PID 1636 wrote to memory of 1228	1636	kiyx.exe	Explorer.EXE
PID 1636 wrote to memory of 1228	1636	kiyx.exe	Explorer.EXE
PID 1636 wrote to memory of 1560	1636	kiyx.exe	iexplore.exe
PID 1636 wrote to memory of 1560	1636	kiyx.exe	iexplore.exe
PID 1636 wrote to memory of 1560	1636	kiyx.exe	iexplore.exe
PID 1636 wrote to memory of 1560	1636	kiyx.exe	iexplore.exe
PID 1636 wrote to memory of 1560	1636	kiyx.exe	iexplore.exe
PID 1636 wrote to memory of 1756	1636	kiyx.exe	WinMail.exe
PID 1636 wrote to memory of 1756	1636	kiyx.exe	WinMail.exe
PID 1636 wrote to memory of 1756	1636	kiyx.exe	WinMail.exe
PID 1636 wrote to memory of 1756	1636	kiyx.exe	WinMail.exe
PID 1636 wrote to memory of 1756	1636	kiyx.exe	WinMail.exe
PID 1636 wrote to memory of 1748	1636	kiyx.exe	DllHost.exe
PID 1636 wrote to memory of 1748	1636	kiyx.exe	DllHost.exe
PID 1636 wrote to memory of 1748	1636	kiyx.exe	DllHost.exe
PID 1636 wrote to memory of 1748	1636	kiyx.exe	DllHost.exe
PID 1636 wrote to memory of 1748	1636	kiyx.exe	DllHost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

uncategorized_2.2.0.0.vir.exeiexplore.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	884	uncategorized_2.2.0.0.vir.exe
Token: SeSecurityPrivilege	1560	iexplore.exe
Token: SeSecurityPrivilege	1560	iexplore.exe
Token: SeManageVolumePrivilege	1756	WinMail.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	iexplore.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\314A72B5-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

uncategorized_2.2.0.0.vir.exekiyx.exekiyx.exe

pid	process
1496	uncategorized_2.2.0.0.vir.exe
752	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe
1636	kiyx.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1520 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

kiyx.exekiyx.exe

pid process

752 kiyx.exe
1636 kiyx.exe

pid	process
1520	cmd.exe

pid	process
752	kiyx.exe
1636	kiyx.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1560-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1560-3-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1560-4-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kiyx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F6AB1A8B-37BD-AD9A-DC81-58113F2D4939} = "C:\\Users\\Admin\\AppData\\Roaming\\Imaf\\kiyx.exe"	kiyx.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	kiyx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

uncategorized_2.2.0.0.vir.exekiyx.exe

description	pid	process	target process
PID 1496 set thread context of 1560	1496	uncategorized_2.2.0.0.vir.exe	iexplore.exe
PID 1496 set thread context of 884	1496	uncategorized_2.2.0.0.vir.exe	uncategorized_2.2.0.0.vir.exe
PID 752 set thread context of 1636	752	kiyx.exe	kiyx.exe

Loads dropped DLL 2 IoCs

Processes:

uncategorized_2.2.0.0.vir.exe

pid process

884 uncategorized_2.2.0.0.vir.exe
884 uncategorized_2.2.0.0.vir.exe

pid	process
884	uncategorized_2.2.0.0.vir.exe
884	uncategorized_2.2.0.0.vir.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\uncategorized_2.2.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\uncategorized_2.2.0.0.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1496

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
PID:1560

C:\Users\Admin\AppData\Local\Temp\uncategorized_2.2.0.0.vir.exe
C:\Users\Admin\AppData\Local\Temp\uncategorized_2.2.0.0.vir.exe
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
PID:884

C:\Users\Admin\AppData\Roaming\Imaf\kiyx.exe
"C:\Users\Admin\AppData\Roaming\Imaf\kiyx.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:752

C:\Users\Admin\AppData\Roaming\Imaf\kiyx.exe
C:\Users\Admin\AppData\Roaming\Imaf\kiyx.exe
5⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Adds Run key to start application
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp983e0432.bat"
4⤵
- Deletes itself
PID:1520

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- NTFS ADS
PID:1756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp983e0432.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Gutie\esuba.uwa

Download Submit
C:\Users\Admin\AppData\Roaming\Imaf\kiyx.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Imaf\kiyx.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Imaf\kiyx.exe

Download Submit
\Users\Admin\AppData\Roaming\Imaf\kiyx.exe

Download Submit
\Users\Admin\AppData\Roaming\Imaf\kiyx.exe

Download Submit
memory/752-9-0x0000000000000000-mapping.dmp

Download
memory/884-2-0x0000000000400000-0x0000000006800000-memory.dmp

Filesize
100.0MB

Download
memory/884-6-0x0000000000400000-0x0000000006800000-memory.dmp

Filesize
100.0MB

Download
memory/884-5-0x000000000041733B-mapping.dmp

Download
memory/1520-16-0x0000000000000000-mapping.dmp

Download
memory/1560-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1560-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1560-17-0x0000000000412110-mapping.dmp

Download
memory/1560-3-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1560-1-0x0000000000412110-mapping.dmp

Download
memory/1636-13-0x000000000041733B-mapping.dmp

Download
memory/1756-37-0x0000000003E80000-0x0000000003E82000-memory.dmp

Filesize
8KB

Download
memory/1756-46-0x0000000003C00000-0x0000000003C02000-memory.dmp

Filesize
8KB

Download
memory/1756-24-0x0000000003950000-0x0000000003A50000-memory.dmp

Filesize
1024KB

Download
memory/1756-25-0x0000000003950000-0x0000000003B50000-memory.dmp

Filesize
2.0MB

Download
memory/1756-26-0x0000000003A50000-0x0000000003B50000-memory.dmp

Filesize
1024KB

Download
memory/1756-30-0x0000000003650000-0x0000000003652000-memory.dmp

Filesize
8KB

Download
memory/1756-31-0x0000000003670000-0x0000000003672000-memory.dmp

Filesize
8KB

Download
memory/1756-32-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/1756-33-0x0000000004230000-0x0000000004232000-memory.dmp

Filesize
8KB

Download
memory/1756-34-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

Filesize
8KB

Download
memory/1756-35-0x0000000003E80000-0x0000000003E82000-memory.dmp

Filesize
8KB

Download
memory/1756-36-0x0000000003650000-0x0000000003652000-memory.dmp

Filesize
8KB

Download
memory/1756-20-0x0000000003950000-0x0000000003A50000-memory.dmp

Filesize
1024KB

Download
memory/1756-38-0x0000000003FD0000-0x0000000003FD2000-memory.dmp

Filesize
8KB

Download
memory/1756-39-0x0000000004050000-0x0000000004052000-memory.dmp

Filesize
8KB

Download
memory/1756-40-0x0000000004230000-0x0000000004232000-memory.dmp

Filesize
8KB

Download
memory/1756-41-0x0000000004240000-0x0000000004242000-memory.dmp

Filesize
8KB

Download
memory/1756-42-0x0000000004960000-0x0000000004962000-memory.dmp

Filesize
8KB

Download
memory/1756-43-0x0000000004B90000-0x0000000004B92000-memory.dmp

Filesize
8KB

Download
memory/1756-44-0x0000000004040000-0x0000000004042000-memory.dmp

Filesize
8KB

Download
memory/1756-45-0x0000000003FD0000-0x0000000003FD2000-memory.dmp

Filesize
8KB

Download
memory/1756-22-0x0000000003950000-0x0000000003B50000-memory.dmp

Filesize
2.0MB

Download
memory/1756-47-0x0000000004050000-0x0000000004052000-memory.dmp

Filesize
8KB

Download
memory/1756-48-0x0000000004040000-0x0000000004042000-memory.dmp

Filesize
8KB

Download
memory/1756-49-0x0000000004230000-0x0000000004232000-memory.dmp

Filesize
8KB

Download
memory/1756-50-0x0000000004A00000-0x0000000004A02000-memory.dmp

Filesize
8KB

Download
memory/1756-51-0x0000000004A20000-0x0000000004A22000-memory.dmp

Filesize
8KB

Download
memory/1756-52-0x0000000004240000-0x0000000004242000-memory.dmp

Filesize
8KB

Download
memory/1756-53-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

Filesize
8KB

Download
memory/1756-54-0x0000000003C10000-0x0000000003C12000-memory.dmp

Filesize
8KB

Download
memory/1756-55-0x0000000003FF0000-0x0000000003FF2000-memory.dmp

Filesize
8KB

Download
memory/1756-56-0x0000000004280000-0x0000000004282000-memory.dmp

Filesize
8KB

Download
memory/1756-57-0x0000000003FD0000-0x0000000003FD2000-memory.dmp

Filesize
8KB

Download
memory/1756-58-0x0000000004030000-0x0000000004032000-memory.dmp

Filesize
8KB

Download
memory/1756-59-0x0000000004010000-0x0000000004012000-memory.dmp

Filesize
8KB

Download
memory/1756-60-0x0000000004B60000-0x0000000004B62000-memory.dmp

Filesize
8KB

Download
memory/1756-61-0x0000000003C20000-0x0000000003C22000-memory.dmp

Filesize
8KB

Download
memory/1756-62-0x0000000004AD0000-0x0000000004AD2000-memory.dmp

Filesize
8KB

Download
memory/1756-63-0x0000000004AC0000-0x0000000004AC2000-memory.dmp

Filesize
8KB

Download
memory/1756-64-0x0000000004AB0000-0x0000000004AB2000-memory.dmp

Filesize
8KB

Download
memory/1756-65-0x0000000003950000-0x0000000003A50000-memory.dmp

Filesize
1024KB

Download
memory/1756-67-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/1756-73-0x0000000002090000-0x00000000020A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads