Overview

overview

8

Static

static

tasks_200.vir.exe

windows7_x64

8

tasks_200.vir.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    19-07-2020 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tasks_200.vir.exe

  • Size

    327KB

  • MD5

    804bedbfe6ecd3d1e07b2b19ba6db60c

  • SHA1

    9d37abde24f9781638bc7de50b484389804bd728

  • SHA256

    afe94e4b048e0030099c67010dce2fd79461eb050dcf1a441b3d5486ce8821ca

  • SHA512

    eb45fa0e60ca37466493333d9cfaf8c2502ef9c120000e9e91510775fffb16b76cafa1d649887f5d41a65df966198bb805be44307586e46653a8f31df3713b3f

Score
8/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 104 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    • Suspicious use of FindShellTrayWindow
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\tasks_200.vir.exe
      "C:\Users\Admin\AppData\Local\Temp\tasks_200.vir.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • Drops file in System32 directory
      PID:3868
      • C:\Users\Admin\AppData\Roaming\Zesihiel\rinypef.exe
        "C:\Users\Admin\AppData\Roaming\Zesihiel\rinypef.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3852
        • C:\Users\Admin\AppData\Roaming\Zesihiel\rinypef.exe
          "C:\Users\Admin\AppData\Roaming\Zesihiel\rinypef.exe" -child
          4⤵
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:3956
          • C:\Windows\SysWOW64\ctfmon.exe
            ctfmon.exe
            5⤵
              PID:3000
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp980edbd3.bat"
          3⤵
            PID:3240
      • C:\Windows\SysWOW64\winsec32.exe
        "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Zesihiel\rinypef.exe"
        1⤵
        • Adds Run key to start application
        • Executes dropped EXE
        PID:4048

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\H0BPI275.cookie
        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp980edbd3.bat
        Download Submit
      • C:\Users\Admin\AppData\Roaming\Zesihiel\rinypef.exe
        Download Submit
      • C:\Users\Admin\AppData\Roaming\Zesihiel\rinypef.exe
        Download Submit
      • C:\Users\Admin\AppData\Roaming\Zesihiel\rinypef.exe
        Download Submit
      • C:\Windows\SysWOW64\winsec32.exe
        Download Submit
      • C:\Windows\SysWOW64\winsec32.exe
        Download Submit
      • memory/3000-15-0x0000000000000000-mapping.dmp
        Download
      • memory/3020-6-0x0000000002FF0000-0x0000000002FF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3240-5-0x0000000000000000-mapping.dmp
        Download
      • memory/3852-3-0x0000000000000000-mapping.dmp
        Download
      • memory/3956-7-0x0000000000000000-mapping.dmp
        Download