Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 16:48

Static task: static1

Behavioral task: behavioral1
- Sample: tasks_206.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: tasks_206.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds

General
- Target: tasks_206.vir.exe
- Size: 329KB
- MD5: daaf84966d5d348ba931443dc34e697e
- SHA1: c2d2f357706d48017f2f6abef992f9fc38964bc8
- SHA256: ab4b88ea37d6cfd5f6510acb73a14c27b5ef89f3a0103ac9f36cc465579c16c5
- SHA512: 47606574a02e293476f4069e0ca2eba597a832a45668f8bb05de77c88b6f5d5d46895ca64ade3c8f2277aee50f55415138784ad210191d84ee25dd3767d786a9
- Score: 8/10
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 3020, winsec32.exe
- 3864, ulneiwc.exe
- 3340, ulneiwc.exe

Suspicious behavior: EnumeratesProcesses (104 IoCs)
Processes (pid, process; each entry repeated many times in the original report):
- 3864, ulneiwc.exe
- 3340, ulneiwc.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, process; each entry repeated three times in the original report):
- Token: SeShutdownPrivilege, 2976, Explorer.EXE
- Token: SeCreatePagefilePrivilege, 2976, Explorer.EXE

Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process):
- File created, C:\Windows\SysWOW64\winsec32.exe, tasks_206.vir.exe
- File opened for modification, C:\Windows\SysWOW64\winsec32.exe, tasks_206.vir.exe

Adds Run key to start application (2 TTPs, 10 IoCs)
Processes (description, ioc, process):
- Key created, \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, ulneiwc.exe
- Key created, \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, winsec32.exe
- Key created, \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Explorer.EXE
- Set value (str), \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ikiwyhhuxevaog = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ylvyrie\\ulneiwc.exe\"", Explorer.EXE
- Key created, \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ulneiwc.exe
- Set value (str), \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ikiwyhhuxevaog = "C:\\Users\\Admin\\AppData\\Roaming\\Ylvyrie\\ulneiwc.exe", ulneiwc.exe
- Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ikiwyhhuxevaog = "C:\\Users\\Admin\\AppData\\Roaming\\Ylvyrie\\ulneiwc.exe", ulneiwc.exe
- Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ikiwyhhuxevaog = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ylvyrie\\ulneiwc.exe\"", winsec32.exe
- Key created, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Explorer.EXE
- Set value (str), \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ikiwyhhuxevaog = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ylvyrie\\ulneiwc.exe\"", Explorer.EXE

Modifies Internet Explorer settings
Processes (description, ioc, process):
- Key created, \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch, ulneiwc.exe
- Set value (str), \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running", ulneiwc.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description, pid, process, target process; entries repeated in the original report):
- PID 3888 wrote to memory of 3864, 3888, tasks_206.vir.exe, ulneiwc.exe
- PID 3888 wrote to memory of 3324, 3888, tasks_206.vir.exe, cmd.exe
- PID 3864 wrote to memory of 2976, 3864, ulneiwc.exe, Explorer.EXE
- PID 3864 wrote to memory of 3340, 3864, ulneiwc.exe, ulneiwc.exe
- PID 3340 wrote to memory of 2972, 3340, ulneiwc.exe, ctfmon.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 3340, ulneiwc.exe

Drops file in Windows directory (1 IoC)
Processes (description, ioc, process):
- File created, C:\Windows\Tasks\Security Center Update - 826859586.job, tasks_206.vir.exe

Modifies system certificate store
Processes (description, ioc, process):
- Key created, \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349, ulneiwc.exe
- Set value (data), \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not shown), ulneiwc.exe
- Key created, \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4, ulneiwc.exe
- Set value (data), \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob = (blob data not shown), ulneiwc.exe
Processes (process tree; indentation shows parent/child relationship)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious use of AdjustPrivilegeToken
  - Adds Run key to start application
  - child process: C:\Users\Admin\AppData\Local\Temp\tasks_206.vir.exe (command line: "C:\Users\Admin\AppData\Local\Temp\tasks_206.vir.exe")
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - Drops file in Windows directory
    - child process: C:\Users\Admin\AppData\Roaming\Ylvyrie\ulneiwc.exe (command line: "C:\Users\Admin\AppData\Roaming\Ylvyrie\ulneiwc.exe")
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - child process: C:\Users\Admin\AppData\Roaming\Ylvyrie\ulneiwc.exe (command line: "C:\Users\Admin\AppData\Roaming\Ylvyrie\ulneiwc.exe" -child)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetWindowsHookEx
        - Modifies system certificate store
        - child process: C:\Windows\SysWOW64\ctfmon.exe (command line: ctfmon.exe)
    - child process: C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp58b3d438.bat")
- C:\Windows\SysWOW64\winsec32.exe (command line: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Ylvyrie\ulneiwc.exe")
  - Executes dropped EXE
  - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\CJKDNYMY.cookie
- C:\Users\Admin\AppData\Local\Temp\tmp58b3d438.bat
- C:\Users\Admin\AppData\Roaming\Ylvyrie\ulneiwc.exe
- C:\Users\Admin\AppData\Roaming\Ylvyrie\ulneiwc.exe
- C:\Users\Admin\AppData\Roaming\Ylvyrie\ulneiwc.exe
- C:\Windows\SysWOW64\winsec32.exe
- C:\Windows\SysWOW64\winsec32.exe
- memory/2972-15-0x0000000000000000-mapping.dmp
- memory/2976-6-0x0000000000C10000-0x0000000000C11000-memory.dmp (filesize: 4KB)
- memory/3324-5-0x0000000000000000-mapping.dmp
- memory/3340-8-0x0000000000000000-mapping.dmp
- memory/3864-3-0x0000000000000000-mapping.dmp