Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows7_x64
- resource: win7
- submitted: 19-07-2020 17:27
Static task
- static1

Behavioral task
- behavioral1
  - Sample: gameover_0.0.0.20.vir.exe
  - Resource: win7 (windows7_x64)
  - 0 signatures
  - 0 seconds

Behavioral task
- behavioral2
  - Sample: gameover_0.0.0.20.vir.exe
  - Resource: win10 (windows10_x64)
  - 0 signatures
  - 0 seconds
General
- Target: gameover_0.0.0.20.vir.exe
- Size: 256KB
- MD5: 7a816c84601a3766a2b2412c74d65a2d
- SHA1: 31947062310747d6068a52998b50de40dd117288
- SHA256: d7c1fc3ccb794a45e2d26267ee537ed174773f7d67114e23585e2b2c565257cb
- SHA512: e135255cca25e3f3d91f96e1bd498c378ecbd60a328fe22a556fd7beda37922308def0de1e45a2eb6128815320b009e341aa5dc37c8afe5a4d11dba52616632e
- Score: 8/10
Malware Config
Signatures

- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  112  gameover_0.0.0.20.vir.exe
  112  gameover_0.0.0.20.vir.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  set thread context of 1072  112  gameover_0.0.0.20.vir.exe  cmd.exe

- Deletes itself (1 IoC)
  Processes (pid, process):
  1072  cmd.exe

- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  Set value (int)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  gameover_0.0.0.20.vir.exe
  Key created  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy  gameover_0.0.0.20.vir.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run  uwpuf.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B32BE588-FA87-AD4A-B43F-706FBDDA5372} = "C:\\Users\\Admin\\AppData\\Roaming\\Ircuor\\uwpuf.exe"  uwpuf.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  Token: SeSecurityPrivilege  112  gameover_0.0.0.20.vir.exe
  Token: SeSecurityPrivilege  112  gameover_0.0.0.20.vir.exe
  Token: SeSecurityPrivilege  112  gameover_0.0.0.20.vir.exe

- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description, pid, process, target process; identical rows grouped with their count):
  PID 112 wrote to memory of 596   112  gameover_0.0.0.20.vir.exe  uwpuf.exe  (x4)
  PID 596 wrote to memory of 1180  596  uwpuf.exe  taskhost.exe  (x5)
  PID 596 wrote to memory of 1256  596  uwpuf.exe  Dwm.exe  (x5)
  PID 596 wrote to memory of 1300  596  uwpuf.exe  Explorer.EXE  (x5)
  PID 596 wrote to memory of 112   596  uwpuf.exe  gameover_0.0.0.20.vir.exe  (x5)
  PID 112 wrote to memory of 1072  112  gameover_0.0.0.20.vir.exe  cmd.exe  (x9)

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  596  uwpuf.exe

- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes (pid, process):
  596  uwpuf.exe  (x31)
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe" (depth 1)
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe" (depth 1)
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE (depth 1)
- C:\Users\Admin\AppData\Local\Temp\gameover_0.0.0.20.vir.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\gameover_0.0.0.20.vir.exe" (depth 2)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Ircuor\uwpuf.exe
    command line: "C:\Users\Admin\AppData\Roaming\Ircuor\uwpuf.exe" (depth 3)
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe15ee242.bat" (depth 3)
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpe15ee242.bat
- C:\Users\Admin\AppData\Roaming\Ircuor\uwpuf.exe
- C:\Users\Admin\AppData\Roaming\Ircuor\uwpuf.exe
- C:\Users\Admin\AppData\Roaming\Tujy\leoju.ims
- \Users\Admin\AppData\Roaming\Ircuor\uwpuf.exe
- \Users\Admin\AppData\Roaming\Ircuor\uwpuf.exe
- memory/596-2-0x0000000000000000-mapping.dmp
- memory/1072-6-0x0000000000170000-0x00000000001A5000-memory.dmp (Filesize: 212KB)
- memory/1072-7-0x0000000000176B22-mapping.dmp