a07a151e7a4e4514a55d3053b5e5238d36d9763920489d26d3f545134e806739

General

Target

tasks_152.vir.exe
Size

157KB
MD5

f8465c2e372762b793e3e7fbfd7b324b
SHA1

c13c715e34744c2edc2ccc053a4674bc6dd630fa
SHA256

a07a151e7a4e4514a55d3053b5e5238d36d9763920489d26d3f545134e806739
SHA512

0ffb1a0cefa035c1e3463bfa71c107e8ca5291529f3e35ef29ad80536556e5975fec71fd27199d8a3190dc4c9e322e4cf9c73f41a82cb317d0d15071cf402f78

Score

8^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

tasks_152.vir.exe

pid process

1460 tasks_152.vir.exe

pid	process
1460	tasks_152.vir.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

feikege.exe

pid	process
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe
1048	feikege.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

feikege.exe

pid process

1048 feikege.exe
1048 feikege.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

feikege.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main feikege.exe
Executes dropped EXE 3 IoCs

Processes:

winsec.exefeikege.exefeikege.exe

pid process

1564 winsec.exe
1012 feikege.exe
1048 feikege.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1644 cmd.exe
Drops file in Windows directory 1 IoCs

Processes:

tasks_152.vir.exe

description ioc process

File created C:\Windows\Tasks\Security Center Update - 1629615579.job tasks_152.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	feikege.exe

pid	process
1564	winsec.exe
1012	feikege.exe
1048	feikege.exe

pid	process
1644	cmd.exe

description	ioc	process
File created	C:\Windows\Tasks\Security Center Update - 1629615579.job	tasks_152.vir.exe

Drops file in System32 directory 2 IoCs

Processes:

tasks_152.vir.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winsec.exe	tasks_152.vir.exe
File opened for modification	C:\Windows\SysWOW64\winsec.exe	tasks_152.vir.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

feikege.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	feikege.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\3787377976 = "C:\\Users\\Admin\\AppData\\Roaming\\Wymekag\\feikege.exe"	feikege.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	feikege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3787377976 = "C:\\Users\\Admin\\AppData\\Roaming\\Wymekag\\feikege.exe"	feikege.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

tasks_152.vir.exefeikege.exefeikege.exe

description	pid	process	target process
PID 1460 wrote to memory of 1012	1460	tasks_152.vir.exe	feikege.exe
PID 1460 wrote to memory of 1012	1460	tasks_152.vir.exe	feikege.exe
PID 1460 wrote to memory of 1012	1460	tasks_152.vir.exe	feikege.exe
PID 1460 wrote to memory of 1012	1460	tasks_152.vir.exe	feikege.exe
PID 1012 wrote to memory of 1048	1012	feikege.exe	feikege.exe
PID 1012 wrote to memory of 1048	1012	feikege.exe	feikege.exe
PID 1012 wrote to memory of 1048	1012	feikege.exe	feikege.exe
PID 1012 wrote to memory of 1048	1012	feikege.exe	feikege.exe
PID 1460 wrote to memory of 1644	1460	tasks_152.vir.exe	cmd.exe
PID 1460 wrote to memory of 1644	1460	tasks_152.vir.exe	cmd.exe
PID 1460 wrote to memory of 1644	1460	tasks_152.vir.exe	cmd.exe
PID 1460 wrote to memory of 1644	1460	tasks_152.vir.exe	cmd.exe
PID 1048 wrote to memory of 1780	1048	feikege.exe	ctfmon.exe
PID 1048 wrote to memory of 1780	1048	feikege.exe	ctfmon.exe
PID 1048 wrote to memory of 1780	1048	feikege.exe	ctfmon.exe
PID 1048 wrote to memory of 1780	1048	feikege.exe	ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\tasks_152.vir.exe
"C:\Users\Admin\AppData\Local\Temp\tasks_152.vir.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe
"C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe
"C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe" -child
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpced96ff7.bat"
2⤵
- Deletes itself
PID:1644

C:\Windows\SysWOW64\winsec.exe
"C:\Windows\SysWOW64\winsec.exe" -service "C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe"
1⤵
- Executes dropped EXE
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpced96ff7.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8KXVPQF9.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe

Download Submit
C:\Windows\SysWOW64\winsec.exe

Download Submit
C:\Windows\SysWOW64\winsec.exe

Download Submit
\Users\Admin\AppData\Roaming\Wymekag\feikege.exe

Download Submit
memory/1012-4-0x0000000000000000-mapping.dmp

Download
memory/1048-6-0x0000000000000000-mapping.dmp

Download
memory/1644-8-0x0000000000000000-mapping.dmp

Download
memory/1780-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads