Analysis
max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 19:46
Static task: static1
Behavioral task: behavioral1
  Sample: tasks_152.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: tasks_152.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: tasks_152.vir.exe
Size: 157KB
MD5: f8465c2e372762b793e3e7fbfd7b324b
SHA1: c13c715e34744c2edc2ccc053a4674bc6dd630fa
SHA256: a07a151e7a4e4514a55d3053b5e5238d36d9763920489d26d3f545134e806739
SHA512: 0ffb1a0cefa035c1e3463bfa71c107e8ca5291529f3e35ef29ad80536556e5975fec71fd27199d8a3190dc4c9e322e4cf9c73f41a82cb317d0d15071cf402f78
Score: 8/10
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  Processes: pid 1460 tasks_152.vir.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: pid 1048 feikege.exe (11 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: pid 1048 feikege.exe (2 entries)
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main (feikege.exe)
- Executes dropped EXE (3 IoCs)
  Processes: pid 1564 winsec.exe; pid 1012 feikege.exe; pid 1048 feikege.exe
- Deletes itself (1 IoCs)
  Processes: pid 1644 cmd.exe
- Drops file in Windows directory (1 IoCs)
  File created: C:\Windows\Tasks\Security Center Update - 1629615579.job (tasks_152.vir.exe)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\winsec.exe (tasks_152.vir.exe)
  File opened for modification: C:\Windows\SysWOW64\winsec.exe (tasks_152.vir.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (feikege.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\3787377976 = "C:\\Users\\Admin\\AppData\\Roaming\\Wymekag\\feikege.exe" (feikege.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (feikege.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3787377976 = "C:\\Users\\Admin\\AppData\\Roaming\\Wymekag\\feikege.exe" (feikege.exe)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1460 (tasks_152.vir.exe) wrote to memory of PID 1012 (feikege.exe), 4 entries
  PID 1012 (feikege.exe) wrote to memory of PID 1048 (feikege.exe), 4 entries
  PID 1460 (tasks_152.vir.exe) wrote to memory of PID 1644 (cmd.exe), 4 entries
  PID 1048 (feikege.exe) wrote to memory of PID 1780 (ctfmon.exe), 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\tasks_152.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tasks_152.vir.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe" -child
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Modifies Internet Explorer settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\ctfmon.exe
              Command line: ctfmon.exe
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpced96ff7.bat"
      - Deletes itself
C:\Windows\SysWOW64\winsec.exe
  Command line: "C:\Windows\SysWOW64\winsec.exe" -service "C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpced96ff7.bat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8KXVPQF9.txt
- C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe
- C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe
- C:\Users\Admin\AppData\Roaming\Wymekag\feikege.exe
- C:\Windows\SysWOW64\winsec.exe
- C:\Windows\SysWOW64\winsec.exe
- \Users\Admin\AppData\Roaming\Wymekag\feikege.exe
- memory/1012-4-0x0000000000000000-mapping.dmp
- memory/1048-6-0x0000000000000000-mapping.dmp
- memory/1644-8-0x0000000000000000-mapping.dmp
- memory/1780-10-0x0000000000000000-mapping.dmp