Overview

overview

8

Static

static

uncategori...ir.exe

windows7_x64

8

uncategori...ir.exe

windows10_x64

3

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 19:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uncategorized_2.0.2.1.vir.exe

  • Size

    129KB

  • MD5

    b2dc0bf15f4334f8a6fa26a7b42cd371

  • SHA1

    9718e1ce431f1a7e460d4e48c9ba9fd3bcf8e0f9

  • SHA256

    5d29cc33d90b21321625dca2d097b4d5015b1f4ff955422ea0c51442ac27e1e3

  • SHA512

    13cd5fddfd5acea0b194dc53d18e6f183edf4da105130f0183f13d3241dd07ebd54171b541340a71caec082bf2793ee64fb4f195cfad57def7d9a1540f6931a6

Score
8/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of SetThreadContext 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1180
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1256
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1300
          • C:\Users\Admin\AppData\Local\Temp\uncategorized_2.0.2.1.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\uncategorized_2.0.2.1.vir.exe"
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Loads dropped DLL
            • Modifies Internet Explorer settings
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SetThreadContext
            PID:112
            • C:\Users\Admin\AppData\Roaming\Gula\codeq.exe
              "C:\Users\Admin\AppData\Roaming\Gula\codeq.exe"
              3⤵
              • Adds Run key to start application
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              • Suspicious behavior: EnumeratesProcesses
              PID:596
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp865f95f3.bat"
              3⤵
              • Deletes itself
              PID:1048
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
          1⤵
            PID:1808
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1856
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:1912
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:1100
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                  1⤵
                    PID:268

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Registry Run Keys / Startup Folder

                  1
                  T1060

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  2
                  T1112

                  Credential Access

                  Discovery

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmp865f95f3.bat
                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Gula\codeq.exe
                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Gula\codeq.exe
                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Wiod\byib.beu
                    Download Submit
                  • \Users\Admin\AppData\Roaming\Gula\codeq.exe
                    Download Submit
                  • memory/596-1-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1048-4-0x0000000000050000-0x000000000006E000-memory.dmp
                    Filesize

                    120KB

                    Download
                  • memory/1048-6-0x000000000005BE78-mapping.dmp
                    Download