Analysis

  • max time kernel
    117s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 19:44

General

  • Target

    uncategorized_9.0.0.2.vir.exe

  • Size

    224KB

  • MD5

    3706da30e1fc51212ae95aff2fae57ad

  • SHA1

    72029dca348d3fa4faa43d9999fa1b744bb559cd

  • SHA256

    19d32c1fc7c6fa9a5924aeb6ce69d8e5211c3e458eb51178171e0c75f129c48a

  • SHA512

    0d8ae837a6e0a0f9ad582fb94b5a997d30066194f8428e77bdfa2cbe2669dbaa3784752ea41e354c9806bde1792392d930c0d365522f4f0cc762595e00b16897

Malware Config

Signatures

  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 875 IoCs
  • Enumerates system info in registry 2 TTPs 32 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of WriteProcessMemory 76 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1092
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1180
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1228
          • C:\Users\Admin\AppData\Local\Temp\uncategorized_9.0.0.2.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\uncategorized_9.0.0.2.vir.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1464
            • C:\Users\Admin\AppData\Local\Temp\uncategorized_9.0.0.2.vir.exe
              C:\Users\Admin\AppData\Local\Temp\uncategorized_9.0.0.2.vir.exe
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1496
              • C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
                "C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1044
                • C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
                  C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
                  5⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:928
                  • C:\Program Files (x86)\internet explorer\iexplore.exe
                    iexplore.exe -k "about:blank"
                    6⤵
                    • Checks whether UAC is enabled
                    • Suspicious use of WriteProcessMemory
                    PID:1900
                    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -k "about:blank"
                      7⤵
                      • Checks whether UAC is enabled
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:1340
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275457 /prefetch:2
                        8⤵
                          PID:1660
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpba3a5369.bat"
                  4⤵
                  • Deletes itself
                  PID:1484
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:784
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x0
              1⤵
                PID:1844
              • C:\Windows\system32\csrss.exe
                %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                1⤵
                • Enumerates system info in registry
                • Suspicious use of WriteProcessMemory
                PID:2032
              • C:\Windows\system32\winlogon.exe
                winlogon.exe
                1⤵
                • Modifies data under HKEY_USERS
                PID:328
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x0
                  2⤵
                  • Modifies WinLogon to allow AutoLogon
                  • Suspicious use of AdjustPrivilegeToken
                  PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Winlogon Helper DLL (T1004): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 3
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 1
Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpba3a5369.bat
  • C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
  • C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
  • C:\Users\Admin\AppData\Roaming\Rihano\dyis.exe
  • \Users\Admin\AppData\Roaming\Rihano\dyis.exe
  • \Users\Admin\AppData\Roaming\Rihano\dyis.exe
  • memory/328-21-0x0000000001DB0000-0x0000000001DB1000-memory.dmp (Filesize: 4KB)
  • memory/924-19-0x0000000000000000-mapping.dmp
  • memory/928-9-0x0000000000410440-mapping.dmp
  • memory/1044-5-0x0000000000000000-mapping.dmp
  • memory/1340-16-0x0000000000000000-mapping.dmp
  • memory/1484-12-0x0000000000000000-mapping.dmp
  • memory/1484-14-0x0000000000000000-mapping.dmp
  • memory/1496-0-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/1496-2-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/1496-1-0x0000000000410440-mapping.dmp
  • memory/1660-17-0x0000000000000000-mapping.dmp
  • memory/1844-18-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
  • memory/1900-15-0x0000000000000000-mapping.dmp