Overview

overview

8

Static

static

gameover_0...ir.exe

windows7_x64

8

gameover_0...ir.exe

windows10_x64

1

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    19-07-2020 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gameover_0.0.0.19.vir.exe

  • Size

    174KB

  • MD5

    d43d030290edf6eda09c93ac2425addd

  • SHA1

    7533a161e30270bd599d9439e0514f116d4d3cc9

  • SHA256

    c381ea5f5924e2b62d56e5c9ff223598649ff8884a0f88c4362409190bcc5f3e

  • SHA512

    9b17ff70d07fcb04d16ad6d008a7a863c65db1e9f646ddcdc336a79cb98134d187bfbe115988272b2f1a5b3f036fc7da452788fa190db0a0fe40bb3aea836508

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Deletes itself 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1072
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1128
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1184
          • C:\Users\Admin\AppData\Local\Temp\gameover_0.0.0.19.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\gameover_0.0.0.19.vir.exe"
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1020
            • C:\Users\Admin\AppData\Roaming\Becyi\yweht.exe
              "C:\Users\Admin\AppData\Roaming\Becyi\yweht.exe"
              3⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:872
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4efab572.bat"
              3⤵
              • Deletes itself
              PID:1036

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp4efab572.bat
          Download Submit
        • C:\Users\Admin\AppData\Roaming\Becyi\yweht.exe
          Download Submit
        • C:\Users\Admin\AppData\Roaming\Becyi\yweht.exe
          Download Submit
        • C:\Users\Admin\AppData\Roaming\Qyna\hoyd.dia
          Download Submit
        • \Users\Admin\AppData\Roaming\Becyi\yweht.exe
          Download Submit
        • \Users\Admin\AppData\Roaming\Becyi\yweht.exe
          Download Submit
        • memory/872-2-0x0000000000000000-mapping.dmp
          Download
        • memory/1036-6-0x0000000000050000-0x0000000000085000-memory.dmp
          Filesize

          212KB

          Download
        • memory/1036-7-0x000000000006BEFB-mapping.dmp
          Download