Analysis
Max time kernel: 151s
Max time network: 147s
Platform: windows7_x64
Resource: win7v200430
Submitted: 19-07-2020 16:36
Static task: static1
Behavioral task: behavioral1
  Sample: gameover_0.0.0.19.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: gameover_0.0.0.19.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: gameover_0.0.0.19.vir.exe
Size: 174KB
MD5: d43d030290edf6eda09c93ac2425addd
SHA1: 7533a161e30270bd599d9439e0514f116d4d3cc9
SHA256: c381ea5f5924e2b62d56e5c9ff223598649ff8884a0f88c4362409190bcc5f3e
SHA512: 9b17ff70d07fcb04d16ad6d008a7a863c65db1e9f646ddcdc336a79cb98134d187bfbe115988272b2f1a5b3f036fc7da452788fa190db0a0fe40bb3aea836508
Score: 8/10
Malware Config
Signatures
Modifies Internet Explorer settings
Processes: gameover_0.0.0.19.vir.exe
  Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy (process: gameover_0.0.0.19.vir.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (process: gameover_0.0.0.19.vir.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: yweht.exe
  Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run (process: yweht.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{FE7A6C08-DE7A-AD4A-FBCE-7998FCA35A85} = "C:\\Users\\Admin\\AppData\\Roaming\\Becyi\\yweht.exe" (process: yweht.exe)
Suspicious behavior: EnumeratesProcesses (35 IoCs)
Processes: gameover_0.0.0.19.vir.exe, yweht.exe
  PID 1020 gameover_0.0.0.19.vir.exe (2 entries)
  PID 872 yweht.exe (33 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: gameover_0.0.0.19.vir.exe
  Token: SeSecurityPrivilege, PID 1020 gameover_0.0.0.19.vir.exe (3 entries)
Loads dropped DLL (2 IoCs)
Processes: gameover_0.0.0.19.vir.exe
  PID 1020 gameover_0.0.0.19.vir.exe (2 entries)
Executes dropped EXE (1 IoC)
Processes: yweht.exe
  PID 872 yweht.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: gameover_0.0.0.19.vir.exe
  PID 1020 gameover_0.0.0.19.vir.exe set thread context of PID 1036 cmd.exe
Suspicious use of WriteProcessMemory (33 IoCs)
Processes: gameover_0.0.0.19.vir.exe, yweht.exe
  PID 1020 gameover_0.0.0.19.vir.exe wrote to memory of PID 872 yweht.exe (4 entries)
  PID 872 yweht.exe wrote to memory of PID 1072 taskhost.exe (5 entries)
  PID 872 yweht.exe wrote to memory of PID 1128 Dwm.exe (5 entries)
  PID 872 yweht.exe wrote to memory of PID 1184 Explorer.EXE (5 entries)
  PID 872 yweht.exe wrote to memory of PID 1020 gameover_0.0.0.19.vir.exe (5 entries)
  PID 1020 gameover_0.0.0.19.vir.exe wrote to memory of PID 1036 cmd.exe (9 entries)
Deletes itself (1 IoC)
Processes: cmd.exe
  PID 1036 cmd.exe
Processes
(Each entry gives the image path, the command line, and the signatures attributed to that process; indentation follows the depth markers of the original process tree.)
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\gameover_0.0.0.19.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gameover_0.0.0.19.vir.exe"
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Becyi\yweht.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Becyi\yweht.exe"
      Signatures:
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4efab572.bat"
      Signatures:
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4efab572.bat
- C:\Users\Admin\AppData\Roaming\Becyi\yweht.exe
- C:\Users\Admin\AppData\Roaming\Becyi\yweht.exe
- C:\Users\Admin\AppData\Roaming\Qyna\hoyd.dia
- \Users\Admin\AppData\Roaming\Becyi\yweht.exe
- \Users\Admin\AppData\Roaming\Becyi\yweht.exe
- memory/872-2-0x0000000000000000-mapping.dmp
- memory/1036-6-0x0000000000050000-0x0000000000085000-memory.dmp (Filesize: 212KB)
- memory/1036-7-0x000000000006BEFB-mapping.dmp