Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:52
Static task: static1

Behavioral task: behavioral1
- Sample: tasks_183.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: tasks_183.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: tasks_183.vir.exe
- Size: 214KB
- MD5: a6232e5060608d255adb79681bba40cc
- SHA1: 31ae96c33a48cbb9977351d5899fc4cd72c3e26c
- SHA256: c6e6f26516053badbfcd313f80de7b43ef234026fb8317e9855e6a55b80f835d
- SHA512: 4f76d9a258d15b0023095d5f3cd8eec065abb066596b432840aff9987a78faf8fda9cf00c4d5985ac393ac22c307b4c1ce9f619ee5c5b15db86fd540f6524974
- Score: 8/10
Malware Config

Signatures

Checks whether UAC is enabled
Processes: Explorer.EXE
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Explorer.EXE)
Executes dropped EXE (3 IoCs)
Processes: winsec32.exe, vivuy.exe, vivuy.exe
- pid 1492: winsec32.exe
- pid 1592: vivuy.exe
- pid 1524: vivuy.exe

Loads dropped DLL (1 IoC)
Processes: tasks_183.vir.exe
- pid 1412: tasks_183.vir.exe

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
- pid 1212: Explorer.EXE (4 entries)

Drops file in System32 directory (2 IoCs)
Processes: tasks_183.vir.exe
- File created: C:\Windows\SysWOW64\winsec32.exe (tasks_183.vir.exe)
- File opened for modification: C:\Windows\SysWOW64\winsec32.exe (tasks_183.vir.exe)
Modifies Internet Explorer settings
Processes: vivuy.exe
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main (vivuy.exe)
Suspicious behavior: EnumeratesProcesses (97 IoCs)
Processes: vivuy.exe, vivuy.exe
- pid 1592: vivuy.exe (6 entries)
- pid 1524: vivuy.exe (remaining entries, repeated)

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: Explorer.EXE
- pid 1212: Explorer.EXE (5 entries)

Suspicious use of WriteProcessMemory (23 IoCs)
Processes: tasks_183.vir.exe, vivuy.exe, vivuy.exe
- PID 1412 (tasks_183.vir.exe) wrote to memory of 1592 (vivuy.exe): 4 entries
- PID 1592 (vivuy.exe) wrote to memory of 1212 (Explorer.EXE): 7 entries
- PID 1592 (vivuy.exe) wrote to memory of 1524 (vivuy.exe): 4 entries
- PID 1412 (tasks_183.vir.exe) wrote to memory of 1500 (cmd.exe): 4 entries
- PID 1524 (vivuy.exe) wrote to memory of 1836 (ctfmon.exe): 4 entries

Deletes itself (1 IoC)
Processes: cmd.exe
- pid 1500: cmd.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes: tasks_183.vir.exe, winsec32.exe, vivuy.exe, vivuy.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (tasks_183.vir.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (winsec32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (vivuy.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (vivuy.exe)

Drops file in Windows directory (1 IoC)
Processes: tasks_183.vir.exe
- File created: C:\Windows\Tasks\Security Center Update - 2472499381.job (tasks_183.vir.exe)

Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: winsec32.exe, Explorer.EXE, vivuy.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (winsec32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe\"" (winsec32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Explorer.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe\"" (Explorer.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (vivuy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe\"" (Explorer.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Explorer.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe" (vivuy.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (vivuy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe" (vivuy.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: vivuy.exe
- pid 1524: vivuy.exe (2 entries)
Processes

- [depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Checks whether UAC is enabled
  - Suspicious use of SendNotifyMessage
  - Suspicious use of FindShellTrayWindow
  - Adds Run key to start application

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\tasks_183.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tasks_183.vir.exe"
    Signatures:
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - Enumerates system info in registry
    - Drops file in Windows directory

    - [depth 3] C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Enumerates system info in registry
      - Adds Run key to start application

      - [depth 4] C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe" -child
        Signatures:
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - Enumerates system info in registry
        - Suspicious use of SetWindowsHookEx

        - [depth 5] C:\Windows\SysWOW64\ctfmon.exe
          Command line: ctfmon.exe

    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8235e65.bat"
      Signatures:
      - Deletes itself

- [depth 1] C:\Windows\SysWOW64\winsec32.exe
  Command line: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe"
  Signatures:
  - Executes dropped EXE
  - Enumerates system info in registry
  - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpe8235e65.bat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TGWR3MD0.txt
- C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe (listed 3 times)
- C:\Windows\SysWOW64\winsec32.exe (listed 2 times)
- \Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe
- memory/1212-6-0x0000000004A30000-0x0000000004A31000-memory.dmp (Filesize: 4KB)
- memory/1500-14-0x0000000000000000-mapping.dmp
- memory/1524-12-0x0000000000000000-mapping.dmp
- memory/1592-4-0x0000000000000000-mapping.dmp
- memory/1836-16-0x0000000000000000-mapping.dmp