c6e6f26516053badbfcd313f80de7b43ef234026fb8317e9855e6a55b80f835d

General

Target

tasks_183.vir.exe
Size

214KB
MD5

a6232e5060608d255adb79681bba40cc
SHA1

31ae96c33a48cbb9977351d5899fc4cd72c3e26c
SHA256

c6e6f26516053badbfcd313f80de7b43ef234026fb8317e9855e6a55b80f835d
SHA512

4f76d9a258d15b0023095d5f3cd8eec065abb066596b432840aff9987a78faf8fda9cf00c4d5985ac393ac22c307b4c1ce9f619ee5c5b15db86fd540f6524974

Score

8^/10

persistence evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE
Executes dropped EXE 3 IoCs

Processes:

winsec32.exevivuy.exevivuy.exe

pid process

1492 winsec32.exe
1592 vivuy.exe
1524 vivuy.exe
Loads dropped DLL 1 IoCs

Processes:

tasks_183.vir.exe

pid process

1412 tasks_183.vir.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

pid	process
1492	winsec32.exe
1592	vivuy.exe
1524	vivuy.exe

pid	process
1412	tasks_183.vir.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Drops file in System32 directory 2 IoCs

Processes:

tasks_183.vir.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winsec32.exe	tasks_183.vir.exe
File opened for modification	C:\Windows\SysWOW64\winsec32.exe	tasks_183.vir.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

vivuy.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main vivuy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	vivuy.exe

Suspicious behavior: EnumeratesProcesses 97 IoCs

Processes:

vivuy.exevivuy.exe

pid	process
1592	vivuy.exe
1592	vivuy.exe
1592	vivuy.exe
1592	vivuy.exe
1592	vivuy.exe
1592	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe
1524	vivuy.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

tasks_183.vir.exevivuy.exevivuy.exe

description	pid	process	target process
PID 1412 wrote to memory of 1592	1412	tasks_183.vir.exe	vivuy.exe
PID 1412 wrote to memory of 1592	1412	tasks_183.vir.exe	vivuy.exe
PID 1412 wrote to memory of 1592	1412	tasks_183.vir.exe	vivuy.exe
PID 1412 wrote to memory of 1592	1412	tasks_183.vir.exe	vivuy.exe
PID 1592 wrote to memory of 1212	1592	vivuy.exe	Explorer.EXE
PID 1592 wrote to memory of 1212	1592	vivuy.exe	Explorer.EXE
PID 1592 wrote to memory of 1212	1592	vivuy.exe	Explorer.EXE
PID 1592 wrote to memory of 1212	1592	vivuy.exe	Explorer.EXE
PID 1592 wrote to memory of 1212	1592	vivuy.exe	Explorer.EXE
PID 1592 wrote to memory of 1212	1592	vivuy.exe	Explorer.EXE
PID 1592 wrote to memory of 1212	1592	vivuy.exe	Explorer.EXE
PID 1592 wrote to memory of 1524	1592	vivuy.exe	vivuy.exe
PID 1592 wrote to memory of 1524	1592	vivuy.exe	vivuy.exe
PID 1592 wrote to memory of 1524	1592	vivuy.exe	vivuy.exe
PID 1592 wrote to memory of 1524	1592	vivuy.exe	vivuy.exe
PID 1412 wrote to memory of 1500	1412	tasks_183.vir.exe	cmd.exe
PID 1412 wrote to memory of 1500	1412	tasks_183.vir.exe	cmd.exe
PID 1412 wrote to memory of 1500	1412	tasks_183.vir.exe	cmd.exe
PID 1412 wrote to memory of 1500	1412	tasks_183.vir.exe	cmd.exe
PID 1524 wrote to memory of 1836	1524	vivuy.exe	ctfmon.exe
PID 1524 wrote to memory of 1836	1524	vivuy.exe	ctfmon.exe
PID 1524 wrote to memory of 1836	1524	vivuy.exe	ctfmon.exe
PID 1524 wrote to memory of 1836	1524	vivuy.exe	ctfmon.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1500 cmd.exe

pid	process
1500	cmd.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

tasks_183.vir.exewinsec32.exevivuy.exevivuy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	tasks_183.vir.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winsec32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vivuy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vivuy.exe

Drops file in Windows directory 1 IoCs

Processes:

tasks_183.vir.exe

description ioc process

File created C:\Windows\Tasks\Security Center Update - 2472499381.job tasks_183.vir.exe

description	ioc	process
File created	C:\Windows\Tasks\Security Center Update - 2472499381.job	tasks_183.vir.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winsec32.exeExplorer.EXEvivuy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winsec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe\""	winsec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vivuy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe"	vivuy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vivuy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Izledyuxowag = "C:\\Users\\Admin\\AppData\\Roaming\\Opxyriy\\vivuy.exe"	vivuy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vivuy.exe

pid process

1524 vivuy.exe
1524 vivuy.exe

pid	process
1524	vivuy.exe
1524	vivuy.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
- Suspicious use of FindShellTrayWindow
- Adds Run key to start application
PID:1212

C:\Users\Admin\AppData\Local\Temp\tasks_183.vir.exe
"C:\Users\Admin\AppData\Local\Temp\tasks_183.vir.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
- Drops file in Windows directory
PID:1412

C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe
"C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
- Adds Run key to start application
PID:1592

C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe
"C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe" -child
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
5⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8235e65.bat"
3⤵
- Deletes itself
PID:1500

C:\Windows\SysWOW64\winsec32.exe
"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Adds Run key to start application
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe8235e65.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TGWR3MD0.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe

Download Submit
C:\Windows\SysWOW64\winsec32.exe

Download Submit
C:\Windows\SysWOW64\winsec32.exe

Download Submit
\Users\Admin\AppData\Roaming\Opxyriy\vivuy.exe

Download Submit
memory/1212-6-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1500-14-0x0000000000000000-mapping.dmp

Download
memory/1524-12-0x0000000000000000-mapping.dmp

Download
memory/1592-4-0x0000000000000000-mapping.dmp

Download
memory/1836-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads