Analysis
-
max time kernel
9s -
max time network
12s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
19-07-2020 16:48
Errors
Reason
Machine shutdown
General
-
Target
action_2.0.8.9.vir.exe
-
Size
380KB
-
MD5
11b3ae60c845189bbec476f762476e69
-
SHA1
28461e56f09813363ccc1fa686e48938afde7ec4
-
SHA256
b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67
-
SHA512
4b235b560f0cd9d011017aec3ccbe5636a3c78905ecc401403ec2e01db809bfa3c4ecf973615ded1b54041c7e0a572ac9e6031fd56615a3621d4a9351c40c88e
Score
10/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 90 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Stops running service(s) 3 TTPs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\action_2.0.8.9.vir.exe"C:\Users\Admin\AppData\Local\Temp\action_2.0.8.9.vir.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Pyohva\tuup.exe"C:\Users\Admin\AppData\Roaming\Pyohva\tuup.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc stop wuauserv3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc config wuauserv start= disabled3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start= disabled4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc stop wscsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop wscsvc4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc config wscsvc start= disabled3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start= disabled4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc stop WinDefend3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc config WinDefend start= disabled3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc stop WdNisSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WdNisSvc4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc config WdNisSvc start= disabled3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config WdNisSvc start= disabled4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc stop MpsSvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop MpsSvc4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc config MpsSvc start= disabled3⤵
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start= disabled4⤵
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp62262603.bat" C:\Users\Admin\AppData\Local\Temp\action_2.0.8.9.vir.exe"2⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3acc055 /state1:0x41c64e6d1⤵
- Suspicious use of SetWindowsHookEx
- Modifies data under HKEY_USERS
- Modifies WinLogon to allow AutoLogon
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp62262603.bat
-
C:\Users\Admin\AppData\Roaming\Pyohva\tuup.exe
-
C:\Users\Admin\AppData\Roaming\Pyohva\tuup.exe
-
memory/952-34-0x0000000000000000-mapping.dmp
-
memory/988-14-0x0000000000000000-mapping.dmp
-
memory/1012-20-0x0000000000000000-mapping.dmp
-
memory/1260-0-0x00000000005FF000-0x0000000000602000-memory.dmpFilesize
12KB
-
memory/1300-28-0x0000000000000000-mapping.dmp
-
memory/1564-4-0x000000000067D000-0x000000000067E000-memory.dmpFilesize
4KB
-
memory/1564-1-0x0000000000000000-mapping.dmp
-
memory/1732-24-0x0000000000000000-mapping.dmp
-
memory/1832-5-0x0000000000000000-mapping.dmp
-
memory/1872-15-0x0000000000000000-mapping.dmp
-
memory/2008-26-0x0000000000000000-mapping.dmp
-
memory/2148-6-0x0000000000000000-mapping.dmp
-
memory/2164-25-0x0000000000000000-mapping.dmp
-
memory/2184-7-0x0000000000000000-mapping.dmp
-
memory/2604-8-0x0000000000000000-mapping.dmp
-
memory/2632-27-0x0000000000000000-mapping.dmp
-
memory/2772-9-0x0000000000000000-mapping.dmp
-
memory/2772-29-0x0000000000000000-mapping.dmp
-
memory/3068-17-0x0000000000000000-mapping.dmp
-
memory/3168-18-0x0000000000000000-mapping.dmp
-
memory/3528-16-0x0000000000000000-mapping.dmp
-
memory/3664-19-0x0000000000000000-mapping.dmp
-
memory/3712-22-0x0000000000000000-mapping.dmp
-
memory/3716-21-0x0000000000000000-mapping.dmp
-
memory/3764-31-0x0000000000000000-mapping.dmp
-
memory/3864-23-0x0000000000000000-mapping.dmp
-
memory/3924-33-0x0000000000000000-mapping.dmp
-
memory/3924-10-0x0000000000000000-mapping.dmp
-
memory/3956-13-0x0000000000000000-mapping.dmp
-
memory/3992-30-0x0000000000000000-mapping.dmp
-
memory/4032-32-0x0000000000000000-mapping.dmp
-
memory/4032-12-0x0000000000000000-mapping.dmp