4346aab98348203c37445ca65e44656d69cc0175c89efa69d155c604901c6a14

General

Target

tasks_62.vir.exe
Size

149KB
MD5

c61aead90afb983a54d8a4785692130c
SHA1

b880c3d0887d371ff8e731f479a046d13f5f732a
SHA256

4346aab98348203c37445ca65e44656d69cc0175c89efa69d155c604901c6a14
SHA512

769d08eb92622dbdfbc36b32fa5890ff4e41d7a4d43cf2387f9b0e83eb3c6e27fcdb1162396b6ee28501a0d2c8db2d6ea9b3a3812d7b0ef8a566c5e333c7e0c6

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

tasks_62.vir.exe

description ioc process

File created C:\Windows\Tasks\Security Center Update - 2888848354.job tasks_62.vir.exe

description	ioc	process
File created	C:\Windows\Tasks\Security Center Update - 2888848354.job	tasks_62.vir.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

idemnyy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	idemnyy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1956583408 = "C:\\Users\\Admin\\AppData\\Roaming\\Ehtyepke\\idemnyy.exe"	idemnyy.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	idemnyy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\1956583408 = "C:\\Users\\Admin\\AppData\\Roaming\\Ehtyepke\\idemnyy.exe"	idemnyy.exe

Loads dropped DLL 1 IoCs

Processes:

tasks_62.vir.exe

pid process

1144 tasks_62.vir.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

544 cmd.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

idemnyy.exe

pid process

796 idemnyy.exe
796 idemnyy.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

idemnyy.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main idemnyy.exe
Executes dropped EXE 3 IoCs

Processes:

winsec.exeidemnyy.exeidemnyy.exe

pid process

1116 winsec.exe
1432 idemnyy.exe
796 idemnyy.exe

pid	process
1144	tasks_62.vir.exe

pid	process
544	cmd.exe

pid	process
796	idemnyy.exe
796	idemnyy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	idemnyy.exe

pid	process
1116	winsec.exe
1432	idemnyy.exe
796	idemnyy.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

tasks_62.vir.exeidemnyy.exeidemnyy.exe

description	pid	process	target process
PID 1144 wrote to memory of 1432	1144	tasks_62.vir.exe	idemnyy.exe
PID 1144 wrote to memory of 1432	1144	tasks_62.vir.exe	idemnyy.exe
PID 1144 wrote to memory of 1432	1144	tasks_62.vir.exe	idemnyy.exe
PID 1144 wrote to memory of 1432	1144	tasks_62.vir.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1432 wrote to memory of 796	1432	idemnyy.exe	idemnyy.exe
PID 1144 wrote to memory of 544	1144	tasks_62.vir.exe	cmd.exe
PID 1144 wrote to memory of 544	1144	tasks_62.vir.exe	cmd.exe
PID 1144 wrote to memory of 544	1144	tasks_62.vir.exe	cmd.exe
PID 1144 wrote to memory of 544	1144	tasks_62.vir.exe	cmd.exe
PID 796 wrote to memory of 1484	796	idemnyy.exe	ctfmon.exe
PID 796 wrote to memory of 1484	796	idemnyy.exe	ctfmon.exe
PID 796 wrote to memory of 1484	796	idemnyy.exe	ctfmon.exe
PID 796 wrote to memory of 1484	796	idemnyy.exe	ctfmon.exe

Drops file in System32 directory 2 IoCs

Processes:

tasks_62.vir.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winsec.exe	tasks_62.vir.exe
File opened for modification	C:\Windows\SysWOW64\winsec.exe	tasks_62.vir.exe

C:\Users\Admin\AppData\Local\Temp\tasks_62.vir.exe
"C:\Users\Admin\AppData\Local\Temp\tasks_62.vir.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:1144

C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe
"C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe
"C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe" -child
3⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp47e38e15.bat"
2⤵
- Deletes itself
PID:544

C:\Windows\SysWOW64\winsec.exe
"C:\Windows\SysWOW64\winsec.exe" -service "C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe"
1⤵
- Executes dropped EXE
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp47e38e15.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe

Download Submit
C:\Windows\SysWOW64\winsec.exe

Download Submit
C:\Windows\SysWOW64\winsec.exe

Download Submit
\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe

Download Submit
memory/544-13-0x0000000000000000-mapping.dmp

Download
memory/796-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/796-10-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/796-11-0x0000000000000000-mapping.dmp

Download
memory/796-9-0x00000000001D0000-0x00000000001D0002-memory.dmp

Filesize
2B

Download
memory/796-7-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1432-4-0x0000000000000000-mapping.dmp

Download
memory/1484-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads