Analysis
Max time kernel: 150s
Max time network: 144s
Platform: windows7_x64
Resource: win7
Submitted: 19-07-2020 19:27

Static task: static1
Behavioral task: behavioral1
  Sample: tasks_62.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: tasks_62.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: tasks_62.vir.exe
Size: 149KB
MD5: c61aead90afb983a54d8a4785692130c
SHA1: b880c3d0887d371ff8e731f479a046d13f5f732a
SHA256: 4346aab98348203c37445ca65e44656d69cc0175c89efa69d155c604901c6a14
SHA512: 769d08eb92622dbdfbc36b32fa5890ff4e41d7a4d43cf2387f9b0e83eb3c6e27fcdb1162396b6ee28501a0d2c8db2d6ea9b3a3812d7b0ef8a566c5e333c7e0c6
Score: 8/10
Malware Config
Signatures
Drops file in Windows directory (1 IoC)
  Process: tasks_62.vir.exe
    File created: C:\Windows\Tasks\Security Center Update - 2888848354.job

Adds Run key to start application (2 TTPs, 4 IoCs)
  Process: idemnyy.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1956583408 = "C:\\Users\\Admin\\AppData\\Roaming\\Ehtyepke\\idemnyy.exe"
    Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\1956583408 = "C:\\Users\\Admin\\AppData\\Roaming\\Ehtyepke\\idemnyy.exe"

Loads dropped DLL (1 IoC)
  Process: tasks_62.vir.exe (PID 1144)

Deletes itself (1 IoC)
  Process: cmd.exe (PID 544)

Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: idemnyy.exe (PID 796), idemnyy.exe (PID 796)

Modifies Internet Explorer settings
  Process: idemnyy.exe
    Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main

Executes dropped EXE (3 IoCs)
  Processes: winsec.exe (PID 1116), idemnyy.exe (PID 1432), idemnyy.exe (PID 796)

Suspicious use of WriteProcessMemory (22 IoCs)
  Source process -> target process (number of write events):
    PID 1144 tasks_62.vir.exe -> PID 1432 idemnyy.exe (4)
    PID 1432 idemnyy.exe -> PID 796 idemnyy.exe (10)
    PID 1144 tasks_62.vir.exe -> PID 544 cmd.exe (4)
    PID 796 idemnyy.exe -> PID 1484 ctfmon.exe (4)

Drops file in System32 directory (2 IoCs)
  Process: tasks_62.vir.exe
    File created: C:\Windows\SysWOW64\winsec.exe
    File opened for modification: C:\Windows\SysWOW64\winsec.exe
Processes
(indentation shows the parent/child tree; each entry gives image path, command line, and triggered signatures)

C:\Users\Admin\AppData\Local\Temp\tasks_62.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tasks_62.vir.exe"
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Drops file in System32 directory

  C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe"
    - Adds Run key to start application
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe" -child
      - Suspicious use of SetWindowsHookEx
      - Modifies Internet Explorer settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\ctfmon.exe
        Command line: ctfmon.exe

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp47e38e15.bat"
    - Deletes itself

C:\Windows\SysWOW64\winsec.exe
  Command line: "C:\Windows\SysWOW64\winsec.exe" -service "C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp47e38e15.bat
- C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe
- C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe
- C:\Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe
- C:\Windows\SysWOW64\winsec.exe
- C:\Windows\SysWOW64\winsec.exe
- \Users\Admin\AppData\Roaming\Ehtyepke\idemnyy.exe
- memory/544-13-0x0000000000000000-mapping.dmp
- memory/796-6-0x00000000001C0000-0x00000000001C1000-memory.dmp (4KB)
- memory/796-10-0x00000000001C0000-0x00000000001C1000-memory.dmp (4KB)
- memory/796-11-0x0000000000000000-mapping.dmp
- memory/796-9-0x00000000001D0000-0x00000000001D0002-memory.dmp (2B)
- memory/796-7-0x00000000001C0000-0x00000000001C1000-memory.dmp (4KB)
- memory/1432-4-0x0000000000000000-mapping.dmp
- memory/1484-15-0x0000000000000000-mapping.dmp