9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390

Analysis

max time kernel
194s
max time network
242s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 16:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe
Size

339KB
MD5

8439680cdcfe6e732e560d9e88f4ec54
SHA1

c3fbb99e370ea28e197fa135ac7ed1b9e9377346
SHA256

9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390
SHA512

df6e9296f6d817b745b0dbe3d519e5313fd8cec6f7ec9c9f02af5b12b40954c1c74289d034b5194db76b7ea948856f47941467d69966419b2362b2230b003a78
SSDEEP

6144:XA76TljCh2Hb2baqDqhmmvClvdwpjc3K8CtY:3CQ72+MrmRaK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
320	vimys.exe

Deletes itself 1 IoCs

pid	Process
548	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	vimys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Bekyc\\vimys.exe"	vimys.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe
320	vimys.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe
320	vimys.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 320	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	27
PID 996 wrote to memory of 320	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	27
PID 996 wrote to memory of 320	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	27
PID 996 wrote to memory of 320	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	27
PID 996 wrote to memory of 320	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	27
PID 996 wrote to memory of 320	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	27
PID 996 wrote to memory of 320	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	27
PID 320 wrote to memory of 1124	320	vimys.exe	16
PID 320 wrote to memory of 1124	320	vimys.exe	16
PID 320 wrote to memory of 1124	320	vimys.exe	16
PID 320 wrote to memory of 1124	320	vimys.exe	16
PID 320 wrote to memory of 1124	320	vimys.exe	16
PID 320 wrote to memory of 1176	320	vimys.exe	15
PID 320 wrote to memory of 1176	320	vimys.exe	15
PID 320 wrote to memory of 1176	320	vimys.exe	15
PID 320 wrote to memory of 1176	320	vimys.exe	15
PID 320 wrote to memory of 1176	320	vimys.exe	15
PID 320 wrote to memory of 1264	320	vimys.exe	9
PID 320 wrote to memory of 1264	320	vimys.exe	9
PID 320 wrote to memory of 1264	320	vimys.exe	9
PID 320 wrote to memory of 1264	320	vimys.exe	9
PID 320 wrote to memory of 1264	320	vimys.exe	9
PID 320 wrote to memory of 996	320	vimys.exe	22
PID 320 wrote to memory of 996	320	vimys.exe	22
PID 320 wrote to memory of 996	320	vimys.exe	22
PID 320 wrote to memory of 996	320	vimys.exe	22
PID 320 wrote to memory of 996	320	vimys.exe	22
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28
PID 996 wrote to memory of 548	996	9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe
  "C:\Users\Admin\AppData\Local\Temp\9a27d7f2ebd219772e66496bb74f87fab3bead160ea50be12690f0bd52178390.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Roaming\Bekyc\vimys.exe
    "C:\Users\Admin\AppData\Roaming\Bekyc\vimys.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2fd14afa.bat"
    3⤵
    - Deletes itself
    PID:548

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2fd14afa.bat

Filesize
307B

MD5
8aab66b184519e53cad09e6b1414bb12

SHA1
c018ca0f533ea74c16ab40898c14a806b3d4e6c4

SHA256
4c009faed2657c2f949d4b15e1a8a1d2ceb774223d1e8eb33676e592bb021091

SHA512
026fe6aaad328bc08cbbe40af490fc6eb0f15be12749cbd4c6b3ebb53da53fa3b32203db3481fced2ccdbfa600cb95e56979e176cf51e0e948dfd27f9649a17e

Download Submit
C:\Users\Admin\AppData\Roaming\Bekyc\vimys.exe

Filesize
339KB

MD5
cd234168d9da029583b07e2f5de8a5b1

SHA1
b215369b5b05a2f7e91879cb93d2580d39d5209c

SHA256
124dfb6634f0f86f2105950de11cff314a7cee0c61db98216b5019b2b00e72f1

SHA512
f81211733cd57d6fd03f33526bf9348c44ce7e84c7ffda945a71e62f623f8ebbe7dc4bc623df36ba08009f77eb90a5466d503e40c54fccb31e31f3553ba57a71

Download Submit
C:\Users\Admin\AppData\Roaming\Bekyc\vimys.exe

Filesize
339KB

MD5
cd234168d9da029583b07e2f5de8a5b1

SHA1
b215369b5b05a2f7e91879cb93d2580d39d5209c

SHA256
124dfb6634f0f86f2105950de11cff314a7cee0c61db98216b5019b2b00e72f1

SHA512
f81211733cd57d6fd03f33526bf9348c44ce7e84c7ffda945a71e62f623f8ebbe7dc4bc623df36ba08009f77eb90a5466d503e40c54fccb31e31f3553ba57a71

Download Submit
\Users\Admin\AppData\Roaming\Bekyc\vimys.exe

Filesize
339KB

MD5
cd234168d9da029583b07e2f5de8a5b1

SHA1
b215369b5b05a2f7e91879cb93d2580d39d5209c

SHA256
124dfb6634f0f86f2105950de11cff314a7cee0c61db98216b5019b2b00e72f1

SHA512
f81211733cd57d6fd03f33526bf9348c44ce7e84c7ffda945a71e62f623f8ebbe7dc4bc623df36ba08009f77eb90a5466d503e40c54fccb31e31f3553ba57a71

Download Submit
memory/320-103-0x00000000004B0000-0x00000000004F7000-memory.dmp

Filesize
284KB

Download
memory/320-104-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/548-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/548-116-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/548-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/548-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/548-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/548-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/548-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/548-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/548-95-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/548-99-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/548-98-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/548-97-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/996-105-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/996-117-0x0000000001F30000-0x0000000001F88000-memory.dmp

Filesize
352KB

Download
memory/996-84-0x0000000001F30000-0x0000000001F77000-memory.dmp

Filesize
284KB

Download
memory/996-85-0x0000000001F30000-0x0000000001F77000-memory.dmp

Filesize
284KB

Download
memory/996-86-0x0000000001F30000-0x0000000001F77000-memory.dmp

Filesize
284KB

Download
memory/996-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/996-106-0x0000000001F30000-0x0000000001F88000-memory.dmp

Filesize
352KB

Download
memory/996-55-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/996-57-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/996-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/996-83-0x0000000001F30000-0x0000000001F77000-memory.dmp

Filesize
284KB

Download
memory/996-102-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/996-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/996-101-0x00000000002A0000-0x00000000002E7000-memory.dmp

Filesize
284KB

Download
memory/1124-63-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1124-67-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1124-65-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1124-66-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1124-68-0x0000000001E80000-0x0000000001EC7000-memory.dmp

Filesize
284KB

Download
memory/1176-74-0x0000000001DE0000-0x0000000001E27000-memory.dmp

Filesize
284KB

Download
memory/1176-71-0x0000000001DE0000-0x0000000001E27000-memory.dmp

Filesize
284KB

Download
memory/1176-72-0x0000000001DE0000-0x0000000001E27000-memory.dmp

Filesize
284KB

Download
memory/1176-73-0x0000000001DE0000-0x0000000001E27000-memory.dmp

Filesize
284KB

Download
memory/1264-77-0x0000000002C30000-0x0000000002C77000-memory.dmp

Filesize
284KB

Download
memory/1264-78-0x0000000002C30000-0x0000000002C77000-memory.dmp

Filesize
284KB

Download
memory/1264-79-0x0000000002C30000-0x0000000002C77000-memory.dmp

Filesize
284KB

Download
memory/1264-80-0x0000000002C30000-0x0000000002C77000-memory.dmp

Filesize
284KB

Download