2ec248973fcd1cc36a216b0f49d619152aba3b19a9aaca2e5a44290e5fd5df71

General

Target

vir.exe
Size

639KB
MD5

6a1aa3bc4ed58b4f7c2fe6c5925b59a2
SHA1

3a4bdc46ba93106a68ccf81dd1ade010ae364b6c
SHA256

2ec248973fcd1cc36a216b0f49d619152aba3b19a9aaca2e5a44290e5fd5df71
SHA512

fe871b0d7978ae7b4f24f2d89309f402e796982a55ee0ab01d1fe2b97bf01299ce046b0b358ceb812192c825d45f6bab017d6c466b005329fffbd511051b24f5
SSDEEP

12288:zSyaLq+JlizYKrwPKpIlNNFDNHak7IBYf66FilHLYQzLKWs7:w/orwSpIlNNFNHriYS60lrRz27

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2992	attrib.exe
808	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	vir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	file3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	file2.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	file2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost32.exe	vir.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost32.exe	vir.exe

Executes dropped EXE 2 IoCs

pid	Process
2456	file2.exe
4936	file3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\user32dll.exe	file2.exe
File opened for modification	C:\Windows\SysWOW64\user32dll.exe	file2.exe
File opened for modification	C:\Windows\SysWOW64\user32dll.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2644	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	vir.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2456	file2.exe
4276	OpenWith.exe
1196	OpenWith.exe
4080	OpenWith.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2456	4420	vir.exe	88
PID 4420 wrote to memory of 2456	4420	vir.exe	88
PID 4420 wrote to memory of 2456	4420	vir.exe	88
PID 4420 wrote to memory of 4936	4420	vir.exe	89
PID 4420 wrote to memory of 4936	4420	vir.exe	89
PID 4420 wrote to memory of 4936	4420	vir.exe	89
PID 4936 wrote to memory of 3964	4936	file3.exe	91
PID 4936 wrote to memory of 3964	4936	file3.exe	91
PID 2456 wrote to memory of 2992	2456	file2.exe	94
PID 2456 wrote to memory of 2992	2456	file2.exe	94
PID 2456 wrote to memory of 2992	2456	file2.exe	94
PID 2456 wrote to memory of 808	2456	file2.exe	97
PID 2456 wrote to memory of 808	2456	file2.exe	97
PID 2456 wrote to memory of 808	2456	file2.exe	97
PID 2456 wrote to memory of 2644	2456	file2.exe	102
PID 2456 wrote to memory of 2644	2456	file2.exe	102
PID 2456 wrote to memory of 2644	2456	file2.exe	102

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2992	attrib.exe
808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\vir.exe
"C:\Users\Admin\AppData\Local\Temp\vir.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\file2.exe
  "C:\Users\Admin\AppData\Local\Temp\file2.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\system32\user32dll.exe"
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2992
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk"
    3⤵
    - Sets file to hidden
    - Drops startup file
    - Views/modifies file attributes
    PID:808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "file2.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\file3.exe
  "C:\Users\Admin\AppData\Local\Temp\file3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4FB6.tmp\4FB7.tmp\4FB8.bat C:\Users\Admin\AppData\Local\Temp\file3.exe"
    3⤵
    PID:3964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4FB6.tmp\4FB7.tmp\4FB8.bat

Filesize
27B

MD5
4a1fc61bb326d50fd70eb4a2124abe27

SHA1
87fb4dc42da26db95f01ef4d45c6e50694e50954

SHA256
b29838bcec3c3d5a714abd34a668fdace537f91b9feb69320da8636a034f36ff

SHA512
9487ad35d175bec979475a56a32366283501041bbb64ac18459d7cebff310dd0f2342beb35978fd8a2923665740df6b1689e4d8fb53873ba77ff722ccad3aae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\file2.exe

Filesize
32KB

MD5
ba42a89ea51c87f3102f0c6184c5614a

SHA1
8f1b5bde4e64e499be8250450dcc0366b41e6d1a

SHA256
21044bad5c3a3abb26a0911aaf7696d6b5e75d0a3c95355cef7a7bc56dbfc621

SHA512
90d283e57518bb461751249f8b2ac0340ffee4f7a59c38dfcbcdf0f004077dfd9c0396b518161910c32cf18b6da2eb2759fb8ea733cf5885f1b38d4733bf25e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file3.exe

Filesize
132KB

MD5
08e38ab37351c044ca54f3c1b9fa7975

SHA1
c23700a021b815d1711cdced027e32426b620908

SHA256
98cd3b62a0d0c56a542df78a4d9bf97778830e0cbcc6e7e623e061035e414101

SHA512
d47d602636baccf1b279c29527e2db6c9dd1414579a2e953863d661bcddd71204216a2714ef2d6d17fdfdc9dc2921d3cea1f876045e7ed82480d3c86092afeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\file6.empty

Filesize
15B

MD5
1ee80a3ca8c142c985758203c13c6a22

SHA1
a06c8b3471f21d8405e6c2e70c62055b7902de0d

SHA256
0359552b4a82ea8e7c3e3fc8d529f3b4f0af3cd8050d728ee49025c24aeb0197

SHA512
51c9545ce13f72af1c25385345a63f905d590a16a7ec8d4da4e3f0ba53a62c2ce0f129a4bd60b7a6536d40632852d84b59561409c99292d5e2dfaac867efb246

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk

Filesize
1KB

MD5
22d124282a74ffdb6f4635a30cc93309

SHA1
b40d0e4651e9c57434db9927187a6464dffc19a0

SHA256
07903899f52e59de78e9a295f038f21243f2126630324d542f40d32f996de6ce

SHA512
7084f8f4408430fa822467b387c62da862aad50b00a089ca2ce81f204451a323e46e2f28d22eb67bf3ccbe8b478ff686531eb2709300086aa3c45a901fe6bc2d

Download Submit
memory/4420-0-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4420-57-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads