ce463fca06e66f2c74012a438b2d310985e5b737772f7e684fa9c3f7d3be15fb

Analysis

max time kernel
65s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vir.exe
Size

36.2MB
MD5

de336bfbdb93119b87a324823c1be2a7
SHA1

fdf123c4638dc22599f92c367800867c933eb202
SHA256

ce463fca06e66f2c74012a438b2d310985e5b737772f7e684fa9c3f7d3be15fb
SHA512

f87e8c717aa8617c126b1fbd40c666e6920cfc467f7e183cbc4c0bd757805387738277f62793f0948ea2df31375c9b82d3affd9ef3eaa63b49def0dbcf3184dd
SSDEEP

786432:d4RerlLa3nwEwrkACTe6YQbjGEhM6XHXkvj:+ulW3wEoALHUr

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4892 taskkill.exe
1684 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4892 taskkill.exe
Token: SeDebugPrivilege 1684 taskkill.exe

pid	process
4892	taskkill.exe
1684	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

vir.execmd.exevir.execmd.exe

description	pid	process	target process
PID 3468 wrote to memory of 5400	3468	vir.exe	cmd.exe
PID 3468 wrote to memory of 5400	3468	vir.exe	cmd.exe
PID 3468 wrote to memory of 5400	3468	vir.exe	cmd.exe
PID 5400 wrote to memory of 4892	5400	cmd.exe	taskkill.exe
PID 5400 wrote to memory of 4892	5400	cmd.exe	taskkill.exe
PID 5400 wrote to memory of 4892	5400	cmd.exe	taskkill.exe
PID 5400 wrote to memory of 4212	5400	cmd.exe	cmd.exe
PID 5400 wrote to memory of 4212	5400	cmd.exe	cmd.exe
PID 5400 wrote to memory of 4212	5400	cmd.exe	cmd.exe
PID 2980 wrote to memory of 5628	2980	vir.exe	cmd.exe
PID 2980 wrote to memory of 5628	2980	vir.exe	cmd.exe
PID 2980 wrote to memory of 5628	2980	vir.exe	cmd.exe
PID 5628 wrote to memory of 1684	5628	cmd.exe	taskkill.exe
PID 5628 wrote to memory of 1684	5628	cmd.exe	taskkill.exe
PID 5628 wrote to memory of 1684	5628	cmd.exe	taskkill.exe
PID 5628 wrote to memory of 5436	5628	cmd.exe	cmd.exe
PID 5628 wrote to memory of 5436	5628	cmd.exe	cmd.exe
PID 5628 wrote to memory of 5436	5628	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\vir.exe
"C:\Users\Admin\AppData\Local\Temp\vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_c83c0fd6-aef9-4241-b9c4-1d350459983c\loader.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WindowsDefender.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K main.cmd
3⤵
PID:4212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\vir.exe
"C:\Users\Admin\AppData\Local\Temp\vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_feb52b0f-0b2c-4beb-bb42-a8d8966525a5\loader.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WindowsDefender.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K main.cmd
3⤵
PID:5436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vir.exe.log

Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir_c83c0fd6-aef9-4241-b9c4-1d350459983c\loader.bat

Filesize
51B

MD5
e67249c010d7541925320d0e6b94a435

SHA1
66aa61cc4f66d5315e7c988988b319e0ab5f01f2

SHA256
4fc3cb68df5fc781354dcc462bf953b746584b304a84e2d21b340f62e4e330fc

SHA512
681698eb0aab92c2209cc06c7d32a34cbc209cc4e63d653c797d06ebf4d9342e4f882b3ab74c294eb345f62af454f5f3a721fe3dbc094ddbe9694e40c953df96

Download Submit
memory/2980-62-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2980-63-0x0000000004B20000-0x0000000004B44000-memory.dmp

Filesize
144KB

Download
memory/2980-64-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/2980-119-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3468-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3468-1-0x0000000000ED0000-0x0000000000F5C000-memory.dmp

Filesize
560KB

Download
memory/3468-2-0x0000000003310000-0x0000000003334000-memory.dmp

Filesize
144KB

Download
memory/3468-3-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3468-4-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/3468-60-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download