Analysis
-
max time kernel
65s -
max time network
68s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 23:34
Behavioral task
behavioral1
Sample
vir.exe
Resource
win10v2004-20240426-en
General
-
Target
vir.exe
-
Size
36.2MB
-
MD5
de336bfbdb93119b87a324823c1be2a7
-
SHA1
fdf123c4638dc22599f92c367800867c933eb202
-
SHA256
ce463fca06e66f2c74012a438b2d310985e5b737772f7e684fa9c3f7d3be15fb
-
SHA512
f87e8c717aa8617c126b1fbd40c666e6920cfc467f7e183cbc4c0bd757805387738277f62793f0948ea2df31375c9b82d3affd9ef3eaa63b49def0dbcf3184dd
-
SSDEEP
786432:d4RerlLa3nwEwrkACTe6YQbjGEhM6XHXkvj:+ulW3wEoALHUr
Malware Config
Signatures
-
Kills process with taskkill 2 IoCs
pid Process 4892 taskkill.exe 1684 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4892 taskkill.exe Token: SeDebugPrivilege 1684 taskkill.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3468 wrote to memory of 5400 3468 vir.exe 85 PID 3468 wrote to memory of 5400 3468 vir.exe 85 PID 3468 wrote to memory of 5400 3468 vir.exe 85 PID 5400 wrote to memory of 4892 5400 cmd.exe 87 PID 5400 wrote to memory of 4892 5400 cmd.exe 87 PID 5400 wrote to memory of 4892 5400 cmd.exe 87 PID 5400 wrote to memory of 4212 5400 cmd.exe 90 PID 5400 wrote to memory of 4212 5400 cmd.exe 90 PID 5400 wrote to memory of 4212 5400 cmd.exe 90 PID 2980 wrote to memory of 5628 2980 vir.exe 106 PID 2980 wrote to memory of 5628 2980 vir.exe 106 PID 2980 wrote to memory of 5628 2980 vir.exe 106 PID 5628 wrote to memory of 1684 5628 cmd.exe 108 PID 5628 wrote to memory of 1684 5628 cmd.exe 108 PID 5628 wrote to memory of 1684 5628 cmd.exe 108 PID 5628 wrote to memory of 5436 5628 cmd.exe 109 PID 5628 wrote to memory of 5436 5628 cmd.exe 109 PID 5628 wrote to memory of 5436 5628 cmd.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\vir.exe"C:\Users\Admin\AppData\Local\Temp\vir.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_c83c0fd6-aef9-4241-b9c4-1d350459983c\loader.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:5400 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WindowsDefender.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K main.cmd3⤵PID:4212
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\vir.exe"C:\Users\Admin\AppData\Local\Temp\vir.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_feb52b0f-0b2c-4beb-bb42-a8d8966525a5\loader.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:5628 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WindowsDefender.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K main.cmd3⤵PID:5436
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
520B
MD541c37de2b4598f7759f865817dba5f80
SHA1884ccf344bc2dd409425dc5ace0fd909a5f8cce4
SHA256427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc
SHA512a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd
-
Filesize
51B
MD5e67249c010d7541925320d0e6b94a435
SHA166aa61cc4f66d5315e7c988988b319e0ab5f01f2
SHA2564fc3cb68df5fc781354dcc462bf953b746584b304a84e2d21b340f62e4e330fc
SHA512681698eb0aab92c2209cc06c7d32a34cbc209cc4e63d653c797d06ebf4d9342e4f882b3ab74c294eb345f62af454f5f3a721fe3dbc094ddbe9694e40c953df96