Analysis
-
max time kernel
17s -
max time network
19s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
24-05-2024 00:05
General
-
Target
vir.exe
-
Size
36.9MB
-
MD5
2d4e021175d1b6bbee51be15e9bec384
-
SHA1
24256916b2c654a4c9055f0e1e6fe423654310f0
-
SHA256
cb9036f98e1865c5b9d4a82f76fc60176bf6353ee3e1a41d72c198bf992cd19d
-
SHA512
cbbf62fa974781192db459c546b5cd575d59ec528e04a63a8f7d8eb3fabec810ddef5c41d854aac4633fea0a36129b1a263540b38d0f77594799aa5af90d448d
-
SSDEEP
786432:J4RerlLa3nbEwrkACTe6YQbjGEhM6XHXkvj:aulW3bEoALHUr
Malware Config
Signatures
-
.NET Reactor proctector 35 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies registry class 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\vir.exe"C:\Users\Admin\AppData\Local\Temp\vir.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\main.cmd" "2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WindowsDefender.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\Rover.exeRover.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\web.htm3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacd1c3cb8,0x7ffacd1c3cc8,0x7ffacd1c3cd84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,10845542644916710736,1446915014530673093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\helper.vbs"3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\spinner.gif3⤵
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\psiphon3.exepsiphon3.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 18444⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\vir_75d7f261-14ee-4d09-aa07-44719b677553\regmess.exeregmess.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_063a7685-adb5-437d-8275-2364a9045ba7\regmess.bat" "4⤵
-
C:\Windows\SysWOW64\reg.exereg import Setup.reg /reg:325⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 103⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2664 -ip 26641⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59faad3e004614b187287bed750e56acc
SHA1eeea3627a208df5a8cf627b0d39561167d272ac5
SHA25664a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9
SHA512a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90
-
Filesize
152B
MD57915c5c12c884cc2fa03af40f3d2e49d
SHA1d48085f85761cde9c287b0b70a918c7ce8008629
SHA256e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da
SHA5124c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217
-
Filesize
61B
MD54df4574bfbb7e0b0bc56c2c9b12b6c47
SHA181efcbd3e3da8221444a21f45305af6fa4b71907
SHA256e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA51278b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
Filesize
5KB
MD599501bef66b95be9fdeb147cb1a37b46
SHA19a99778bc45002facf5f3dcbef48ddef4d5ac071
SHA2569a40881ab81007a4ffc6d8cead22bb9053e177058f1d0fa574ce3616f50034d7
SHA512028e61e6fb62dfa2290f412514cf2a74d306876192557c2b9e665fe4e7982bffcd0bc8a7029059c94bc1cf33f0e2df76755f59ea572bd27c1cce97149c7c3fe9
-
Filesize
5KB
MD52d81a77939a16d1dd1bfe6db3b57a652
SHA1da5cbcacd7ee1ddcd6deb049edfe4ff2722816ee
SHA2566992b6303c35401259c82b891913e1f646987c7aefed8ef19761a323bbb7aa58
SHA5129d97728f49d3d9ebe2354c4d37d1310f2c969e41d25f4eb9a718b2e3b456df098e246619539d752ec7edc0071df347d8543bd4c68474c806af602ee98e8ac053
-
Filesize
11KB
MD5a6936de53c87e5fcb9dbe104105c4004
SHA1bce9595c52011d24d88a01dad743b2758ba9aa2f
SHA256a8a929c49991b4ea400df8ad603fa6b687750036ab600c7eca5da3ce6bb88ad2
SHA512555abd1c2f784eef8177f6fafc863acea5ceda6be143df0361640f20e4ce791370a831935dd246dd31a2e0e372583d56273c9b4e48205ba9f67b1ed430b24f40
-
Filesize
10KB
MD5bee007a5a5b6e1001cfc391d178cf5ba
SHA14478c5db863011a846ad2db5cf5e30a8cdb5f819
SHA2568001fb963acb6e4342750a3b0a704c353107b60516dbdb614c5192e199168d50
SHA512120ece82ec85b4dc1d25e004899848a50c5b5c3fc32971890a9fd7b22840881fa89c22a2102d3878e516f039e1a5f2c63687862f04de0111011cd38279125c41
-
Filesize
28B
MD57cb66dc89fe80337d3cc76467cfdcf98
SHA18b683342a055b3a5ba0ab6e7089872165d69d5bc
SHA2562609e65a1aedbbd73c5679675f07da7b171e48111a556a62935a8843f93e0127
SHA51254d27b3b74b12d5ce86806efd0a5a5ac6e6df99c08415cbe815b0ef1d45fc0dce2c9342badd302278134c1526070ba3796914b5206529d4f9045d8448a3079e8
-
Filesize
392B
MD5d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1fb7d36907e200920fe632fb192c546b68f28c03a
SHA256a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA5122fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401
-
Filesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
Filesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
Filesize
1KB
MD5bb130f376e3b817134b94e9c832d6843
SHA1c528cb7076567d7ce3e25232b5f5927ffa8eff10
SHA256974486e4604fce6a4873f49d7ec18625533e2ec7bd78bf68a0be20dd8859d1d7
SHA512a523527edd3255c7e0515ddac57d518dd003f7692976bfbcb86fd363c887595160cadd3073dee6a79aa32c80336f4b4b65eb92179ba4ec691ac3be3137b3ff7e
-
Filesize
7.4MB
MD550b9d2aea0106f1953c6dc506a7d6d0a
SHA11317c91d02bbe65740524b759d3d34a57caff35a
SHA256b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d
SHA5129581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c
-
Filesize
680KB
MD530bba5cf00fd210476978618539058d9
SHA136c0160196e41561991404bf96efae9a952f1ca0
SHA256162947d11d177ccf6da4eb75f56877e14341b24f8a06b503c7d13f43bd653bcd
SHA512449830ae87e66182c811ed21036e90bcbce6c78a972581d5bcb71bdf2bca07ffea263c9be74cf3619b1ba8f377ea014a4c840f1510cae92fbe1f3c1dd507fd7c
-
Filesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
Filesize
212B
MD5e81c57260456ac0df66ef4e88138bed3
SHA10304e684033142a96e049461c0c8b1420b8fb650
SHA2564b22f2f0add8546487bd4f1cc6eba404ee5353c10cf0eae58ce5b664ca1e2485
SHA512d73b58c087b660dc7d9f1c81828e4e6d7368bd3d702d6dcff719345d7d612685b1747979c89c483d35e480ded9666fdd2178452444b87e9f402ba01b0e43771c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
7.7MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
6.9MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
7.7MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.3MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
22.2MB
-
Filesize
22.2MB
-
Filesize
7.7MB
-
Filesize
144KB
-
Filesize
560KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
