Analysis
Max time kernel: 151s
Max time network: 131s
Platform: windows7_x64
Resource: win7v200430
Submitted: 19-07-2020 19:34
Static task: static1
Behavioral task: behavioral1
  Sample: unnamed 1_1.0.1.0.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: unnamed 1_1.0.1.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: unnamed 1_1.0.1.0.vir.exe
Size: 688KB
MD5: 01b86c6bdbe6272b7d12b677d6aadbb5
SHA1: 23ac6317ee5aba4b9274316aa90bc869127ab30b
SHA256: eee761a6932c45c52e7ca0a901eee84191846058ddfb1973ea850400640808f6
SHA512: 2dd48f3d0217a58a26f470cdb2d713350823b3a5ec633bb27617dad9cbe04a3bc472213a43615f12e6b879e32a02213e924bbfb4ff6f455a544d789746eac4c4
Score: 8/10
Malware Config
Signatures
Blacklisted process makes network request (61 IoCs)
Processes:
  flow    pid  process
  1-21    868  msiexec.exe
  25-28   868  msiexec.exe
  31-48   868  msiexec.exe
  50-67   868  msiexec.exe
Suspicious behavior: EnumeratesProcesses (5880 IoCs)
Processes:
  pid  process
  868  msiexec.exe (the same entry is repeated for every IoC)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created by msiexec.exe:
    \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) by msiexec.exe:
    \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Olsuymeh = "C:\\Users\\Admin\\AppData\\Roaming\\aepfbfq\\kasen.exe"
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  24    checkip.dyndns.org
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  PID 1296 (unnamed 1_1.0.1.0.vir.exe) wrote to memory of PID 868 (msiexec.exe); the same entry is recorded 7 times.
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid   process
  1296  unnamed 1_1.0.1.0.vir.exe (2 entries)
Deletes itself (1 IoC)
Processes:
  pid  process
  868  msiexec.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.1.0.vir.exe (PID 1296)
   Command line: "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.1.0.vir.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   2. C:\Windows\SysWOW64\msiexec.exe (PID 868, child of 1)
      Command line: msiexec.exe "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.1.0.vir.exe"
      - Blacklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
      - Deletes itself