eee761a6932c45c52e7ca0a901eee84191846058ddfb1973ea850400640808f6

General

Target

unnamed 1_1.0.1.0.vir.exe
Size

688KB
MD5

01b86c6bdbe6272b7d12b677d6aadbb5
SHA1

23ac6317ee5aba4b9274316aa90bc869127ab30b
SHA256

eee761a6932c45c52e7ca0a901eee84191846058ddfb1973ea850400640808f6
SHA512

2dd48f3d0217a58a26f470cdb2d713350823b3a5ec633bb27617dad9cbe04a3bc472213a43615f12e6b879e32a02213e924bbfb4ff6f455a544d789746eac4c4

Score

8^/10

persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 40154 IoCs

Processes:

msiexec.exe

pid	process
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe
3888	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hity = "C:\\Users\\Admin\\AppData\\Roaming\\dsj\\ytfeci.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 checkip.dyndns.org

flow	ioc
23	checkip.dyndns.org

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

unnamed 1_1.0.1.0.vir.exe

description	pid	process	target process
PID 3044 wrote to memory of 3888	3044	unnamed 1_1.0.1.0.vir.exe	msiexec.exe
PID 3044 wrote to memory of 3888	3044	unnamed 1_1.0.1.0.vir.exe	msiexec.exe
PID 3044 wrote to memory of 3888	3044	unnamed 1_1.0.1.0.vir.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

unnamed 1_1.0.1.0.vir.exe

pid process

3044 unnamed 1_1.0.1.0.vir.exe
3044 unnamed 1_1.0.1.0.vir.exe
Deletes itself 1 IoCs

Processes:

msiexec.exe

pid process

3888 msiexec.exe

pid	process
3044	unnamed 1_1.0.1.0.vir.exe
3044	unnamed 1_1.0.1.0.vir.exe

Blacklisted process makes network request 61 IoCs

Processes:

msiexec.exe

flow	pid	process
2	3888	msiexec.exe
3	3888	msiexec.exe
4	3888	msiexec.exe
5	3888	msiexec.exe
6	3888	msiexec.exe
7	3888	msiexec.exe
8	3888	msiexec.exe
9	3888	msiexec.exe
10	3888	msiexec.exe
11	3888	msiexec.exe
12	3888	msiexec.exe
13	3888	msiexec.exe
14	3888	msiexec.exe
15	3888	msiexec.exe
16	3888	msiexec.exe
17	3888	msiexec.exe
18	3888	msiexec.exe
19	3888	msiexec.exe
20	3888	msiexec.exe
21	3888	msiexec.exe
22	3888	msiexec.exe
24	3888	msiexec.exe
25	3888	msiexec.exe
26	3888	msiexec.exe
28	3888	msiexec.exe
33	3888	msiexec.exe
34	3888	msiexec.exe
35	3888	msiexec.exe
36	3888	msiexec.exe
37	3888	msiexec.exe
38	3888	msiexec.exe
39	3888	msiexec.exe
40	3888	msiexec.exe
41	3888	msiexec.exe
42	3888	msiexec.exe
43	3888	msiexec.exe
44	3888	msiexec.exe
45	3888	msiexec.exe
46	3888	msiexec.exe
47	3888	msiexec.exe
49	3888	msiexec.exe
50	3888	msiexec.exe
51	3888	msiexec.exe
56	3888	msiexec.exe
57	3888	msiexec.exe
58	3888	msiexec.exe
59	3888	msiexec.exe
60	3888	msiexec.exe
61	3888	msiexec.exe
62	3888	msiexec.exe
63	3888	msiexec.exe
64	3888	msiexec.exe
65	3888	msiexec.exe
66	3888	msiexec.exe
67	3888	msiexec.exe
68	3888	msiexec.exe
69	3888	msiexec.exe
70	3888	msiexec.exe
71	3888	msiexec.exe
72	3888	msiexec.exe
73	3888	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.1.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.1.0.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:3044

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.1.0.vir.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Deletes itself
- Blacklisted process makes network request
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3888-0-0x0000000000000000-mapping.dmp

Download
memory/3888-1-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/3888-2-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads