7b4337184880f3cacdc58db416278fb34dc7ca8f8f8292b5c7e14abadcb9ef5f

General

Target

unnamed 1_1.0.6.0.vir.exe
Size

688KB
MD5

bcebdd7668b10fafa8ecad1d335e97bf
SHA1

7c60785354c17dab9952716439dc009251ebbc9b
SHA256

7b4337184880f3cacdc58db416278fb34dc7ca8f8f8292b5c7e14abadcb9ef5f
SHA512

0669c4ed70fe272a6d56b2991cfb5eafef32776440a9014d3d322c1fce46a9e2000d77c0161e415857c59511259db6fb65233deb8b5d1f9e7ea6bfa4f580330d

Score

8^/10

persistence

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 checkip.dyndns.org

flow	ioc
29	checkip.dyndns.org

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

unnamed 1_1.0.6.0.vir.exe

description	pid	process	target process
PID 1492 wrote to memory of 1588	1492	unnamed 1_1.0.6.0.vir.exe	msiexec.exe
PID 1492 wrote to memory of 1588	1492	unnamed 1_1.0.6.0.vir.exe	msiexec.exe
PID 1492 wrote to memory of 1588	1492	unnamed 1_1.0.6.0.vir.exe	msiexec.exe
PID 1492 wrote to memory of 1588	1492	unnamed 1_1.0.6.0.vir.exe	msiexec.exe
PID 1492 wrote to memory of 1588	1492	unnamed 1_1.0.6.0.vir.exe	msiexec.exe
PID 1492 wrote to memory of 1588	1492	unnamed 1_1.0.6.0.vir.exe	msiexec.exe
PID 1492 wrote to memory of 1588	1492	unnamed 1_1.0.6.0.vir.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

unnamed 1_1.0.6.0.vir.exe

pid process

1492 unnamed 1_1.0.6.0.vir.exe
1492 unnamed 1_1.0.6.0.vir.exe
Deletes itself 1 IoCs

Processes:

msiexec.exe

pid process

1588 msiexec.exe

pid	process
1492	unnamed 1_1.0.6.0.vir.exe
1492	unnamed 1_1.0.6.0.vir.exe

Blacklisted process makes network request 81 IoCs

Processes:

msiexec.exe

flow	pid	process
1	1588	msiexec.exe
2	1588	msiexec.exe
3	1588	msiexec.exe
4	1588	msiexec.exe
5	1588	msiexec.exe
6	1588	msiexec.exe
7	1588	msiexec.exe
8	1588	msiexec.exe
9	1588	msiexec.exe
10	1588	msiexec.exe
11	1588	msiexec.exe
12	1588	msiexec.exe
13	1588	msiexec.exe
14	1588	msiexec.exe
15	1588	msiexec.exe
16	1588	msiexec.exe
17	1588	msiexec.exe
18	1588	msiexec.exe
19	1588	msiexec.exe
20	1588	msiexec.exe
21	1588	msiexec.exe
22	1588	msiexec.exe
24	1588	msiexec.exe
23	1588	msiexec.exe
25	1588	msiexec.exe
26	1588	msiexec.exe
27	1588	msiexec.exe
30	1588	msiexec.exe
32	1588	msiexec.exe
33	1588	msiexec.exe
34	1588	msiexec.exe
35	1588	msiexec.exe
36	1588	msiexec.exe
39	1588	msiexec.exe
40	1588	msiexec.exe
41	1588	msiexec.exe
42	1588	msiexec.exe
43	1588	msiexec.exe
44	1588	msiexec.exe
45	1588	msiexec.exe
46	1588	msiexec.exe
47	1588	msiexec.exe
48	1588	msiexec.exe
49	1588	msiexec.exe
50	1588	msiexec.exe
51	1588	msiexec.exe
52	1588	msiexec.exe
53	1588	msiexec.exe
54	1588	msiexec.exe
55	1588	msiexec.exe
56	1588	msiexec.exe
57	1588	msiexec.exe
58	1588	msiexec.exe
59	1588	msiexec.exe
60	1588	msiexec.exe
61	1588	msiexec.exe
62	1588	msiexec.exe
63	1588	msiexec.exe
64	1588	msiexec.exe
65	1588	msiexec.exe
66	1588	msiexec.exe
67	1588	msiexec.exe
68	1588	msiexec.exe
69	1588	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5797 IoCs

Processes:

msiexec.exe

pid	process
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe
1588	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kyoberro = "C:\\Users\\Admin\\AppData\\Roaming\\iyl\\akugu.exe"	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.6.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.6.0.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1492

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.6.0.vir.exe"
2⤵
- Deletes itself
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1588-0-0x0000000000000000-mapping.dmp

Download
memory/1588-1-0x0000000000AE0000-0x0000000000AF4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads