Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 19:46
Static task: static1

Behavioral task: behavioral1
- Sample: unnamed 1_1.0.6.0.vir.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: unnamed 1_1.0.6.0.vir.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: unnamed 1_1.0.6.0.vir.exe
- Size: 688KB
- MD5: bcebdd7668b10fafa8ecad1d335e97bf
- SHA1: 7c60785354c17dab9952716439dc009251ebbc9b
- SHA256: 7b4337184880f3cacdc58db416278fb34dc7ca8f8f8292b5c7e14abadcb9ef5f
- SHA512: 0669c4ed70fe272a6d56b2991cfb5eafef32776440a9014d3d322c1fce46a9e2000d77c0161e415857c59511259db6fb65233deb8b5d1f9e7ea6bfa4f580330d
- Score: 8/10
Malware Config
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 32, ioc checkip.dyndns.org

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: unnamed 1_1.0.6.0.vir.exe
  - PID 652 (unnamed 1_1.0.6.0.vir.exe) wrote to memory of PID 804 (msiexec.exe) (3 identical entries)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: unnamed 1_1.0.6.0.vir.exe (PID 652), 2 entries

- Deletes itself (1 IoC)
  Processes: msiexec.exe (PID 804)
- Blacklisted process makes network request (81 IoCs)
  Processes: msiexec.exe (PID 804)
- Suspicious behavior: EnumeratesProcesses (43555 IoCs)
  Processes: msiexec.exe (PID 804)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uqfausyk = "C:\\Users\\Admin\\AppData\\Roaming\\iyn\\hupix.exe"
Processes
- C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.6.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.6.0.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Child process: C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec.exe "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.6.0.vir.exe"
    - Deletes itself
    - Blacklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run key to start application