0c80fa8807477cff8c9c3ed7b2a857538f022b1e8829020d09f60bd71f1afd9a

General

Target

skynet_0.3.vir.exe
Size

14.3MB
MD5

dfc6739d6c5fddfc0e3a7289b60462d6
SHA1

63a3c16db8254d4e5b0b450e34962612057f21ca
SHA256

0c80fa8807477cff8c9c3ed7b2a857538f022b1e8829020d09f60bd71f1afd9a
SHA512

82ac3acf52e42b2447553ea6a8035b5d2a17c330b3ab63db457cc89d229919434b8cfa95704fd927b9edc5e867c366952c243e540983ec22054860cebaf8680c

Score

8^/10

upx

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

skynet_0.3.vir.exeskynet_0.3.vir.exe

description	pid	process	target process
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2288 wrote to memory of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2408 wrote to memory of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3844	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3844	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3844	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3844	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3844	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3844	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3844	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 wrote to memory of 3844	2408	skynet_0.3.vir.exe	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

skynet_0.3.vir.exeskynet_0.3.vir.exe

description	pid	process	target process
PID 2288 set thread context of 2408	2288	skynet_0.3.vir.exe	skynet_0.3.vir.exe
PID 2408 set thread context of 3036	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 set thread context of 3788	2408	skynet_0.3.vir.exe	svchost.exe
PID 2408 set thread context of 3844	2408	skynet_0.3.vir.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exe

pid process

3036 svchost.exe
3036 svchost.exe
3036 svchost.exe
3036 svchost.exe

pid	process
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe
3036	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3036-3-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral2/memory/3036-6-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral2/memory/3036-11-0x0000000000400000-0x00000000006B3000-memory.dmp	upx

C:\Users\Admin\AppData\Local\Temp\skynet_0.3.vir.exe
"C:\Users\Admin\AppData\Local\Temp\skynet_0.3.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2288

C:\Users\Admin\AppData\Local\Temp\skynet_0.3.vir.exe
"C:\Users\Admin\AppData\Local\Temp\skynet_0.3.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe --HiddenServiceDir "C:\Users\Admin\AppData\Roaming\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe (null)
3⤵
PID:3788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe ext "C:\Users\Admin\AppData\Local\Temp\skynet_0.3.vir.exe"
3⤵
PID:3844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2408-0-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/2408-1-0x0000000000402817-mapping.dmp

Download
memory/2408-2-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/3036-6-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3036-3-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3036-4-0x00000000006B0800-mapping.dmp

Download
memory/3036-15-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3036-326-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3036-215-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3036-195-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3036-194-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/3036-11-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3036-193-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3036-13-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3036-14-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/3788-5-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3788-8-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3788-7-0x0000000000407E2E-mapping.dmp

Download
memory/3844-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3844-10-0x000000000041BADD-mapping.dmp

Download
memory/3844-9-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads