9606b7c2a76c2f70134ffba266ff8d1f62df336ed149fe28bb85bf230fa22314

General

Target

unnamed 1_1.0.0.0.vir.exe
Size

682KB
MD5

5e6a19522ec875d8920fb28757e463e9
SHA1

72cb35a09f25aba6a9aca0989058ca0ae7f4b8dd
SHA256

9606b7c2a76c2f70134ffba266ff8d1f62df336ed149fe28bb85bf230fa22314
SHA512

93103fbd1cd59c379e8498b10c31da91f2446254b4d0930889143670f68d0ae3c2ff180c751548ef8909f4db4063c35d2dddb0927e792fbd31d76c400fa609e1

Score

8^/10

persistence

Malware Config

Signatures

Blacklisted process makes network request 61 IoCs

Processes:

msiexec.exe

flow	pid	process
1	1292	msiexec.exe
2	1292	msiexec.exe
3	1292	msiexec.exe
4	1292	msiexec.exe
5	1292	msiexec.exe
6	1292	msiexec.exe
7	1292	msiexec.exe
8	1292	msiexec.exe
9	1292	msiexec.exe
10	1292	msiexec.exe
11	1292	msiexec.exe
12	1292	msiexec.exe
13	1292	msiexec.exe
14	1292	msiexec.exe
15	1292	msiexec.exe
16	1292	msiexec.exe
17	1292	msiexec.exe
18	1292	msiexec.exe
19	1292	msiexec.exe
20	1292	msiexec.exe
21	1292	msiexec.exe
24	1292	msiexec.exe
26	1292	msiexec.exe
27	1292	msiexec.exe
28	1292	msiexec.exe
31	1292	msiexec.exe
32	1292	msiexec.exe
33	1292	msiexec.exe
34	1292	msiexec.exe
35	1292	msiexec.exe
36	1292	msiexec.exe
37	1292	msiexec.exe
38	1292	msiexec.exe
39	1292	msiexec.exe
40	1292	msiexec.exe
41	1292	msiexec.exe
42	1292	msiexec.exe
43	1292	msiexec.exe
44	1292	msiexec.exe
45	1292	msiexec.exe
46	1292	msiexec.exe
47	1292	msiexec.exe
48	1292	msiexec.exe
49	1292	msiexec.exe
50	1292	msiexec.exe
51	1292	msiexec.exe
52	1292	msiexec.exe
53	1292	msiexec.exe
54	1292	msiexec.exe
55	1292	msiexec.exe
56	1292	msiexec.exe
57	1292	msiexec.exe
58	1292	msiexec.exe
59	1292	msiexec.exe
60	1292	msiexec.exe
61	1292	msiexec.exe
62	1292	msiexec.exe
63	1292	msiexec.exe
64	1292	msiexec.exe
65	1292	msiexec.exe
66	1292	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5910 IoCs

Processes:

msiexec.exe

pid	process
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe
1292	msiexec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ilamly = "C:\\Users\\Admin\\AppData\\Roaming\\aepfbfq\\fanio.exe"	msiexec.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 checkip.dyndns.org

flow	ioc
23	checkip.dyndns.org

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

unnamed 1_1.0.0.0.vir.exe

description	pid	process	target process
PID 828 wrote to memory of 1292	828	unnamed 1_1.0.0.0.vir.exe	msiexec.exe
PID 828 wrote to memory of 1292	828	unnamed 1_1.0.0.0.vir.exe	msiexec.exe
PID 828 wrote to memory of 1292	828	unnamed 1_1.0.0.0.vir.exe	msiexec.exe
PID 828 wrote to memory of 1292	828	unnamed 1_1.0.0.0.vir.exe	msiexec.exe
PID 828 wrote to memory of 1292	828	unnamed 1_1.0.0.0.vir.exe	msiexec.exe
PID 828 wrote to memory of 1292	828	unnamed 1_1.0.0.0.vir.exe	msiexec.exe
PID 828 wrote to memory of 1292	828	unnamed 1_1.0.0.0.vir.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

unnamed 1_1.0.0.0.vir.exe

pid process

828 unnamed 1_1.0.0.0.vir.exe
828 unnamed 1_1.0.0.0.vir.exe
Deletes itself 1 IoCs

Processes:

msiexec.exe

pid process

1292 msiexec.exe

pid	process
828	unnamed 1_1.0.0.0.vir.exe
828	unnamed 1_1.0.0.0.vir.exe

C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:828

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe"
2⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Deletes itself
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-0-0x0000000000000000-mapping.dmp

Download
memory/1292-1-0x0000000000E00000-0x0000000000E14000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads