Analysis
max time kernel: 151s
max time network: 131s
platform: windows7_x64
resource: win7v200430
submitted: 19-07-2020 19:51
Static task: static1

Behavioral task: behavioral1
Sample: unnamed 1_1.0.0.0.vir.exe
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: unnamed 1_1.0.0.0.vir.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: unnamed 1_1.0.0.0.vir.exe
Size: 682KB
MD5: 5e6a19522ec875d8920fb28757e463e9
SHA1: 72cb35a09f25aba6a9aca0989058ca0ae7f4b8dd
SHA256: 9606b7c2a76c2f70134ffba266ff8d1f62df336ed149fe28bb85bf230fa22314
SHA512: 93103fbd1cd59c379e8498b10c31da91f2446254b4d0930889143670f68d0ae3c2ff180c751548ef8909f4db4063c35d2dddb0927e792fbd31d76c400fa609e1
Score: 8/10
Malware Config
Signatures
Blacklisted process makes network request (61 IoCs)
Processes:
flow                    | pid  | process
1-21, 24, 26-28, 31-66  | 1292 | msiexec.exe
Suspicious behavior: EnumeratesProcesses (5910 IoCs)
Processes:
pid  | process
1292 | msiexec.exe (same row repeated for every recorded IoC)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description     | ioc                                                                                                                                                                  | process
Key created     | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                           | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ilamly = "C:\\Users\\Admin\\AppData\\Roaming\\aepfbfq\\fanio.exe" | msiexec.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
23   | checkip.dyndns.org
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                     | pid | process                   | target process
PID 828 wrote to memory of 1292 | 828 | unnamed 1_1.0.0.0.vir.exe | msiexec.exe (row repeated 7 times)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
pid | process
828 | unnamed 1_1.0.0.0.vir.exe (row repeated 2 times)
Deletes itself (1 IoCs)
Processes:
pid  | process
1292 | msiexec.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   2. C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe"
      - Blacklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
      - Deletes itself