Analysis

max time kernel: 150s
max time network: 135s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:51

Static task: static1

Behavioral task: behavioral1
Sample: unnamed 1_1.0.0.0.vir.exe
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: unnamed 1_1.0.0.0.vir.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General

Target: unnamed 1_1.0.0.0.vir.exe
Size: 682KB
MD5: 5e6a19522ec875d8920fb28757e463e9
SHA1: 72cb35a09f25aba6a9aca0989058ca0ae7f4b8dd
SHA256: 9606b7c2a76c2f70134ffba266ff8d1f62df336ed149fe28bb85bf230fa22314
SHA512: 93103fbd1cd59c379e8498b10c31da91f2446254b4d0930889143670f68d0ae3c2ff180c751548ef8909f4db4063c35d2dddb0927e792fbd31d76c400fa609e1
Score: 8/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  msiexec.exe
    Key created:     \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Akwaaci = "C:\\Users\\Admin\\AppData\\Roaming\\dsj\\onno.exe"
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      pid  process                    target process
  PID 720 wrote to memory of 1232  720  unnamed 1_1.0.0.0.vir.exe  msiexec.exe
  (the same row is recorded 3 times)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid  process
  720  unnamed 1_1.0.0.0.vir.exe
  (the same row is recorded 2 times)
Deletes itself (1 IoC)
Processes:
  pid   process
  1232  msiexec.exe
Blacklisted process makes network request (61 IoCs)
Processes:
  flow                                            pid   process
  2-4, 6-16, 18-24, 27-30, 38-54, 56-74 (61 flows)  1232  msiexec.exe
Suspicious behavior: EnumeratesProcesses (39426 IoCs)
Processes:
  pid   process
  1232  msiexec.exe
  (every listed entry is pid 1232 msiexec.exe; the report shows only the first page of the 39426 entries)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  26    checkip.dyndns.org
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe (PID 720)
  command line: "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection

  Level 2: C:\Windows\SysWOW64\msiexec.exe (PID 1232, child of PID 720)
    command line: msiexec.exe "C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe"
    - Adds Run key to start application
    - Deletes itself
    - Blacklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses

Note: msiexec.exe is started with the dropper's own path as its only argument rather than an .msi package, and the parent's WriteProcessMemory and MapViewOfSection hits target that child. All later behaviour in the report (the Run value under the user hive, the self-deletion, the checkip.dyndns.org lookup and the 61 network flows) is attributed to PID 1232, not to the dropper, so detections keyed on the original file name or hash alone will miss the post-injection activity.
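The signature hits and the process tree above describe a single chain: the dropper (PID 720) writes into a freshly spawned msiexec.exe (PID 1232), which then sets a Run value pointing into AppData, queries checkip.dyndns.org and makes a burst of outbound connections. The Python block below is an added example, not part of the sandbox report, that turns those observations into host-telemetry checks and runs them over constructed Sysmon-style events (IDs 1 ProcessCreate, 3 NetworkConnect, 10 ProcessAccess, 13 RegistryValueSet, 22 DnsQuery) mirroring the report. The dropper's parent, the destination addresses, the granted-access mask, the `MSIEXEC_NETWORK_THRESHOLD` tuning value and the list of IP-check hosts beyond checkip.dyndns.org are assumptions, and the "benign" install used as a control is invented.

```python
"""Detection checks for the msiexec.exe injection chain in this report, run
over constructed Sysmon-style events (hypothetical telemetry, not the
sandbox's raw data)."""
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\unnamed 1_1.0.0.0.vir.exe"
MSIEXEC = r"C:\Windows\SysWOW64\msiexec.exe"
SID = "S-1-5-21-2066881839-3229799743-3576549721-1000"

RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"
# checkip.dyndns.org is from the report; the others are commonly abused lookup hosts (assumption).
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org", "ifconfig.me"}
# PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the rights WriteProcessMemory needs on a foreign handle.
VM_WRITE_RIGHTS = 0x0008 | 0x0020
MSIEXEC_NETWORK_THRESHOLD = 10  # assumed tuning value, not from the report

# Constructed events mirroring the report (explorer.exe as the dropper's parent,
# 0x1FFFFF as the granted mask and 203.0.113.x destinations are placeholders).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 720, "image": DROPPER, "cmdline": f'"{DROPPER}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 1232, "image": MSIEXEC, "cmdline": f'msiexec.exe "{DROPPER}"',
     "parent_image": DROPPER},
    {"id": 10, "source_pid": 720, "target_pid": 1232, "granted_access": "0x1FFFFF"},
    {"id": 13, "pid": 1232, "image": MSIEXEC,
     "target_object": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Akwaaci",
     "details": r"C:\Users\Admin\AppData\Roaming\dsj\onno.exe"},
    {"id": 22, "pid": 1232, "image": MSIEXEC, "query": "checkip.dyndns.org"},
] + [{"id": 3, "pid": 1232, "image": MSIEXEC, "dst": f"203.0.113.{n}"} for n in range(1, 62)]

# Invented control: an ordinary package install launched from Explorer.
BENIGN_EVENTS = [
    {"id": 1, "pid": 900, "image": MSIEXEC,
     "cmdline": r'msiexec.exe /i "C:\Users\Admin\Downloads\setup.msi"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 900, "image": MSIEXEC, "dst": "203.0.113.200"},
]


def is_msiexec(image):
    return image.lower().endswith("\\msiexec.exe")


def anomalous_msiexec_launch(ev):
    """msiexec.exe started by a process under \\Users\\ with no .msi/.msp on the
    command line. A real install names a package; here the only argument is the
    parent's own .exe, which is what the hollowed host in the report looks like."""
    if ev["id"] != 1 or not is_msiexec(ev["image"]):
        return False
    cmd = ev["cmdline"].lower()
    has_package = ".msi" in cmd or ".msp" in cmd
    user_parent = "\\users\\" in ev["parent_image"].lower()
    return user_parent and not has_package


def cross_process_write(ev):
    """ProcessAccess (ID 10) where a different process obtains VM write rights."""
    if ev["id"] != 10 or ev["source_pid"] == ev["target_pid"]:
        return False
    return (int(ev["granted_access"], 16) & VM_WRITE_RIGHTS) == VM_WRITE_RIGHTS


def run_key_to_user_dir(ev):
    """Run value (ID 13) whose data points into the user's profile."""
    if ev["id"] != 13 or RUN_KEY_MARKER not in ev["target_object"].lower():
        return False
    data = ev["details"].lower()
    return "\\appdata\\" in data or "\\temp\\" in data


def ip_check_lookup(ev):
    """DNS query (ID 22) for a public IP-discovery service."""
    return ev["id"] == 22 and ev["query"].lower() in IP_CHECK_HOSTS


def analyze(events):
    """Return {pid: sorted rule names}. Network volume is counted per msiexec.exe
    PID and only reported once it crosses the threshold."""
    findings = defaultdict(set)
    conns = defaultdict(int)
    for ev in events:
        if anomalous_msiexec_launch(ev):
            findings[ev["pid"]].add("msiexec_anomalous_launch")
        if cross_process_write(ev):
            findings[ev["source_pid"]].add("cross_process_write")
        if run_key_to_user_dir(ev):
            findings[ev["pid"]].add("run_key_persistence")
        if ip_check_lookup(ev):
            findings[ev["pid"]].add("ip_check_lookup")
        if ev["id"] == 3 and is_msiexec(ev["image"]):
            conns[ev["pid"]] += 1
    for pid, n in conns.items():
        if n >= MSIEXEC_NETWORK_THRESHOLD:
            findings[pid].add("msiexec_network_beaconing")
    return {pid: sorted(rules) for pid, rules in findings.items()}


if __name__ == "__main__":
    for pid, rules in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

The injection itself is attributed to the dropper's PID (the source of the ProcessAccess event), while persistence, the IP lookup and the connection burst land on PID 1232, matching how the report splits its signatures between the two processes. The control install is not flagged by any rule, since it names a package and its parent is not under a user-writable path; tune `MSIEXEC_NETWORK_THRESHOLD` against your own baseline, because msiexec.exe legitimately fetches packages during some installs.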