c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-10-2022 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4.exe
Size

18.8MB
MD5

10857ae18a0368349feae6108f2b94f3
SHA1

e91f1dc88c02234cd13f31eb64cdd328011ccfb6
SHA256

c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4
SHA512

aaf209b55a6a5e8e1495472b392207a9f4f98c88020c59ccf8a22ded9a64c492e6c793a7f966ce18ebfc6acaa6328987dd1fad89af7d27e7f0dbd49262c33187
SSDEEP

393216:PyS8wkfRT+NSReR1CY9irDI/LcAZ5H2dDERRHx/LB6YeFgCzm:qqkpTVReRcU0I/gA/OEjRF6RgCzm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1000	iesetup.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	cmd.exe
1000	iesetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ie8_main.log	iesetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1988	1116	c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4.exe	28
PID 1116 wrote to memory of 1988	1116	c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4.exe	28
PID 1116 wrote to memory of 1988	1116	c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4.exe	28
PID 1116 wrote to memory of 1988	1116	c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4.exe	28
PID 1988 wrote to memory of 1000	1988	cmd.exe	30
PID 1988 wrote to memory of 1000	1988	cmd.exe	30
PID 1988 wrote to memory of 1000	1988	cmd.exe	30
PID 1988 wrote to memory of 1000	1988	cmd.exe	30
PID 1988 wrote to memory of 1000	1988	cmd.exe	30
PID 1988 wrote to memory of 1000	1988	cmd.exe	30
PID 1988 wrote to memory of 1000	1988	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4.exe
"C:\Users\Admin\AppData\Local\Temp\c7840ec98233bbac0cc53755bfa5310f54fb2e6a15893cdd5d4579777548c3e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\iesetup.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\\ie\update\iesetup.exe /passive /norestart /update-no
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\ie8.cat

Filesize
46KB

MD5
bd9ec62d524e8521bd9aab9b65eea7d9

SHA1
ca867a5804beeb52e031dee70a935711cfaf190f

SHA256
c355c8698f012a6d2464d81e1304d08862280aadf3ac7d63bffc8abcd876cb33

SHA512
7f59a111dc9e20cea7b7aa70f6f7ae07d3dd6f49a350f3979111ece3e7efbd8b47a011cb76baa46c5b63a335a0db34d41cfb6c4b5316976f3cedf574514ea9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\iecustom.dll

Filesize
56KB

MD5
d2b1e4ded51789fe5a0b708e27240d14

SHA1
5de2824834f87042fe5895e8cffd50c317e187a3

SHA256
8aa8384a2a7db73187f9cc5161d4b632cf87ce096c6219387dcbc883fb354ae3

SHA512
cfa922650c88190757d6654cd2325b7a3e42c8b8adb1c5ae86c1ea120d8ec0e71681810bd015b2552d8bdbb309573557aefc8a128606aca217a684a3c1d1a4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\iesetup.exe

Filesize
1.0MB

MD5
1a13ba3ecd70796e8a0d3865754e56c1

SHA1
393cfa3d40f12ed5191e30e2f0cb7efb3e51fd7f

SHA256
27fb50c5f5926bf63baa5bbfb9469eaa2b1127c3cac0e8ac98d6a8caa6ea2e74

SHA512
2908879a9fbdf2ada28f287adbe4d6fd4226363f1f30f9fa724e26cb06608520f7e99b8c1eaa844f9a71c8dc4e2e50aac3981b9f7d5930769c858684026ff742

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\iesetup.exe

Filesize
1.0MB

MD5
1a13ba3ecd70796e8a0d3865754e56c1

SHA1
393cfa3d40f12ed5191e30e2f0cb7efb3e51fd7f

SHA256
27fb50c5f5926bf63baa5bbfb9469eaa2b1127c3cac0e8ac98d6a8caa6ea2e74

SHA512
2908879a9fbdf2ada28f287adbe4d6fd4226363f1f30f9fa724e26cb06608520f7e99b8c1eaa844f9a71c8dc4e2e50aac3981b9f7d5930769c858684026ff742

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\sqmapi.dll

Filesize
138KB

MD5
70af11571afa59b91d19e2637f380f7d

SHA1
e687ef6c179933d3ad8d70af284af534a9e37a52

SHA256
70951a28b692d1fdba84b1826c08e80e84ce5bf27e743a362c26a8e2ff9adde8

SHA512
21cb7d66b6392a49b8f8878d3de425928f045a722909e89c9a4e406f627a7ec44b988bf1d9bbaafdf271d1446353294b186d9a91445bc1bf33977ae5c75de03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\update.exe

Filesize
712KB

MD5
4599ad83996082516ffe0ae50c648805

SHA1
686621d0a0c3a3478a967c555a17d012ec4bf60d

SHA256
863ca400fc95c48e2cefaa95acf32b30e6f5bc8e5c553eb0932c2001ec5b060b

SHA512
306b0718ac67a5513111fe217a10909193ea711c47cb6a8debdc61d4aa3435e6f269e3c8b0ed3c9f8e97f0a73304fb4f42521b84c59cf3dae24864f07f0441af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
1KB

MD5
3e5e66663bb128e17fb3f72518d5b465

SHA1
1c2260e3053290cff8ff3e9df8f983466a2e9b52

SHA256
9a128d31260b29e0e63de9157236c8aa7307889903de0a7243e2fb4ffe8eea11

SHA512
c623e218dcf6f755399777ed288cdb3663ad390e01869ba29196757a09a60ecc0c862b3ec508dcade13661a028ffb867198e4a8125b3c466d04d1f913793c5ff

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\iesetup.exe

Filesize
1.0MB

MD5
1a13ba3ecd70796e8a0d3865754e56c1

SHA1
393cfa3d40f12ed5191e30e2f0cb7efb3e51fd7f

SHA256
27fb50c5f5926bf63baa5bbfb9469eaa2b1127c3cac0e8ac98d6a8caa6ea2e74

SHA512
2908879a9fbdf2ada28f287adbe4d6fd4226363f1f30f9fa724e26cb06608520f7e99b8c1eaa844f9a71c8dc4e2e50aac3981b9f7d5930769c858684026ff742

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ie\update\sqmapi.dll

Filesize
138KB

MD5
70af11571afa59b91d19e2637f380f7d

SHA1
e687ef6c179933d3ad8d70af284af534a9e37a52

SHA256
70951a28b692d1fdba84b1826c08e80e84ce5bf27e743a362c26a8e2ff9adde8

SHA512
21cb7d66b6392a49b8f8878d3de425928f045a722909e89c9a4e406f627a7ec44b988bf1d9bbaafdf271d1446353294b186d9a91445bc1bf33977ae5c75de03b

Download Submit
memory/1116-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download