af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8

Analysis

max time kernel
94s
max time network
93s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
Size

49KB
MD5

9161fad1e911bad9e15e89de2749eb90
SHA1

64aa054a8c8bdba8d7d4d3afe998d04d566f6e02
SHA256

af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8
SHA512

3c6a422e54174ff0b67c2283d9ee364e04f5f7884e1ebfa168ffed7a86609be62071d99f6ebb44b122901ae92d784bbc1706536e542e370394a2cadfe2c565c6
SSDEEP

1536:ooKo93XfyaW+OOoQQUcOJ1t6GBIvsgajtHE6V:TKo9HnOQHT1t5BIsg0D

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1488	iealore.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1508-55-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Help\iealore.exe	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 5 IoCs

evasion

pid	Process
1588	taskkill.exe
592	taskkill.exe
1772	taskkill.exe
364	taskkill.exe
1660	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	592	taskkill.exe
Token: SeDebugPrivilege	364	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1488	iealore.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1588	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	26
PID 1508 wrote to memory of 1588	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	26
PID 1508 wrote to memory of 1588	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	26
PID 1508 wrote to memory of 1588	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	26
PID 1508 wrote to memory of 592	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	28
PID 1508 wrote to memory of 592	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	28
PID 1508 wrote to memory of 592	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	28
PID 1508 wrote to memory of 592	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	28
PID 1508 wrote to memory of 1772	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	30
PID 1508 wrote to memory of 1772	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	30
PID 1508 wrote to memory of 1772	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	30
PID 1508 wrote to memory of 1772	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	30
PID 1508 wrote to memory of 1488	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	33
PID 1508 wrote to memory of 1488	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	33
PID 1508 wrote to memory of 1488	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	33
PID 1508 wrote to memory of 1488	1508	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	33
PID 1488 wrote to memory of 1124	1488	iealore.exe	34
PID 1488 wrote to memory of 1124	1488	iealore.exe	34
PID 1488 wrote to memory of 1124	1488	iealore.exe	34
PID 1488 wrote to memory of 1124	1488	iealore.exe	34
PID 1488 wrote to memory of 1624	1488	iealore.exe	35
PID 1488 wrote to memory of 1624	1488	iealore.exe	35
PID 1488 wrote to memory of 1624	1488	iealore.exe	35
PID 1488 wrote to memory of 1624	1488	iealore.exe	35
PID 1488 wrote to memory of 364	1488	iealore.exe	37
PID 1488 wrote to memory of 364	1488	iealore.exe	37
PID 1488 wrote to memory of 364	1488	iealore.exe	37
PID 1488 wrote to memory of 364	1488	iealore.exe	37
PID 1488 wrote to memory of 1660	1488	iealore.exe	38
PID 1488 wrote to memory of 1660	1488	iealore.exe	38
PID 1488 wrote to memory of 1660	1488	iealore.exe	38
PID 1488 wrote to memory of 1660	1488	iealore.exe	38
PID 1624 wrote to memory of 1620	1624	cmd.exe	43
PID 1624 wrote to memory of 1620	1624	cmd.exe	43
PID 1624 wrote to memory of 1620	1624	cmd.exe	43
PID 1624 wrote to memory of 1620	1624	cmd.exe	43
PID 1124 wrote to memory of 1828	1124	cmd.exe	42
PID 1124 wrote to memory of 1828	1124	cmd.exe	42
PID 1124 wrote to memory of 1828	1124	cmd.exe	42
PID 1124 wrote to memory of 1828	1124	cmd.exe	42
PID 1828 wrote to memory of 1956	1828	net.exe	45
PID 1828 wrote to memory of 1956	1828	net.exe	45
PID 1828 wrote to memory of 1956	1828	net.exe	45
PID 1828 wrote to memory of 1956	1828	net.exe	45
PID 1620 wrote to memory of 280	1620	net.exe	44
PID 1620 wrote to memory of 280	1620	net.exe	44
PID 1620 wrote to memory of 280	1620	net.exe	44
PID 1620 wrote to memory of 280	1620	net.exe	44

C:\Users\Admin\AppData\Local\Temp\af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
"C:\Users\Admin\AppData\Local\Temp\af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im SkypeClient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\WINDOWS\Help\iealore.exe
  "C:\WINDOWS\Help\iealore.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net stop KAVStart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\net.exe
      net stop KAVStart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KAVStart
        5⤵
        
        PID:280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 360Safe.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 360tray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\iealore.exe

Filesize
13KB

MD5
97ad9b43e6528f377f66f2bc82161456

SHA1
240a1824f44044c6e2b5fca135ff997191dea4bd

SHA256
d4941e18e5b0e7039c4dabb96ce9d73cd710bf8f3a775cbaf1b38921d2ce0fc2

SHA512
b9709f661104ace85a26097fce9579bc6ec779c3899e18b99069273fc920a22271bf3971ed7f49c96ac2afb1bc0cd355e26f729629ae19277cc9c6a5ccc571c0

Download Submit
\Windows\Help\iealore.exe

Filesize
13KB

MD5
97ad9b43e6528f377f66f2bc82161456

SHA1
240a1824f44044c6e2b5fca135ff997191dea4bd

SHA256
d4941e18e5b0e7039c4dabb96ce9d73cd710bf8f3a775cbaf1b38921d2ce0fc2

SHA512
b9709f661104ace85a26097fce9579bc6ec779c3899e18b99069273fc920a22271bf3971ed7f49c96ac2afb1bc0cd355e26f729629ae19277cc9c6a5ccc571c0

Download Submit
\Windows\Help\iealore.exe

Filesize
13KB

MD5
97ad9b43e6528f377f66f2bc82161456

SHA1
240a1824f44044c6e2b5fca135ff997191dea4bd

SHA256
d4941e18e5b0e7039c4dabb96ce9d73cd710bf8f3a775cbaf1b38921d2ce0fc2

SHA512
b9709f661104ace85a26097fce9579bc6ec779c3899e18b99069273fc920a22271bf3971ed7f49c96ac2afb1bc0cd355e26f729629ae19277cc9c6a5ccc571c0

Download Submit
memory/1508-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download