af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8

Analysis

max time kernel
94s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
Size

49KB
MD5

9161fad1e911bad9e15e89de2749eb90
SHA1

64aa054a8c8bdba8d7d4d3afe998d04d566f6e02
SHA256

af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8
SHA512

3c6a422e54174ff0b67c2283d9ee364e04f5f7884e1ebfa168ffed7a86609be62071d99f6ebb44b122901ae92d784bbc1706536e542e370394a2cadfe2c565c6
SSDEEP

1536:ooKo93XfyaW+OOoQQUcOJ1t6GBIvsgajtHE6V:TKo9HnOQHT1t5BIsg0D

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3948	iealore.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4964-132-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4964-136-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Help\iealore.exe	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
4564	taskkill.exe
4204	taskkill.exe
4404	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4564	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	82
PID 4964 wrote to memory of 4564	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	82
PID 4964 wrote to memory of 4564	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	82
PID 4964 wrote to memory of 4204	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	84
PID 4964 wrote to memory of 4204	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	84
PID 4964 wrote to memory of 4204	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	84
PID 4964 wrote to memory of 4404	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	86
PID 4964 wrote to memory of 4404	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	86
PID 4964 wrote to memory of 4404	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	86
PID 4964 wrote to memory of 3948	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	88
PID 4964 wrote to memory of 3948	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	88
PID 4964 wrote to memory of 3948	4964	af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe	88

C:\Users\Admin\AppData\Local\Temp\af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe
"C:\Users\Admin\AppData\Local\Temp\af579ea95a91cdf86f99f66b644eeb61f53039cc569cd2248e532fcdd0cff9d8.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im SkypeClient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\WINDOWS\Help\iealore.exe
  "C:\WINDOWS\Help\iealore.exe"
  2⤵
  - Executes dropped EXE
  PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\iealore.exe

Filesize
13KB

MD5
97ad9b43e6528f377f66f2bc82161456

SHA1
240a1824f44044c6e2b5fca135ff997191dea4bd

SHA256
d4941e18e5b0e7039c4dabb96ce9d73cd710bf8f3a775cbaf1b38921d2ce0fc2

SHA512
b9709f661104ace85a26097fce9579bc6ec779c3899e18b99069273fc920a22271bf3971ed7f49c96ac2afb1bc0cd355e26f729629ae19277cc9c6a5ccc571c0

Download Submit
memory/4964-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4964-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download