0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d

Analysis

max time kernel
39s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe
Size

922KB
MD5

a0ee9999c0a28a71f757f240a409e120
SHA1

b92cce27db72d8367cd48dc375a09a4323c000c8
SHA256

0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d
SHA512

5cea6779f891870a3de0f5933eae675fb9b002024a8a4598f58d83ee4ea8493020ef6559f631ddadc5f5153567bc7caebc18ffa00287444032f5cb43194633be
SSDEEP

12288:2vfyIIIzAClE7uDOch+h2ul/mJoDA4zubJzUWiXblUUGFUSrb+afySvEFRMEWEg:ysSzlEqF+hVcODMz8XblU1FzfyAE0

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000149b7-65.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
960	irsetup.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000014544-55.dat	upx
behavioral1/files/0x0008000000014544-57.dat	upx
behavioral1/files/0x0008000000014544-60.dat	upx
behavioral1/files/0x0008000000014544-59.dat	upx
behavioral1/files/0x0008000000014544-61.dat	upx
behavioral1/files/0x0008000000014544-62.dat	upx
behavioral1/memory/960-64-0x0000000000400000-0x0000000000527000-memory.dmp	upx
behavioral1/memory/960-68-0x0000000000400000-0x0000000000527000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
548	0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe
960	irsetup.exe
960	irsetup.exe
960	irsetup.exe
960	irsetup.exe
960	irsetup.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sendemail.dll	irsetup.exe
File created	C:\Windows\SysWOW64\sendemail.dll	irsetup.exe
File opened for modification	C:\Windows\SysWOW64\scvhost.exe	irsetup.exe
File created	C:\Windows\SysWOW64\scvhost.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\TypeLib	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\TypeLib\ = "{EA1C80A8-350A-4905-855B-41FE1A252E52}"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender.2\CLSID\ = "{469F124F-C01C-4B01-A388-66386E7FA41D}"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\InprocServer32\ThreadingModel = "Apartment"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0\ = "SendEmail - by Eng. Usama El-Mokadem"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\VersionIndependentProgID	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\Programmable	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\InprocServer32\ = "C:\\Windows\\SysWow64\\sendemail.dll"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\TypeLib\ = "{EA1C80A8-350A-4905-855B-41FE1A252E52}"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender.2	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender.2\CLSID	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender\ = "Sender Class"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\TypeLib	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\ProxyStubClsid32	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\InprocServer32	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0\0	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0\HELPDIR	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\ProgID\ = "SendMail.Sender.2"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\TypeLib\Version = "1.0"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender\CLSID	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender\CurVer\ = "SendMail.Sender.2"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\ = "Sender Class"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\TypeLib\Version = "1.0"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\sendemail.dll"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\ = "ISender"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender.2\ = "Sender Class"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender\CurVer	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\TypeLib\ = "{EA1C80A8-350A-4905-855B-41FE1A252E52}"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0\FLAGS	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\ProxyStubClsid32	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\TypeLib	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0\FLAGS\ = "0"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B6AE8420-23F6-41BD-84E4-9C347378FC9D}\ = "ISender"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SendMail.Sender\CLSID\ = "{469F124F-C01C-4B01-A388-66386E7FA41D}"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\ProgID	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{469F124F-C01C-4B01-A388-66386E7FA41D}\VersionIndependentProgID\ = "SendMail.Sender"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA1C80A8-350A-4905-855B-41FE1A252E52}\1.0\0\win32	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
960	irsetup.exe
960	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 960	548	0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe	27
PID 548 wrote to memory of 960	548	0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe	27
PID 548 wrote to memory of 960	548	0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe	27
PID 548 wrote to memory of 960	548	0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe	27
PID 548 wrote to memory of 960	548	0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe	27
PID 548 wrote to memory of 960	548	0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe	27
PID 548 wrote to memory of 960	548	0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe	27

C:\Users\Admin\AppData\Local\Temp\0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe
"C:\Users\Admin\AppData\Local\Temp\0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
  __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\0e93e61e0b156fd756fe4e664c5fe6bc3dadbc604caec5c7d847876df5c9048d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
\Windows\SysWOW64\scvhost.exe

Filesize
64KB

MD5
6e00c90c8044474a98ec6da4beb71043

SHA1
1d61241bd9f0eae133b357d120f2de82fc3a5cb5

SHA256
a036fb9a55ac97064f9ba5780b8027553c0b1c2d852e5b4104e1b7ab98fca1df

SHA512
c524d8704dfddde27732a147b72dd54c36ec96e6bed04349d9b1f2ce47e16d230127eac348997b162f7fa4d7b3e7f1fd0591d80380bf1d031827ef657c031be2

Download Submit
\Windows\SysWOW64\sendemail.dll

Filesize
302KB

MD5
6af5491540b35ea502aadde3a358e2c9

SHA1
8f7ae2112f2f4c6af52c7d5f1f44cb228ccef4d1

SHA256
649519a892e42f41e10a668138b2cd8fa9fee0c277e447a91fcbc0e2743d504b

SHA512
4d19475f87edfa0e14996eb944d57967bd5007f017b41d89dee6e7f8d836ec24b3fde5cf22659e6dc7af3b7ae4cab330d5f1645fb3ac3a9c35d59d0c700f9b0b

Download Submit
memory/548-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/548-63-0x0000000001F80000-0x00000000020A7000-memory.dmp

Filesize
1.2MB

Download
memory/960-64-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/960-66-0x00000000009C0000-0x0000000000AE7000-memory.dmp

Filesize
1.2MB

Download
memory/960-68-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download