1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451

Analysis

max time kernel
123s
max time network
119s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe
Size

506KB
MD5

9f2eb04e92a19b2dbb3a351f229f0795
SHA1

c2aeb031c54c7c5c889d2666778afe9971348315
SHA256

1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451
SHA512

3f2078057e8bd9220ad15877327ad89ebed2e6fcfbd6b3b39438bd0015d3ef768d89e7540491bcbff3fd54adb16393c24eb2194a3f51c092e8ab7c1c97cc5a1d
SSDEEP

12288:ZzYwKuEYUhoMO+xxmYrkwDDV69J/LGqnfBFun5C5fP7ZWToUvJF:1sZYUhoM/LmKo/fnfBFACiPL

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1176	irsy.exe
724	irsy.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/832-66-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/files/0x00090000000122dc-71.dat	upx
behavioral1/files/0x00090000000122dc-73.dat	upx
behavioral1/files/0x00090000000122dc-75.dat	upx
behavioral1/memory/1176-89-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/files/0x00090000000122dc-87.dat	upx

Deletes itself 1 IoCs

pid	Process
1788	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/832-66-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe
behavioral1/memory/1176-89-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 832 set thread context of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 1176 set thread context of 724	1176	irsy.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\28DD0F78-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
724	irsy.exe
724	irsy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe
Token: SeManageVolumePrivilege	1756	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1756	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1756	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1756	WinMail.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 832 wrote to memory of 1240	832	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	28
PID 1240 wrote to memory of 1176	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	29
PID 1240 wrote to memory of 1176	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	29
PID 1240 wrote to memory of 1176	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	29
PID 1240 wrote to memory of 1176	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	29
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1176 wrote to memory of 724	1176	irsy.exe	30
PID 1240 wrote to memory of 1788	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	31
PID 1240 wrote to memory of 1788	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	31
PID 1240 wrote to memory of 1788	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	31
PID 1240 wrote to memory of 1788	1240	1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe	31
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 724 wrote to memory of 572	724	irsy.exe	33
PID 572 wrote to memory of 1208	572	explorer.exe	17
PID 572 wrote to memory of 1208	572	explorer.exe	17
PID 572 wrote to memory of 1208	572	explorer.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe
  "C:\Users\Admin\AppData\Local\Temp\1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe
    "C:\Users\Admin\AppData\Local\Temp\1607268ef2fa78fbf22c9d504a0add52ffe84acbba6a10c0c53b90e70fc26451.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Users\Admin\AppData\Roaming\Ezegpo\irsy.exe
      "C:\Users\Admin\AppData\Roaming\Ezegpo\irsy.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Users\Admin\AppData\Roaming\Ezegpo\irsy.exe
        
        "C:\Users\Admin\AppData\Roaming\Ezegpo\irsy.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:724
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3f0a46e9.bat"
      4⤵
      Deletes itself
      PID:1788

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cva26r2T3dAD3qr66SAS7844U0W6K6XTQ9

Filesize
164KB

MD5
a8fb9a340407f57b0c1f110c02718ed9

SHA1
d2b5f0aeaa5566e92b905b5d74ecd5bc5606201e

SHA256
cc7bb2e97ba52eeafdc4d118b763c9f048492d20141728f7a8da1f8af4f6c0e9

SHA512
8388b7bda61614a14e9019cfaf01d61d7b4ab8748fcd8b9cbe7e38ad6dbddaff8e00fe37131d0aaf3c120febb930da0ffd1f9468612503685d48dd98ea98737f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3f0a46e9.bat

Filesize
307B

MD5
d51bebf61048e4eb4adff0b4b09f38a1

SHA1
5dce46d3c208c97ca6fe6d57d862f37b9f231650

SHA256
a42de4930ccb869203a6f89a04c5f9a443255876c08d876a9a17b50b198ab6f8

SHA512
7e0e231dec5a8bbc6ccda22af546ba8c46959b729140886d17e7190322d1e55e3de09d9911796a6aa2ca0ed2f2c8d483f1a7d5918652ac3aadde11c825ad48ad

Download Submit
C:\Users\Admin\AppData\Roaming\Ezegpo\irsy.exe

Filesize
506KB

MD5
ea2eb5981de4628eaea262ac45166bac

SHA1
590936f4e5252dd1dc319b7bd8439a1879f6be43

SHA256
c5041e53406fcd3f84086a5fd9ab9fde3a76fa6e405ec07fa13162421e769556

SHA512
4a77b60777d442f23a8f4c9c35e7e00cfd2e059b0b1fc00c6369ff4624e84f8cec2473917d9878ce6f564aeac6dc343206cd02e591b0cc6281b024717aa9e3c7

Download Submit
C:\Users\Admin\AppData\Roaming\Ezegpo\irsy.exe

Filesize
506KB

MD5
ea2eb5981de4628eaea262ac45166bac

SHA1
590936f4e5252dd1dc319b7bd8439a1879f6be43

SHA256
c5041e53406fcd3f84086a5fd9ab9fde3a76fa6e405ec07fa13162421e769556

SHA512
4a77b60777d442f23a8f4c9c35e7e00cfd2e059b0b1fc00c6369ff4624e84f8cec2473917d9878ce6f564aeac6dc343206cd02e591b0cc6281b024717aa9e3c7

Download Submit
C:\Users\Admin\AppData\Roaming\Ezegpo\irsy.exe

Filesize
506KB

MD5
ea2eb5981de4628eaea262ac45166bac

SHA1
590936f4e5252dd1dc319b7bd8439a1879f6be43

SHA256
c5041e53406fcd3f84086a5fd9ab9fde3a76fa6e405ec07fa13162421e769556

SHA512
4a77b60777d442f23a8f4c9c35e7e00cfd2e059b0b1fc00c6369ff4624e84f8cec2473917d9878ce6f564aeac6dc343206cd02e591b0cc6281b024717aa9e3c7

Download Submit
\Users\Admin\AppData\Roaming\Ezegpo\irsy.exe

Filesize
506KB

MD5
ea2eb5981de4628eaea262ac45166bac

SHA1
590936f4e5252dd1dc319b7bd8439a1879f6be43

SHA256
c5041e53406fcd3f84086a5fd9ab9fde3a76fa6e405ec07fa13162421e769556

SHA512
4a77b60777d442f23a8f4c9c35e7e00cfd2e059b0b1fc00c6369ff4624e84f8cec2473917d9878ce6f564aeac6dc343206cd02e591b0cc6281b024717aa9e3c7

Download Submit
memory/572-105-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/572-120-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/572-122-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/572-102-0x0000000000000000-mapping.dmp

Download
memory/572-97-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/572-98-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/572-100-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/572-101-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/572-99-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/724-104-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/724-121-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/724-86-0x0000000000405DC9-mapping.dmp

Download
memory/832-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/832-66-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1176-89-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1176-72-0x0000000000000000-mapping.dmp

Download
memory/1240-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-64-0x0000000000405DC9-mapping.dmp

Download
memory/1240-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-93-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-56-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1756-108-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/1756-114-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/1756-107-0x000007FEF6CC1000-0x000007FEF6CC3000-memory.dmp

Filesize
8KB

Download
memory/1756-106-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/1788-92-0x0000000000000000-mapping.dmp

Download