e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e

Analysis

max time kernel
46s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe
Size

73KB
MD5

8cd03e458c250abf34356371ccaa2a02
SHA1

f889d8276648c83b846ef67867d85f7cd028d7cf
SHA256

e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e
SHA512

c721f1c2d463baa637a4417686e98a7982268f754c44dbc783e8f9a30a06eda0936027ade0e667acb941e30a5ccfb19aa8c4b4f84abc8ab78b665bfbfaffb8ce
SSDEEP

1536:9xsX0F6Cusc+X79aau64DUDLrfiK+OKVeuWkE5BnoCg+fU2:cX0qscwduiLmBVE5tFXU2

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1340	IEXPL0RE.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1364	attrib.exe

Deletes itself 1 IoCs

pid	Process
1352	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1352	cmd.exe
1352	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web\IEXPL0RE.exe	cmd.exe
File opened for modification	C:\Windows\Web\IEXPL0RE.exe	attrib.exe
File created	C:\Windows\Web\705.5475.bat	e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe
File created	C:\Windows\Web\IEXPL0RE.exe	cmd.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1816	taskkill.exe
1668	taskkill.exe
1596	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1820	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1688	e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe
1340	IEXPL0RE.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1352	1688	e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe	29
PID 1688 wrote to memory of 1352	1688	e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe	29
PID 1688 wrote to memory of 1352	1688	e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe	29
PID 1688 wrote to memory of 1352	1688	e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe	29
PID 1352 wrote to memory of 1820	1352	cmd.exe	30
PID 1352 wrote to memory of 1820	1352	cmd.exe	30
PID 1352 wrote to memory of 1820	1352	cmd.exe	30
PID 1352 wrote to memory of 1820	1352	cmd.exe	30
PID 1352 wrote to memory of 1364	1352	cmd.exe	31
PID 1352 wrote to memory of 1364	1352	cmd.exe	31
PID 1352 wrote to memory of 1364	1352	cmd.exe	31
PID 1352 wrote to memory of 1364	1352	cmd.exe	31
PID 1352 wrote to memory of 1340	1352	cmd.exe	32
PID 1352 wrote to memory of 1340	1352	cmd.exe	32
PID 1352 wrote to memory of 1340	1352	cmd.exe	32
PID 1352 wrote to memory of 1340	1352	cmd.exe	32
PID 1340 wrote to memory of 1796	1340	IEXPL0RE.exe	33
PID 1340 wrote to memory of 1796	1340	IEXPL0RE.exe	33
PID 1340 wrote to memory of 1796	1340	IEXPL0RE.exe	33
PID 1340 wrote to memory of 1796	1340	IEXPL0RE.exe	33
PID 1340 wrote to memory of 676	1340	IEXPL0RE.exe	35
PID 1340 wrote to memory of 676	1340	IEXPL0RE.exe	35
PID 1340 wrote to memory of 676	1340	IEXPL0RE.exe	35
PID 1340 wrote to memory of 676	1340	IEXPL0RE.exe	35
PID 1340 wrote to memory of 1852	1340	IEXPL0RE.exe	38
PID 1340 wrote to memory of 1852	1340	IEXPL0RE.exe	38
PID 1340 wrote to memory of 1852	1340	IEXPL0RE.exe	38
PID 1340 wrote to memory of 1852	1340	IEXPL0RE.exe	38
PID 1796 wrote to memory of 1816	1796	cmd.exe	39
PID 1796 wrote to memory of 1816	1796	cmd.exe	39
PID 1796 wrote to memory of 1816	1796	cmd.exe	39
PID 1796 wrote to memory of 1816	1796	cmd.exe	39
PID 676 wrote to memory of 1668	676	cmd.exe	40
PID 676 wrote to memory of 1668	676	cmd.exe	40
PID 676 wrote to memory of 1668	676	cmd.exe	40
PID 676 wrote to memory of 1668	676	cmd.exe	40
PID 1852 wrote to memory of 1596	1852	cmd.exe	41
PID 1852 wrote to memory of 1596	1852	cmd.exe	41
PID 1852 wrote to memory of 1596	1852	cmd.exe	41
PID 1852 wrote to memory of 1596	1852	cmd.exe	41

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1364	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe
"C:\Users\Admin\AppData\Local\Temp\e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\Web\705.5475.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1820
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\Web\IEXPL0RE.exe"
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1364
- - C:\Windows\Web\IEXPL0RE.exe
    "C:\Windows\Web\IEXPL0RE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im qq.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im qq.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im Rstray.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rstray.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 360tray.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im 360tray.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Web\705.5475.bat

Filesize
361B

MD5
cfd167171603710ab4f1bd3f4288a4e0

SHA1
92e07e18832806f41b3f368c8aa505135e2c0e14

SHA256
30d60fcf30d8431a6345c9dd42b85b550e7df9ba222ba8f332e9e4042a47fae1

SHA512
03814a0b0016b7d89b79b8756a51efc9ec5fadeb48ef0e5d19facdbe215f7dbd35fc3bb7521672082ef7a6a717b74be14fd62b4cef707d2829228bbff4e686a5

Download Submit
C:\Windows\Web\IEXPL0RE.exe

Filesize
73KB

MD5
8cd03e458c250abf34356371ccaa2a02

SHA1
f889d8276648c83b846ef67867d85f7cd028d7cf

SHA256
e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e

SHA512
c721f1c2d463baa637a4417686e98a7982268f754c44dbc783e8f9a30a06eda0936027ade0e667acb941e30a5ccfb19aa8c4b4f84abc8ab78b665bfbfaffb8ce

Download Submit
C:\Windows\Web\IEXPL0RE.exe

Filesize
73KB

MD5
8cd03e458c250abf34356371ccaa2a02

SHA1
f889d8276648c83b846ef67867d85f7cd028d7cf

SHA256
e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e

SHA512
c721f1c2d463baa637a4417686e98a7982268f754c44dbc783e8f9a30a06eda0936027ade0e667acb941e30a5ccfb19aa8c4b4f84abc8ab78b665bfbfaffb8ce

Download Submit
\Windows\Web\IEXPL0RE.exe

Filesize
73KB

MD5
8cd03e458c250abf34356371ccaa2a02

SHA1
f889d8276648c83b846ef67867d85f7cd028d7cf

SHA256
e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e

SHA512
c721f1c2d463baa637a4417686e98a7982268f754c44dbc783e8f9a30a06eda0936027ade0e667acb941e30a5ccfb19aa8c4b4f84abc8ab78b665bfbfaffb8ce

Download Submit
\Windows\Web\IEXPL0RE.exe

Filesize
73KB

MD5
8cd03e458c250abf34356371ccaa2a02

SHA1
f889d8276648c83b846ef67867d85f7cd028d7cf

SHA256
e1c7b1ea88ca0eef826120d75506dbb5a67be8f8271549caa5c25106eb49c66e

SHA512
c721f1c2d463baa637a4417686e98a7982268f754c44dbc783e8f9a30a06eda0936027ade0e667acb941e30a5ccfb19aa8c4b4f84abc8ab78b665bfbfaffb8ce

Download Submit
memory/676-71-0x0000000000000000-mapping.dmp

Download
memory/1340-67-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1340-65-0x0000000000000000-mapping.dmp

Download
memory/1340-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1352-57-0x0000000000000000-mapping.dmp

Download
memory/1364-61-0x0000000000000000-mapping.dmp

Download
memory/1596-75-0x0000000000000000-mapping.dmp

Download
memory/1668-74-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1688-54-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1796-70-0x0000000000000000-mapping.dmp

Download
memory/1816-73-0x0000000000000000-mapping.dmp

Download
memory/1820-60-0x0000000000000000-mapping.dmp

Download
memory/1852-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads