4b9bf5c5caf3d7a9394f361099977d7a4ef4477c97f7d6ba54e9981567003dc8

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

995ff2c762507d4d58ee1726e0e08277.exe
Size

92KB
MD5

995ff2c762507d4d58ee1726e0e08277
SHA1

88727c48ace43e54aa83c9a8bf8da66eba047dbc
SHA256

4b9bf5c5caf3d7a9394f361099977d7a4ef4477c97f7d6ba54e9981567003dc8
SHA512

0291f8776ab7147473a96179983b938c79d2eea32c9a97f8ff8f997539693446de9f0f4cde589efe3543ae7a664fe42178761cf669e3e999409584842ca761b8
SSDEEP

1536:Xn/oYXOFGRG8zr7tLqLdjXpeHQr84qS/UOZ:X/onGRbz3ULdDpEm84qe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	iealore.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	995ff2c762507d4d58ee1726e0e08277.exe
2324	995ff2c762507d4d58ee1726e0e08277.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Help\iealore.exe	995ff2c762507d4d58ee1726e0e08277.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

pid	Process
2888	taskkill.exe
2432	taskkill.exe
2644	taskkill.exe
2680	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2324	995ff2c762507d4d58ee1726e0e08277.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2016	iealore.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2432	2324	995ff2c762507d4d58ee1726e0e08277.exe	30
PID 2324 wrote to memory of 2432	2324	995ff2c762507d4d58ee1726e0e08277.exe	30
PID 2324 wrote to memory of 2432	2324	995ff2c762507d4d58ee1726e0e08277.exe	30
PID 2324 wrote to memory of 2432	2324	995ff2c762507d4d58ee1726e0e08277.exe	30
PID 2324 wrote to memory of 2888	2324	995ff2c762507d4d58ee1726e0e08277.exe	28
PID 2324 wrote to memory of 2888	2324	995ff2c762507d4d58ee1726e0e08277.exe	28
PID 2324 wrote to memory of 2888	2324	995ff2c762507d4d58ee1726e0e08277.exe	28
PID 2324 wrote to memory of 2888	2324	995ff2c762507d4d58ee1726e0e08277.exe	28
PID 2324 wrote to memory of 2644	2324	995ff2c762507d4d58ee1726e0e08277.exe	33
PID 2324 wrote to memory of 2644	2324	995ff2c762507d4d58ee1726e0e08277.exe	33
PID 2324 wrote to memory of 2644	2324	995ff2c762507d4d58ee1726e0e08277.exe	33
PID 2324 wrote to memory of 2644	2324	995ff2c762507d4d58ee1726e0e08277.exe	33
PID 2324 wrote to memory of 2680	2324	995ff2c762507d4d58ee1726e0e08277.exe	34
PID 2324 wrote to memory of 2680	2324	995ff2c762507d4d58ee1726e0e08277.exe	34
PID 2324 wrote to memory of 2680	2324	995ff2c762507d4d58ee1726e0e08277.exe	34
PID 2324 wrote to memory of 2680	2324	995ff2c762507d4d58ee1726e0e08277.exe	34
PID 2324 wrote to memory of 2016	2324	995ff2c762507d4d58ee1726e0e08277.exe	37
PID 2324 wrote to memory of 2016	2324	995ff2c762507d4d58ee1726e0e08277.exe	37
PID 2324 wrote to memory of 2016	2324	995ff2c762507d4d58ee1726e0e08277.exe	37
PID 2324 wrote to memory of 2016	2324	995ff2c762507d4d58ee1726e0e08277.exe	37
PID 2016 wrote to memory of 868	2016	iealore.exe	38
PID 2016 wrote to memory of 868	2016	iealore.exe	38
PID 2016 wrote to memory of 868	2016	iealore.exe	38
PID 2016 wrote to memory of 868	2016	iealore.exe	38
PID 868 wrote to memory of 3020	868	cmd.exe	40
PID 868 wrote to memory of 3020	868	cmd.exe	40
PID 868 wrote to memory of 3020	868	cmd.exe	40
PID 868 wrote to memory of 3020	868	cmd.exe	40
PID 3020 wrote to memory of 3008	3020	net.exe	41
PID 3020 wrote to memory of 3008	3020	net.exe	41
PID 3020 wrote to memory of 3008	3020	net.exe	41
PID 3020 wrote to memory of 3008	3020	net.exe	41

C:\Users\Admin\AppData\Local\Temp\995ff2c762507d4d58ee1726e0e08277.exe
"C:\Users\Admin\AppData\Local\Temp\995ff2c762507d4d58ee1726e0e08277.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im 360tray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im 360Safe.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im SkypeClient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\WINDOWS\Help\iealore.exe
  "C:\WINDOWS\Help\iealore.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\iealore.exe

Filesize
13KB

MD5
ab9e1d25b8b3b04cb5db1693de8473cb

SHA1
68dbb66b1ef48df5e685adfa272ed969a6047397

SHA256
08f7b098c3443661be43150e184dd987586dc2bf861c06999ed45f19189d2106

SHA512
3d34d657dee0df049cf3a6c39bd45fa17b0b687ebb3e9d6209a5e98c7a6349424e444088558ec1f74491717a43780c5ab774db129044ae0b63af0a2999aaa4da

Download Submit
memory/2016-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2324-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download