4b9bf5c5caf3d7a9394f361099977d7a4ef4477c97f7d6ba54e9981567003dc8

Analysis

max time kernel
91s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

995ff2c762507d4d58ee1726e0e08277.exe
Size

92KB
MD5

995ff2c762507d4d58ee1726e0e08277
SHA1

88727c48ace43e54aa83c9a8bf8da66eba047dbc
SHA256

4b9bf5c5caf3d7a9394f361099977d7a4ef4477c97f7d6ba54e9981567003dc8
SHA512

0291f8776ab7147473a96179983b938c79d2eea32c9a97f8ff8f997539693446de9f0f4cde589efe3543ae7a664fe42178761cf669e3e999409584842ca761b8
SSDEEP

1536:Xn/oYXOFGRG8zr7tLqLdjXpeHQr84qS/UOZ:X/onGRbz3ULdDpEm84qe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	995ff2c762507d4d58ee1726e0e08277.exe

Executes dropped EXE 1 IoCs

pid	Process
4132	iealore.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Help\iealore.exe	995ff2c762507d4d58ee1726e0e08277.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

pid	Process
3516	taskkill.exe
2880	taskkill.exe
4960	taskkill.exe
372	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2392	995ff2c762507d4d58ee1726e0e08277.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 372	2392	995ff2c762507d4d58ee1726e0e08277.exe	85
PID 2392 wrote to memory of 372	2392	995ff2c762507d4d58ee1726e0e08277.exe	85
PID 2392 wrote to memory of 372	2392	995ff2c762507d4d58ee1726e0e08277.exe	85
PID 2392 wrote to memory of 3516	2392	995ff2c762507d4d58ee1726e0e08277.exe	87
PID 2392 wrote to memory of 3516	2392	995ff2c762507d4d58ee1726e0e08277.exe	87
PID 2392 wrote to memory of 3516	2392	995ff2c762507d4d58ee1726e0e08277.exe	87
PID 2392 wrote to memory of 2880	2392	995ff2c762507d4d58ee1726e0e08277.exe	89
PID 2392 wrote to memory of 2880	2392	995ff2c762507d4d58ee1726e0e08277.exe	89
PID 2392 wrote to memory of 2880	2392	995ff2c762507d4d58ee1726e0e08277.exe	89
PID 2392 wrote to memory of 4960	2392	995ff2c762507d4d58ee1726e0e08277.exe	91
PID 2392 wrote to memory of 4960	2392	995ff2c762507d4d58ee1726e0e08277.exe	91
PID 2392 wrote to memory of 4960	2392	995ff2c762507d4d58ee1726e0e08277.exe	91
PID 2392 wrote to memory of 4132	2392	995ff2c762507d4d58ee1726e0e08277.exe	94
PID 2392 wrote to memory of 4132	2392	995ff2c762507d4d58ee1726e0e08277.exe	94
PID 2392 wrote to memory of 4132	2392	995ff2c762507d4d58ee1726e0e08277.exe	94

C:\Users\Admin\AppData\Local\Temp\995ff2c762507d4d58ee1726e0e08277.exe
"C:\Users\Admin\AppData\Local\Temp\995ff2c762507d4d58ee1726e0e08277.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im 360Safe.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im 360tray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im SkypeClient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\WINDOWS\Help\iealore.exe
  "C:\WINDOWS\Help\iealore.exe"
  2⤵
  - Executes dropped EXE
  PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\iealore.exe

Filesize
13KB

MD5
ab9e1d25b8b3b04cb5db1693de8473cb

SHA1
68dbb66b1ef48df5e685adfa272ed969a6047397

SHA256
08f7b098c3443661be43150e184dd987586dc2bf861c06999ed45f19189d2106

SHA512
3d34d657dee0df049cf3a6c39bd45fa17b0b687ebb3e9d6209a5e98c7a6349424e444088558ec1f74491717a43780c5ab774db129044ae0b63af0a2999aaa4da

Download Submit
memory/2392-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2392-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download