5c393e03afee6dff3591edb1b4461a4f0228cd1c8fe969f87d083a96406e85ee

General

Target

2ADDAADC910383F2753B62C8E1CDE0C0.exe
Size

1.8MB
MD5

2addaadc910383f2753b62c8e1cde0c0
SHA1

d646976c67990dad2d7631ae70d36228e177606f
SHA256

5c393e03afee6dff3591edb1b4461a4f0228cd1c8fe969f87d083a96406e85ee
SHA512

392fe6f4b749db1cdb909aff7815fee865ada2415e232bcc6523446a5afedfd1fd6a22909990b12db605a51a7221ceec2ef5feb82711dc495bb2e1f1b1822ce5

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

irsetup.exe

pid process

1284 irsetup.exe

pid	process
1284	irsetup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Loads dropped DLL 5 IoCs

Processes:

2ADDAADC910383F2753B62C8E1CDE0C0.exeirsetup.exe

pid	process
1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe
1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe
1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe
1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe
1284	irsetup.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

irsetup.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main irsetup.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

irsetup.exe

pid process

1284 irsetup.exe
1284 irsetup.exe
1284 irsetup.exe
1284 irsetup.exe
1284 irsetup.exe

flow	ioc
7	ip-api.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe

pid	process
1284	irsetup.exe
1284	irsetup.exe
1284	irsetup.exe
1284	irsetup.exe
1284	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2ADDAADC910383F2753B62C8E1CDE0C0.exe

description	pid	process	target process
PID 1644 wrote to memory of 1284	1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe	irsetup.exe
PID 1644 wrote to memory of 1284	1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe	irsetup.exe
PID 1644 wrote to memory of 1284	1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe	irsetup.exe
PID 1644 wrote to memory of 1284	1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe	irsetup.exe
PID 1644 wrote to memory of 1284	1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe	irsetup.exe
PID 1644 wrote to memory of 1284	1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe	irsetup.exe
PID 1644 wrote to memory of 1284	1644	2ADDAADC910383F2753B62C8E1CDE0C0.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\2ADDAADC910383F2753B62C8E1CDE0C0.exe
"C:\Users\Admin\AppData\Local\Temp\2ADDAADC910383F2753B62C8E1CDE0C0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1796642 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2ADDAADC910383F2753B62C8E1CDE0C0.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-2513283230-931923277-594887482-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
8d9f6c3dcc0a6d436519969a6b69bb63

SHA1
1dc4fc93160018d2922650a30f2062f91d541d56

SHA256
5223c4cf220d45a77632aff778537a52f6d1273ec65e80d17133251ef9e0548e

SHA512
e148e2b80f9308e559a77078813bca98896f0f774d588e59ee6c12e73b93d3c89f76746d8e79d57c2dd2b2e06efc00fe2470c2eea79536ee519bbfd60cadc440

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
8d9f6c3dcc0a6d436519969a6b69bb63

SHA1
1dc4fc93160018d2922650a30f2062f91d541d56

SHA256
5223c4cf220d45a77632aff778537a52f6d1273ec65e80d17133251ef9e0548e

SHA512
e148e2b80f9308e559a77078813bca98896f0f774d588e59ee6c12e73b93d3c89f76746d8e79d57c2dd2b2e06efc00fe2470c2eea79536ee519bbfd60cadc440

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
MD5
05ceb6d2e88a896d6ada0ab3f0dc40aa

SHA1
2b62cc437f5b3268acb3f569b43fd6c0a08e4e47

SHA256
b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a

SHA512
fd9a03167c70ddd156d6942e503f7d9528e4748e9613cfba69181eb8b50fcaea9f6d3b9e1398da21d4e4c8bf47c99fe2becc88b98107a4fdcb80697510c1860f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
8d9f6c3dcc0a6d436519969a6b69bb63

SHA1
1dc4fc93160018d2922650a30f2062f91d541d56

SHA256
5223c4cf220d45a77632aff778537a52f6d1273ec65e80d17133251ef9e0548e

SHA512
e148e2b80f9308e559a77078813bca98896f0f774d588e59ee6c12e73b93d3c89f76746d8e79d57c2dd2b2e06efc00fe2470c2eea79536ee519bbfd60cadc440

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
8d9f6c3dcc0a6d436519969a6b69bb63

SHA1
1dc4fc93160018d2922650a30f2062f91d541d56

SHA256
5223c4cf220d45a77632aff778537a52f6d1273ec65e80d17133251ef9e0548e

SHA512
e148e2b80f9308e559a77078813bca98896f0f774d588e59ee6c12e73b93d3c89f76746d8e79d57c2dd2b2e06efc00fe2470c2eea79536ee519bbfd60cadc440

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
8d9f6c3dcc0a6d436519969a6b69bb63

SHA1
1dc4fc93160018d2922650a30f2062f91d541d56

SHA256
5223c4cf220d45a77632aff778537a52f6d1273ec65e80d17133251ef9e0548e

SHA512
e148e2b80f9308e559a77078813bca98896f0f774d588e59ee6c12e73b93d3c89f76746d8e79d57c2dd2b2e06efc00fe2470c2eea79536ee519bbfd60cadc440

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
8d9f6c3dcc0a6d436519969a6b69bb63

SHA1
1dc4fc93160018d2922650a30f2062f91d541d56

SHA256
5223c4cf220d45a77632aff778537a52f6d1273ec65e80d17133251ef9e0548e

SHA512
e148e2b80f9308e559a77078813bca98896f0f774d588e59ee6c12e73b93d3c89f76746d8e79d57c2dd2b2e06efc00fe2470c2eea79536ee519bbfd60cadc440

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
MD5
05ceb6d2e88a896d6ada0ab3f0dc40aa

SHA1
2b62cc437f5b3268acb3f569b43fd6c0a08e4e47

SHA256
b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a

SHA512
fd9a03167c70ddd156d6942e503f7d9528e4748e9613cfba69181eb8b50fcaea9f6d3b9e1398da21d4e4c8bf47c99fe2becc88b98107a4fdcb80697510c1860f

Download Submit
memory/1284-64-0x0000000000000000-mapping.dmp

Download
memory/1644-59-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads