80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8

Analysis

max time kernel
105s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2022, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8.exe
Size

2.7MB
MD5

ddbfa546fe1b1e1e0f7115fa96f0e3a8
SHA1

3f7561631e53acbe00779fa0542b79c8ce1b3f8b
SHA256

80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8
SHA512

7f97ff49f647755aa372ca6c43a6514ffc8f20539ef828be3a9f769ab6727cc822a0fd82b89bf6800468671c214d2a729c799431f026b3730436d1be541ea004
SSDEEP

49152:ON26FOnzGn6LJvqkwnpC+mWd6uIcc9fJIluAGzdlz+mdUHZxs8GPX:O06FOznLo0+Dd6uxc9xIwCZxDGPX

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4908	irsetup.exe
4252	un.exe
2008	un.exe
2208	php-cgi.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000022e39-133.dat	upx
behavioral2/files/0x0008000000022e39-134.dat	upx
behavioral2/memory/4908-137-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/4908-147-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8.exe

Loads dropped DLL 1 IoCs

pid	Process
4908	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
728	2208	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4908	irsetup.exe
4908	irsetup.exe
4908	irsetup.exe
4252	un.exe
2008	un.exe
2208	php-cgi.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 4908	2144	80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8.exe	81
PID 2144 wrote to memory of 4908	2144	80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8.exe	81
PID 2144 wrote to memory of 4908	2144	80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8.exe	81
PID 4908 wrote to memory of 4252	4908	irsetup.exe	83
PID 4908 wrote to memory of 4252	4908	irsetup.exe	83
PID 4908 wrote to memory of 2008	4908	irsetup.exe	85
PID 4908 wrote to memory of 2008	4908	irsetup.exe	85
PID 4908 wrote to memory of 2208	4908	irsetup.exe	87
PID 4908 wrote to memory of 2208	4908	irsetup.exe	87
PID 4908 wrote to memory of 2208	4908	irsetup.exe	87

C:\Users\Admin\AppData\Local\Temp\80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8.exe
"C:\Users\Admin\AppData\Local\Temp\80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\80690178a97a99e54eeb310d1f9b7dd97aaabcd2d4bb7e459464c51ecfaf47e8.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2629973501-4017243118-3254762364-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\un.exe
    "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar ziliao.jpg C:\ProgramData\Microsoft\Program\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4252
- - C:\un.exe
    "C:\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar php-cgi.exe C:\PHP5433\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2008
- - C:\PHP5433\php-cgi.exe
    C:\PHP5433\php-cgi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 476
      4⤵
      Program crash
      PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2208 -ip 2208
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PHP5433\php-cgi.exe

Filesize
972KB

MD5
5612854da654663c0b066e3aaf5091d4

SHA1
88e42ab7c8a515a9b84dffcbaea4c0df7e519c29

SHA256
cc4ca836bf854c99c4cdc6f893ee1187d3178f62dc197c575dbf8058006aab18

SHA512
f3e855738db5764966822128e0758fff641e106527efc1ebdcb5d95e7b879f2456c357c568f0eed5f5cc69bb5d42fa492cbb4a98923d8c7147bd50a8bee79eed

Download Submit
C:\PHP5433\php-cgi.exe

Filesize
972KB

MD5
5612854da654663c0b066e3aaf5091d4

SHA1
88e42ab7c8a515a9b84dffcbaea4c0df7e519c29

SHA256
cc4ca836bf854c99c4cdc6f893ee1187d3178f62dc197c575dbf8058006aab18

SHA512
f3e855738db5764966822128e0758fff641e106527efc1ebdcb5d95e7b879f2456c357c568f0eed5f5cc69bb5d42fa492cbb4a98923d8c7147bd50a8bee79eed

Download Submit
C:\ProgramData\Data\UPX.rar

Filesize
866KB

MD5
3baed4d50bf5826da0c6d7f7a105e68b

SHA1
11b7850f3b81a5bd1f7f31547a9d7dfcbb2a26bb

SHA256
8c502c920f85629e9d9a2e190c9adf161dc799de6563821ee1d9c287a49cc9de

SHA512
964d276f3c2002df6ed09e275bbbb070611044afc4f31675e94469bf8b234e05842d426e598a50f419c294b13a9447515d22d963c278aa9dd98ce72c46c8fe0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\un.exe

Filesize
322KB

MD5
5770866edbb1a095d7edc981f37d9d53

SHA1
e067a008a709459a1732e0ab06de277501be076f

SHA256
e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367

SHA512
b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4

Download Submit
C:\un.exe

Filesize
322KB

MD5
5770866edbb1a095d7edc981f37d9d53

SHA1
e067a008a709459a1732e0ab06de277501be076f

SHA256
e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367

SHA512
b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4

Download Submit
C:\un.exe

Filesize
322KB

MD5
5770866edbb1a095d7edc981f37d9d53

SHA1
e067a008a709459a1732e0ab06de277501be076f

SHA256
e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367

SHA512
b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4

Download Submit
memory/2208-149-0x00000000776C0000-0x0000000077863000-memory.dmp

Filesize
1.6MB

Download
memory/2208-152-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2208-150-0x0000000075E20000-0x0000000076035000-memory.dmp

Filesize
2.1MB

Download
memory/2208-148-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4908-137-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/4908-147-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download