d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9

Analysis

max time kernel
41s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
Size

3.3MB
MD5

88b1dff8e8b47fbddb1dba61c58d8f07
SHA1

c6f12706a5163feeb749402fc4909b2b137f8a9c
SHA256

d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9
SHA512

20ba0e072e51c9e89107bbb56e4e24b6a1f681860f4d29b7dd8079b4cb1c11a6f36b2bd02b05e3c6317ae2268b8f2d78dc41340cad0229583eb8d8e979bfec78
SSDEEP

49152:E9BfDauF3rt3g7GNBamkmmCwLtLV3viyKXtLGNWImgPIsxmHCpswILEtLH:EfTxzG7CwdV3vidSWHFCmLwH

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1256	reg64.exe
1140	bot.exe
2044	irsetup.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000122c2-69.dat	upx
behavioral1/memory/1140-70-0x0000000002E20000-0x00000000031EB000-memory.dmp	upx
behavioral1/files/0x00080000000122c2-73.dat	upx
behavioral1/files/0x00080000000122c2-72.dat	upx
behavioral1/files/0x00080000000122c2-71.dat	upx
behavioral1/files/0x00080000000122c2-75.dat	upx
behavioral1/memory/2044-81-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral1/files/0x00080000000122c2-82.dat	upx
behavioral1/memory/2044-85-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Loads dropped DLL 14 IoCs

pid	Process
1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
1140	bot.exe
1140	bot.exe
1140	bot.exe
1140	bot.exe
2044	irsetup.exe
2044	irsetup.exe
2044	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2044	irsetup.exe
2044	irsetup.exe
2044	irsetup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1256	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	27
PID 1476 wrote to memory of 1256	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	27
PID 1476 wrote to memory of 1256	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	27
PID 1476 wrote to memory of 1256	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	27
PID 1476 wrote to memory of 1256	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	27
PID 1476 wrote to memory of 1256	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	27
PID 1476 wrote to memory of 1256	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	27
PID 1476 wrote to memory of 1140	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	28
PID 1476 wrote to memory of 1140	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	28
PID 1476 wrote to memory of 1140	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	28
PID 1476 wrote to memory of 1140	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	28
PID 1476 wrote to memory of 1140	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	28
PID 1476 wrote to memory of 1140	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	28
PID 1476 wrote to memory of 1140	1476	d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe	28
PID 1140 wrote to memory of 2044	1140	bot.exe	29
PID 1140 wrote to memory of 2044	1140	bot.exe	29
PID 1140 wrote to memory of 2044	1140	bot.exe	29
PID 1140 wrote to memory of 2044	1140	bot.exe	29
PID 1140 wrote to memory of 2044	1140	bot.exe	29
PID 1140 wrote to memory of 2044	1140	bot.exe	29
PID 1140 wrote to memory of 2044	1140	bot.exe	29

C:\Users\Admin\AppData\Local\Temp\d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe
"C:\Users\Admin\AppData\Local\Temp\d183cf24dcb323f6f09c6ef03d4782e3d3a5a73fd198b67f89fa2c4d59bc80b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\reg64.exe
  "C:\Users\Admin\AppData\Local\Temp\reg64.exe"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\bot.exe
  "C:\Users\Admin\AppData\Local\Temp\bot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1749498 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\bot.exe" "__IRCT:3" "__IRTSS:2621767" "__IRSID:S-1-5-21-999675638-2867687379-27515722-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
C:\Users\Admin\AppData\Local\Temp\reg64.exe

Filesize
525KB

MD5
513d7b7802c59b1da771eaf8603dee9d

SHA1
8b6dc913f4fc7d20f68cd9dc123f74e5eb3a138a

SHA256
2e666dc99f813f62d2f6caf7dc0b152863be2997852ab3e48cc24afe7e1c921f

SHA512
dd0b2f591892741ae7b09d02a58d72021ad446af07274ff167db088622fa409d9ad7eba50807f33f15707d98bfb643f2953a2646819078ebdd985eb6bf34577c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1437d30476f86879af27aa3c4f5cf2ef

SHA1
cea48b9a0103cb60738fe23c2927c02880d7d954

SHA256
9a7bb59efdca3a44db5227ed2a501681e976ec53dce37934990c36b58d51e783

SHA512
41c17395e32949f11214295a4237a3e1f80b29a6299f79f7764b5990bff73434d3c60084461d872361fb275dca943a8a7fb770fd9d8d542b2cd3091e4d533ac6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
2.5MB

MD5
2464b4bf0871616c933bfe12f5b2ab71

SHA1
561f70e457cb22fcbe344e4605be3ee9f2ddd606

SHA256
65bf4a5ab8bd9e351c01a2a45eec3062e39717e6dc4694ed7c1f7b54f3d38f75

SHA512
3cdbd672c92c0808e11197577564a53db1560065b45aa57aabe2a4df0c2c2aa93357762359d575a0bafb2750239dda26689d82135656e12ae749e85ccc1e400b

Download Submit
\Users\Admin\AppData\Local\Temp\reg64.exe

Filesize
525KB

MD5
513d7b7802c59b1da771eaf8603dee9d

SHA1
8b6dc913f4fc7d20f68cd9dc123f74e5eb3a138a

SHA256
2e666dc99f813f62d2f6caf7dc0b152863be2997852ab3e48cc24afe7e1c921f

SHA512
dd0b2f591892741ae7b09d02a58d72021ad446af07274ff167db088622fa409d9ad7eba50807f33f15707d98bfb643f2953a2646819078ebdd985eb6bf34577c

Download Submit
\Users\Admin\AppData\Local\Temp\reg64.exe

Filesize
525KB

MD5
513d7b7802c59b1da771eaf8603dee9d

SHA1
8b6dc913f4fc7d20f68cd9dc123f74e5eb3a138a

SHA256
2e666dc99f813f62d2f6caf7dc0b152863be2997852ab3e48cc24afe7e1c921f

SHA512
dd0b2f591892741ae7b09d02a58d72021ad446af07274ff167db088622fa409d9ad7eba50807f33f15707d98bfb643f2953a2646819078ebdd985eb6bf34577c

Download Submit
\Users\Admin\AppData\Local\Temp\reg64.exe

Filesize
525KB

MD5
513d7b7802c59b1da771eaf8603dee9d

SHA1
8b6dc913f4fc7d20f68cd9dc123f74e5eb3a138a

SHA256
2e666dc99f813f62d2f6caf7dc0b152863be2997852ab3e48cc24afe7e1c921f

SHA512
dd0b2f591892741ae7b09d02a58d72021ad446af07274ff167db088622fa409d9ad7eba50807f33f15707d98bfb643f2953a2646819078ebdd985eb6bf34577c

Download Submit
memory/1140-79-0x0000000002E20000-0x00000000031EB000-memory.dmp

Filesize
3.8MB

Download
memory/1140-70-0x0000000002E20000-0x00000000031EB000-memory.dmp

Filesize
3.8MB

Download
memory/1140-80-0x0000000002E20000-0x00000000031EB000-memory.dmp

Filesize
3.8MB

Download
memory/1140-65-0x0000000000000000-mapping.dmp

Download
memory/1256-58-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/2044-74-0x0000000000000000-mapping.dmp

Download
memory/2044-81-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2044-85-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download