a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834

General

Target

a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe
Size

675KB
MD5

520967b89e3c199aeb953dd96a5b1934
SHA1

53edcbf7659478031a05a37fe1f2df05fa4a1658
SHA256

a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834
SHA512

77a1a9a906d269ded0147563f50f78da3740497d7d23986b869556fce3effadf9088694d917d5302db8cf318d7e908f67dedf8619c5f52d22d85a9ed3a9667c7
SSDEEP

12288:cfNb4S3eYs5lSl4sRmKXsq42aJuMBvN1Bxb5dIYs3g1RwS3wGvTbd1wjop+w:ANEq+xKX62aJuYvNPd543A6S/vTPwjoh

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

irsetup.exealg.exe

pid process

2368 irsetup.exe
3232 alg.exe

pid	process
2368	irsetup.exe
3232	alg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral2/memory/2368-135-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/2368-139-0x0000000000400000-0x000000000057F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

irsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Application Layer Gateway = "C:\\Program Files (x86)\\Common Files\\alg.exe"	irsetup.exe

Drops file in Program Files directory 2 IoCs

Processes:

irsetup.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\alg.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\alg.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

irsetup.exealg.exe

pid process

2368 irsetup.exe
2368 irsetup.exe
3232 alg.exe
3232 alg.exe

pid	process
2368	irsetup.exe
2368	irsetup.exe
3232	alg.exe
3232	alg.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exeirsetup.exe

description	pid	process	target process
PID 992 wrote to memory of 2368	992	a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe	irsetup.exe
PID 992 wrote to memory of 2368	992	a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe	irsetup.exe
PID 992 wrote to memory of 2368	992	a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe	irsetup.exe
PID 2368 wrote to memory of 3232	2368	irsetup.exe	alg.exe
PID 2368 wrote to memory of 3232	2368	irsetup.exe	alg.exe

C:\Users\Admin\AppData\Local\Temp\a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe
"C:\Users\Admin\AppData\Local\Temp\a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:654882 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a5fa03912e42b146af3cbe6dbf816137d09c29388725a1ab566f910780c92834.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-4246620582-653642754-1174164128-1000"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Program Files (x86)\Common Files\alg.exe
    "C:\Program Files (x86)\Common Files\alg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\alg.exe

Filesize
33KB

MD5
95e93dab48ebaad753dadae83b666556

SHA1
5415f8aec7736d00ccd217ef8389721882109a21

SHA256
eb7bdd197576b898ee19bc0bd51f1902c179ce48079e8bf34b46ae675cecabca

SHA512
02b8d49bed87a9624402d593c032af34a41621128f6d050d01213f382a533079250c584cd386c6e4f5e2889f0721ecf00471dd881a2b6fc82dfb2c073e7ea84f

Download Submit
C:\Program Files (x86)\Common Files\alg.exe

Filesize
33KB

MD5
95e93dab48ebaad753dadae83b666556

SHA1
5415f8aec7736d00ccd217ef8389721882109a21

SHA256
eb7bdd197576b898ee19bc0bd51f1902c179ce48079e8bf34b46ae675cecabca

SHA512
02b8d49bed87a9624402d593c032af34a41621128f6d050d01213f382a533079250c584cd386c6e4f5e2889f0721ecf00471dd881a2b6fc82dfb2c073e7ea84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
563KB

MD5
76da2c7c124183acf74251db2a336a79

SHA1
e3af0b141c37fe8db95397970aac0f9545e8b45a

SHA256
77a0ee56b68c5524c79201bc045aed9c212a90f4f28d5f08a8c15507df94aad0

SHA512
b160aa92810da8dc71cfffcc5ee0eeaf3058dcd39a0b1c0f02fd03436d011d9f50b46c0bea984cf3ee732162601e3a140b408655c647ff00654fa59d8fb2a8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
563KB

MD5
76da2c7c124183acf74251db2a336a79

SHA1
e3af0b141c37fe8db95397970aac0f9545e8b45a

SHA256
77a0ee56b68c5524c79201bc045aed9c212a90f4f28d5f08a8c15507df94aad0

SHA512
b160aa92810da8dc71cfffcc5ee0eeaf3058dcd39a0b1c0f02fd03436d011d9f50b46c0bea984cf3ee732162601e3a140b408655c647ff00654fa59d8fb2a8e4

Download Submit
memory/2368-132-0x0000000000000000-mapping.dmp

Download
memory/2368-135-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2368-139-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/3232-136-0x0000000000000000-mapping.dmp

Download
memory/3232-140-0x000000001C800000-0x000000001D236000-memory.dmp

Filesize
10.2MB

Download
memory/3232-141-0x00000000019BA000-0x00000000019BF000-memory.dmp

Filesize
20KB

Download
memory/3232-142-0x00000000019BA000-0x00000000019BF000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads