b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93

General

Target

b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe
Size

1.7MB
MD5

e9dc18e35c44154c4e9fc93d8487300e
SHA1

0e1abf531bd74795fc839d52b202bd48a4d0f7e4
SHA256

b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93
SHA512

93d3546ce41fcac293d61778003babc72d2a9a3717f5e0e7d389bfb1254bf0d77f9c8367fca5560a3c191dbd585faef627f58a9f96e8bf762a4c62e10a058b07
SSDEEP

49152:GC2lJmXbj5DIwbQea1LPEyK7r385JD3d6cIWhEt:GzlkbFDVrQMyOr3S3d6cLhEt

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	irsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	irsetup.exe

Executes dropped EXE 1 IoCs

pid	Process
1716	irsetup.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122da-55.dat	upx
behavioral1/files/0x000b0000000122da-58.dat	upx
behavioral1/files/0x000b0000000122da-57.dat	upx
behavioral1/files/0x000b0000000122da-56.dat	upx
behavioral1/files/0x000b0000000122da-60.dat	upx
behavioral1/files/0x000b0000000122da-64.dat	upx
behavioral1/memory/1716-68-0x0000000000EE0000-0x00000000012C7000-memory.dmp	upx
behavioral1/memory/1716-70-0x0000000000EE0000-0x00000000012C7000-memory.dmp	upx
behavioral1/memory/1716-71-0x0000000000EE0000-0x00000000012C7000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe
1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe
1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe
1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe
1716	irsetup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	irsetup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1716	irsetup.exe
1716	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1716	1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe	27
PID 1768 wrote to memory of 1716	1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe	27
PID 1768 wrote to memory of 1716	1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe	27
PID 1768 wrote to memory of 1716	1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe	27
PID 1768 wrote to memory of 1716	1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe	27
PID 1768 wrote to memory of 1716	1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe	27
PID 1768 wrote to memory of 1716	1768	b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe	27

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	irsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	irsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe
"C:\Users\Admin\AppData\Local\Temp\b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1790722 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\b614e1d6ed4deafd064e1067ffd0172e8adf66ec481963c6b183f5e6e9471d93.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-4063495947-34355257-727531523-1000"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9bdcf813d65265255b820bc7a704da3c

SHA1
dad6501711992ab874d778ece5a103e143fd42d7

SHA256
b15d67b4a57184e5202df3c25e20dc0b7f853f4d527d148b337138900989824a

SHA512
53cac68a57194ec33ccc5c212a6b82bc554e85c86faab4e095876f5c037f680c646ce8463857e61438b92cb7ca7c17efea1d713a9d772d9f2afeb5ddd17b6504

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9bdcf813d65265255b820bc7a704da3c

SHA1
dad6501711992ab874d778ece5a103e143fd42d7

SHA256
b15d67b4a57184e5202df3c25e20dc0b7f853f4d527d148b337138900989824a

SHA512
53cac68a57194ec33ccc5c212a6b82bc554e85c86faab4e095876f5c037f680c646ce8463857e61438b92cb7ca7c17efea1d713a9d772d9f2afeb5ddd17b6504

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
322KB

MD5
c3f5f4a1fb69b5889f0bbb313cf6017f

SHA1
e4f592cfbd62a3c3caf27177ccea5a77afa649bb

SHA256
769416fa7edf38e91a55f4f7163914ee4aad9c8c890ed641c300b73157acac45

SHA512
e17d3be36fd2ba892d945f3737ebffdefe6d476224ef3459b567579971559a048a886941f57ae671b3df32844f99575a14c72ef8c49c2d4b1e8352204ccc05ab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9bdcf813d65265255b820bc7a704da3c

SHA1
dad6501711992ab874d778ece5a103e143fd42d7

SHA256
b15d67b4a57184e5202df3c25e20dc0b7f853f4d527d148b337138900989824a

SHA512
53cac68a57194ec33ccc5c212a6b82bc554e85c86faab4e095876f5c037f680c646ce8463857e61438b92cb7ca7c17efea1d713a9d772d9f2afeb5ddd17b6504

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9bdcf813d65265255b820bc7a704da3c

SHA1
dad6501711992ab874d778ece5a103e143fd42d7

SHA256
b15d67b4a57184e5202df3c25e20dc0b7f853f4d527d148b337138900989824a

SHA512
53cac68a57194ec33ccc5c212a6b82bc554e85c86faab4e095876f5c037f680c646ce8463857e61438b92cb7ca7c17efea1d713a9d772d9f2afeb5ddd17b6504

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9bdcf813d65265255b820bc7a704da3c

SHA1
dad6501711992ab874d778ece5a103e143fd42d7

SHA256
b15d67b4a57184e5202df3c25e20dc0b7f853f4d527d148b337138900989824a

SHA512
53cac68a57194ec33ccc5c212a6b82bc554e85c86faab4e095876f5c037f680c646ce8463857e61438b92cb7ca7c17efea1d713a9d772d9f2afeb5ddd17b6504

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9bdcf813d65265255b820bc7a704da3c

SHA1
dad6501711992ab874d778ece5a103e143fd42d7

SHA256
b15d67b4a57184e5202df3c25e20dc0b7f853f4d527d148b337138900989824a

SHA512
53cac68a57194ec33ccc5c212a6b82bc554e85c86faab4e095876f5c037f680c646ce8463857e61438b92cb7ca7c17efea1d713a9d772d9f2afeb5ddd17b6504

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
322KB

MD5
c3f5f4a1fb69b5889f0bbb313cf6017f

SHA1
e4f592cfbd62a3c3caf27177ccea5a77afa649bb

SHA256
769416fa7edf38e91a55f4f7163914ee4aad9c8c890ed641c300b73157acac45

SHA512
e17d3be36fd2ba892d945f3737ebffdefe6d476224ef3459b567579971559a048a886941f57ae671b3df32844f99575a14c72ef8c49c2d4b1e8352204ccc05ab

Download Submit
memory/1716-68-0x0000000000EE0000-0x00000000012C7000-memory.dmp

Filesize
3.9MB

Download
memory/1716-70-0x0000000000EE0000-0x00000000012C7000-memory.dmp

Filesize
3.9MB

Download
memory/1716-71-0x0000000000EE0000-0x00000000012C7000-memory.dmp

Filesize
3.9MB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1768-65-0x0000000002A90000-0x0000000002E77000-memory.dmp

Filesize
3.9MB

Download
memory/1768-66-0x0000000002A90000-0x0000000002E77000-memory.dmp

Filesize
3.9MB

Download
memory/1768-67-0x0000000002A90000-0x0000000002E77000-memory.dmp

Filesize
3.9MB

Download
memory/1768-69-0x0000000002A90000-0x0000000002E77000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads