a82ed783b581bc3840fea36ea2df60b9987a343c44b6d37e583b1f212dcac2b6

Analysis

max time kernel
123s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82ed783b581bc3840fea36ea2df60b9987a343c44b6d37e583b1f212dcac2b6.exe
Size

2.3MB
MD5

db67a1dac1ed03da67cf7e80c2a01d75
SHA1

cf5df16cbbec8f47a850f37dae927b15928da42c
SHA256

a82ed783b581bc3840fea36ea2df60b9987a343c44b6d37e583b1f212dcac2b6
SHA512

e40ec60adf77b5ca37231ebc674e3d1d707ed2eee9030ba90e31aabccd2cbaa411199809b35f73819d2cf5e1e013c340f9e998ed24fe94ced0f93222ce3319e9
SSDEEP

49152:2bTaSh0nrZEAP085cP08oeKBP08zP0819HqYi+kiomVMDl4obLvP08QlyERU6b+z:2bGShsrrP04cP0hlP0aP06HqwxoJDl46

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1200	irsetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ÖÕ¼¶ÉÏÍøÌáËÙ Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1200	irsetup.exe
1200	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1200	1944	a82ed783b581bc3840fea36ea2df60b9987a343c44b6d37e583b1f212dcac2b6.exe	82
PID 1944 wrote to memory of 1200	1944	a82ed783b581bc3840fea36ea2df60b9987a343c44b6d37e583b1f212dcac2b6.exe	82
PID 1944 wrote to memory of 1200	1944	a82ed783b581bc3840fea36ea2df60b9987a343c44b6d37e583b1f212dcac2b6.exe	82

C:\Users\Admin\AppData\Local\Temp\a82ed783b581bc3840fea36ea2df60b9987a343c44b6d37e583b1f212dcac2b6.exe
"C:\Users\Admin\AppData\Local\Temp\a82ed783b581bc3840fea36ea2df60b9987a343c44b6d37e583b1f212dcac2b6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
95145f4cead2c4bd2ec219bc87d83f1d

SHA1
5eec034dfc7d9a6d93c21f38dfe2405c8968f6ed

SHA256
0542cb1d3e6b50f78dc63ea1abec6c518cfd4ea203649df3ef3834309ea66cad

SHA512
081d9cfa0bc46a54fcf03a62e5663282d27f56e20fbeafba2833d6267de285a354915c661dd67a3217f4dc2330c7f49babf8b24a5a68ba5a014f5e1e297cc5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
18KB

MD5
4fc960d117c55a164a0f70353cd8e097

SHA1
960d23492fc4f447ab6172af889a3d5aa4748531

SHA256
c474f92b6b5a8425c3148a9b3b8cb72c2a083665bbc0648f1278310a3d106495

SHA512
8430d44595a2016c9dbaf68f281ca5ae7beb7279e6c7c8c311bbfa71bd67879882775a480edd10242d46e528b3a8c2ff3e3169fed4b8b2a85bfdc2ba1091e7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
137B

MD5
be58e454a902db7fc3b0555c44e07054

SHA1
385d490c89ec9b4faa63596e163f03b6a0e8315d

SHA256
eb92fad11822e2471c4ce4cf39337cfb273a8a2d18c9212d55d04033bb908eed

SHA512
9cca45019572d00f60efbb34ca8959d26f319002532f6f9e4954b7790acbc2ef214fbac8dddc3490bb378eb5515cf222fe98626bde8c5f340cba9b9defd174f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
5930543afe37917c8e447635310009d5

SHA1
b012ad5d21489c97e2fdb27728e808200fceef07

SHA256
a084e98c6807381e118d47c1c65c591361f4159d87b3b4386ed347ca60c890a5

SHA512
073080d3233d21936fc8ddafd06bcde8eb15913577b1a7015cbdb3a8af13c7678e65f1afa2036e2fb59eebec55f8fbf025958d8490d13dea05a093534a4aff9b

Download Submit