01649a26c54f527aa1dadab4cc0a357df07447c79b8719eed8f9f39e0a33e51c

Analysis

max time kernel
186s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01649a26c54f527aa1dadab4cc0a357df07447c79b8719eed8f9f39e0a33e51c.exe
Size

2.3MB
MD5

670d875c56ab5944d218d9a52b53cb47
SHA1

8c8ec5a3d8b5f06ecbdfeecb6f4d82f24136fd4d
SHA256

01649a26c54f527aa1dadab4cc0a357df07447c79b8719eed8f9f39e0a33e51c
SHA512

88d37c58eee8ffbcc0cdc2c820f9d74db82951e1c86f0f5f15137cb4881bf62e9dd56099d1c478a46a375492fcfb0fde72c57d297f427c1d323a6bfcfd6d9d45
SSDEEP

49152:ZbTaSh0nGK5+bdTAEUMLe9gc+DRRcO9//oUsvjO:ZbGShsh+5TVUMyg1RjbyjO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3424	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3424	irsetup.exe
3424	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 3424	4288	01649a26c54f527aa1dadab4cc0a357df07447c79b8719eed8f9f39e0a33e51c.exe	82
PID 4288 wrote to memory of 3424	4288	01649a26c54f527aa1dadab4cc0a357df07447c79b8719eed8f9f39e0a33e51c.exe	82
PID 4288 wrote to memory of 3424	4288	01649a26c54f527aa1dadab4cc0a357df07447c79b8719eed8f9f39e0a33e51c.exe	82

C:\Users\Admin\AppData\Local\Temp\01649a26c54f527aa1dadab4cc0a357df07447c79b8719eed8f9f39e0a33e51c.exe
"C:\Users\Admin\AppData\Local\Temp\01649a26c54f527aa1dadab4cc0a357df07447c79b8719eed8f9f39e0a33e51c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
51KB

MD5
ff439d8a48231281a5b95d703c168fe7

SHA1
76094b5540f187bc730fb9ce8265c5d5fd74d4e9

SHA256
403b2c886bf9895534a5ebe14894d64f80ec1f10d01c04480ba68a4b10870067

SHA512
ea3c9ff9f2fb64e271b6b0dcd13db4e70d3e5b71b7d6302692bc46586edb33cb6aacb9c9548f00c17d1b063c430c4fd2807afcf39fbe50d358c89e19c6955d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
7KB

MD5
95145f4cead2c4bd2ec219bc87d83f1d

SHA1
5eec034dfc7d9a6d93c21f38dfe2405c8968f6ed

SHA256
0542cb1d3e6b50f78dc63ea1abec6c518cfd4ea203649df3ef3834309ea66cad

SHA512
081d9cfa0bc46a54fcf03a62e5663282d27f56e20fbeafba2833d6267de285a354915c661dd67a3217f4dc2330c7f49babf8b24a5a68ba5a014f5e1e297cc5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG3.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
7KB

MD5
2be04e8d0c899ec033c4676616d07c8a

SHA1
37169c554f0a4a587ad9bc89dce14d8d9b06f9a8

SHA256
52c378c737eee0c387618f3eb8acea21cacf9bf2083756f043f3d1aee585f66d

SHA512
b136b058a5626c5dce858704d13fb9427ac348ae07cf68ad22c5751aa3dfae98f43e0d1b3b1d2a662a48a8d87ae698f32edd4ce66eb746cd828272f3c194787c

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
137B

MD5
144f96fdb274d64295441a1d9656e0ac

SHA1
3a958c06fc511841e22962979e52356d029f1fb8

SHA256
84188363933b21fce3a34fa37c2b57c087386cb9a3f6b77ba0b8038f66e98790

SHA512
06482d74105cb64fd5878c03e31c3801ba919719e72539dec9bc1c28fee222d7bcc6290a6eef115c94053190349c3df95a0c0a59f67970fa5e0077967d1630a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
5930543afe37917c8e447635310009d5

SHA1
b012ad5d21489c97e2fdb27728e808200fceef07

SHA256
a084e98c6807381e118d47c1c65c591361f4159d87b3b4386ed347ca60c890a5

SHA512
073080d3233d21936fc8ddafd06bcde8eb15913577b1a7015cbdb3a8af13c7678e65f1afa2036e2fb59eebec55f8fbf025958d8490d13dea05a093534a4aff9b

Download Submit
memory/3424-132-0x0000000000000000-mapping.dmp

Download