71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2023 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8.exe
Size

16.0MB
MD5

14ea45c21c29c2f388fd7c28b5f1f85d
SHA1

440ead5f7eb66ecade2d09abeb1a5534a6dfb353
SHA256

71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8
SHA512

c92792620ca854ee115d2e83aa4576e54cbeb5b781c822607f3cefbb452299f24779ff294c3d6fa1f1f5216878db1c39eaff471c68805a10d869f8732ba05f81
SSDEEP

393216:wU3w6DsnwYNNEPnVlwCfIoo5+5A1VHlR93bEGlrTZIRhOYs/DH:wU3w6DYwYNNEPnVlwjoCd3HlR93LPGuz

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2952	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000021b42-134.dat	upx
behavioral2/files/0x0002000000021b42-133.dat	upx
behavioral2/memory/2952-135-0x0000000000400000-0x0000000000527000-memory.dmp	upx
behavioral2/memory/2952-136-0x0000000000400000-0x0000000000527000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\¹ã¶«Ê¡³µ¹ºË°¶þÎ¬Âëµç×ÓÉê±¨ÏµÍ³ Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe
2952	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2952	irsetup.exe
2952	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 2952	4576	71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8.exe	80
PID 4576 wrote to memory of 2952	4576	71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8.exe	80
PID 4576 wrote to memory of 2952	4576	71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8.exe	80

C:\Users\Admin\AppData\Local\Temp\71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8.exe
"C:\Users\Admin\AppData\Local\Temp\71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
  __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\71ed101516f22718e2d96e6af38cde6dda496f81312b041f3ed39e64c0b5a1e8.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
memory/2952-132-0x0000000000000000-mapping.dmp

Download
memory/2952-135-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2952-136-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download