67f9fc075f73f9b68fa081c505763295ffeaea9d29a1f48b66ed6cb12b49fe8e

Analysis

max time kernel
29s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-04-2023 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launch-setup.exe
Size

5.7MB
MD5

77a42e949d35b755dc6c097499d1ee9f
SHA1

6251cd59c8ea0057839f98314921512bb25d3360
SHA256

67f9fc075f73f9b68fa081c505763295ffeaea9d29a1f48b66ed6cb12b49fe8e
SHA512

4049840dce051639113b51396e563d690c7cd63524ae8201206885a9e99d13f9ca22e4b4179c33248b188f1c967d838e94f995ff2516622ba843390fa6ac29c5
SSDEEP

98304:i9oTUCIqyXc0DHppz8ECf1zB2wQuKmEwEJu4h9+KwETRHX63aHXdhuiE3ub:i9oTRwc0DT8E+72w0/LZ3+KwIHq3a3X9

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
564	irsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
1040	Launch-setup.exe
1040	Launch-setup.exe
1040	Launch-setup.exe
1040	Launch-setup.exe
564	irsetup.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122e3-57.dat	upx
behavioral1/files/0x000a0000000122e3-60.dat	upx
behavioral1/files/0x000a0000000122e3-66.dat	upx
behavioral1/files/0x000a0000000122e3-64.dat	upx
behavioral1/files/0x000a0000000122e3-61.dat	upx
behavioral1/files/0x000a0000000122e3-68.dat	upx
behavioral1/memory/564-73-0x0000000000DB0000-0x0000000001197000-memory.dmp	upx
behavioral1/files/0x000a0000000122e3-74.dat	upx
behavioral1/memory/564-90-0x0000000000DB0000-0x0000000001197000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
564	irsetup.exe
564	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 564	1040	Launch-setup.exe	27
PID 1040 wrote to memory of 564	1040	Launch-setup.exe	27
PID 1040 wrote to memory of 564	1040	Launch-setup.exe	27
PID 1040 wrote to memory of 564	1040	Launch-setup.exe	27
PID 1040 wrote to memory of 564	1040	Launch-setup.exe	27
PID 1040 wrote to memory of 564	1040	Launch-setup.exe	27
PID 1040 wrote to memory of 564	1040	Launch-setup.exe	27

C:\Users\Admin\AppData\Local\Temp\Launch-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Launch-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1957298 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Launch-setup.exe" "__IRCT:3" "__IRTSS:5966732" "__IRSID:S-1-5-21-1914912747-3343861975-731272777-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
05ceb6d2e88a896d6ada0ab3f0dc40aa

SHA1
2b62cc437f5b3268acb3f569b43fd6c0a08e4e47

SHA256
b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a

SHA512
fd9a03167c70ddd156d6942e503f7d9528e4748e9613cfba69181eb8b50fcaea9f6d3b9e1398da21d4e4c8bf47c99fe2becc88b98107a4fdcb80697510c1860f

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
05ceb6d2e88a896d6ada0ab3f0dc40aa

SHA1
2b62cc437f5b3268acb3f569b43fd6c0a08e4e47

SHA256
b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a

SHA512
fd9a03167c70ddd156d6942e503f7d9528e4748e9613cfba69181eb8b50fcaea9f6d3b9e1398da21d4e4c8bf47c99fe2becc88b98107a4fdcb80697510c1860f

Download Submit
memory/564-73-0x0000000000DB0000-0x0000000001197000-memory.dmp

Filesize
3.9MB

Download
memory/564-90-0x0000000000DB0000-0x0000000001197000-memory.dmp

Filesize
3.9MB

Download
memory/1040-69-0x0000000002B10000-0x0000000002EF7000-memory.dmp

Filesize
3.9MB

Download
memory/1040-72-0x0000000002B10000-0x0000000002EF7000-memory.dmp

Filesize
3.9MB

Download
memory/1040-84-0x0000000002B10000-0x0000000002EF7000-memory.dmp

Filesize
3.9MB

Download