67f9fc075f73f9b68fa081c505763295ffeaea9d29a1f48b66ed6cb12b49fe8e

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launch-setup.exe
Size

5.7MB
MD5

77a42e949d35b755dc6c097499d1ee9f
SHA1

6251cd59c8ea0057839f98314921512bb25d3360
SHA256

67f9fc075f73f9b68fa081c505763295ffeaea9d29a1f48b66ed6cb12b49fe8e
SHA512

4049840dce051639113b51396e563d690c7cd63524ae8201206885a9e99d13f9ca22e4b4179c33248b188f1c967d838e94f995ff2516622ba843390fa6ac29c5
SSDEEP

98304:i9oTUCIqyXc0DHppz8ECf1zB2wQuKmEwEJu4h9+KwETRHX63aHXdhuiE3ub:i9oTRwc0DT8E+72w0/LZ3+KwIHq3a3X9

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Launch-setup.exe

Executes dropped EXE 2 IoCs

pid	Process
1900	irsetup.exe
4380	GetMachineSID.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	irsetup.exe
1900	irsetup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e6dc-138.dat	upx
behavioral2/files/0x000200000001e6dc-143.dat	upx
behavioral2/files/0x000200000001e6dc-144.dat	upx
behavioral2/memory/1900-153-0x0000000000F00000-0x00000000012E7000-memory.dmp	upx
behavioral2/memory/1900-190-0x0000000000F00000-0x00000000012E7000-memory.dmp	upx
behavioral2/memory/1900-200-0x0000000000F00000-0x00000000012E7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1900	irsetup.exe
1900	irsetup.exe
1900	irsetup.exe
4380	GetMachineSID.exe
1900	irsetup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 1900	3504	Launch-setup.exe	84
PID 3504 wrote to memory of 1900	3504	Launch-setup.exe	84
PID 3504 wrote to memory of 1900	3504	Launch-setup.exe	84
PID 1900 wrote to memory of 4380	1900	irsetup.exe	86
PID 1900 wrote to memory of 4380	1900	irsetup.exe	86
PID 1900 wrote to memory of 4380	1900	irsetup.exe	86
PID 1900 wrote to memory of 1092	1900	irsetup.exe	88
PID 1900 wrote to memory of 1092	1900	irsetup.exe	88
PID 1900 wrote to memory of 1092	1900	irsetup.exe	88

C:\Users\Admin\AppData\Local\Temp\Launch-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Launch-setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1957298 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Launch-setup.exe" "__IRCT:3" "__IRTSS:5966732" "__IRSID:S-1-5-21-1529757233-3489015626-3409890339-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /reg:32 /y
    3⤵
    PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REG7DA1.tmp

Filesize
412B

MD5
cc6203f603ffa66f0af29d7869058023

SHA1
dcc44a6bdb610610a0cd6c7e33bb82963ee909fe

SHA256
365eaefdc6bcb33b8f0e17222eec871d0315f98960bb66e9549fd306138e848d

SHA512
0a35f4cd7ea319e839397a9d63912c1a2aa6dba8595a6082230f8192ad3f3ce672103f34aa0b34cf68641c213ff85f04ae288523ef818f2263025e51ec37aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
41B

MD5
1e9fb6cd8989e1072999440c379a08cd

SHA1
bda3d4adb7bc3cd7fc9c4c6de94605a818ee8f26

SHA256
66635469e5e67230f92a5ea281293e8a810779a2d6dde5cff94f6d963103f77f

SHA512
f95666a47c1510e6e7d21c6ad1c23cda9a8a88e89c969a565e8dc760d9b858164c40de9faf16e06a42ba775ac0f385ddeeb9b848cb43c6e934934df7bee6fe95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Unicode.lmd

Filesize
343KB

MD5
513c279740c287dec3508ae26d7916c0

SHA1
cafe05c4d5528d6fb51d94a33307d1e2cc5a9bf6

SHA256
a285299f207a0093158c05d46996b880032a9b11fb456ce78bba18988be9b14a

SHA512
8bf18cb54c3031863f0a0df5f064e78a8750c123878998ee45c10f50937eb875f7d1c75b867a25d60a858a976516d8ffabf5cc6d988a473cacd2d19909427dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Unicode.lmd

Filesize
343KB

MD5
513c279740c287dec3508ae26d7916c0

SHA1
cafe05c4d5528d6fb51d94a33307d1e2cc5a9bf6

SHA256
a285299f207a0093158c05d46996b880032a9b11fb456ce78bba18988be9b14a

SHA512
8bf18cb54c3031863f0a0df5f064e78a8750c123878998ee45c10f50937eb875f7d1c75b867a25d60a858a976516d8ffabf5cc6d988a473cacd2d19909427dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bd355563cafc7a6d74b6c2a874b12a1b

SHA1
8bd1d53c04f53d3d93562be8450dcf6e3fb917c5

SHA256
7c9c346b78c1b99a5efce00985d0d14bf9feaba37c0259b7c0ae83e9bc9d47da

SHA512
dea42e5b77543c44e48f598a81ecf82faff67d9b730622231dc00570ed26b9a5be243e2fef5c2b6007183157658a8949f18ffaa247a9e2fe8314f02e9b5ec672

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
05ceb6d2e88a896d6ada0ab3f0dc40aa

SHA1
2b62cc437f5b3268acb3f569b43fd6c0a08e4e47

SHA256
b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a

SHA512
fd9a03167c70ddd156d6942e503f7d9528e4748e9613cfba69181eb8b50fcaea9f6d3b9e1398da21d4e4c8bf47c99fe2becc88b98107a4fdcb80697510c1860f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
05ceb6d2e88a896d6ada0ab3f0dc40aa

SHA1
2b62cc437f5b3268acb3f569b43fd6c0a08e4e47

SHA256
b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a

SHA512
fd9a03167c70ddd156d6942e503f7d9528e4748e9613cfba69181eb8b50fcaea9f6d3b9e1398da21d4e4c8bf47c99fe2becc88b98107a4fdcb80697510c1860f

Download Submit
C:\Users\Admin\AppData\Local\Temp\registry_export.txt

Filesize
412B

MD5
cc6203f603ffa66f0af29d7869058023

SHA1
dcc44a6bdb610610a0cd6c7e33bb82963ee909fe

SHA256
365eaefdc6bcb33b8f0e17222eec871d0315f98960bb66e9549fd306138e848d

SHA512
0a35f4cd7ea319e839397a9d63912c1a2aa6dba8595a6082230f8192ad3f3ce672103f34aa0b34cf68641c213ff85f04ae288523ef818f2263025e51ec37aff0

Download Submit
memory/1900-172-0x0000000006100000-0x0000000006103000-memory.dmp

Filesize
12KB

Download
memory/1900-170-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/1900-153-0x0000000000F00000-0x00000000012E7000-memory.dmp

Filesize
3.9MB

Download
memory/1900-190-0x0000000000F00000-0x00000000012E7000-memory.dmp

Filesize
3.9MB

Download
memory/1900-191-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/1900-197-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download
memory/1900-200-0x0000000000F00000-0x00000000012E7000-memory.dmp

Filesize
3.9MB

Download
memory/1900-217-0x0000000010000000-0x00000000100EC000-memory.dmp

Filesize
944KB

Download