e9fdf63506a606f0ef304b50700e5fce95a85b8aa1659118945aff419dc825d5

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Multiplicity3_setup.exe
Size

9.8MB
MD5

a26b50b411e62f21ba3853862131c750
SHA1

26db147ee2839853064d02e9c003be4c2d5fc4ae
SHA256

e9fdf63506a606f0ef304b50700e5fce95a85b8aa1659118945aff419dc825d5
SHA512

e5c5c9457ff48040b37c20ab98bb6c5d8770f7803ce0477c5a30b89749d75be3f5e18f34bc9be341ee12d5c98d45236f1aac97b40213f93b526f9d65daf715ef
SSDEEP

196608:tNaqQ8Eiv3KAvBgtvYetrdm450+TWLlu5Pm/C8UvpakibFzOPkQ+:tAPivLBgtQX42/Io/Ap/ipzV

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Multiplicity3_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	irsetup.exe

Executes dropped EXE 2 IoCs

pid	Process
5052	irsetup.exe
4348	GetMachineSID.exe

Loads dropped DLL 4 IoCs

pid	Process
5052	irsetup.exe
5052	irsetup.exe
5052	irsetup.exe
5052	irsetup.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022f9f-138.dat	upx
behavioral2/files/0x0007000000022f9f-143.dat	upx
behavioral2/files/0x0007000000022f9f-144.dat	upx
behavioral2/memory/5052-155-0x00000000000B0000-0x0000000000498000-memory.dmp	upx
behavioral2/memory/5052-215-0x00000000000B0000-0x0000000000498000-memory.dmp	upx
behavioral2/memory/5052-227-0x00000000000B0000-0x0000000000498000-memory.dmp	upx
behavioral2/memory/5052-230-0x00000000000B0000-0x0000000000498000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5052	irsetup.exe
5052	irsetup.exe
5052	irsetup.exe
4348	GetMachineSID.exe
5052	irsetup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 5052	2696	Multiplicity3_setup.exe	84
PID 2696 wrote to memory of 5052	2696	Multiplicity3_setup.exe	84
PID 2696 wrote to memory of 5052	2696	Multiplicity3_setup.exe	84
PID 5052 wrote to memory of 4328	5052	irsetup.exe	86
PID 5052 wrote to memory of 4328	5052	irsetup.exe	86
PID 5052 wrote to memory of 4328	5052	irsetup.exe	86
PID 5052 wrote to memory of 4348	5052	irsetup.exe	88
PID 5052 wrote to memory of 4348	5052	irsetup.exe	88
PID 5052 wrote to memory of 4348	5052	irsetup.exe	88

C:\Users\Admin\AppData\Local\Temp\Multiplicity3_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Multiplicity3_setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1896994 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Multiplicity3_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-4238149048-355649189-894321705-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
    3⤵
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\REGC151.tmp

Filesize
436B

MD5
d9c698203b0466e42a1e16109d456cd1

SHA1
24fe9da4ade74af9ed14c84642381771814027ce

SHA256
fb497ac3e79ab8d68dc2dbc92757bbbd5657a20867f3611c10733fc0afe8ca3f

SHA512
713ac91e1c7d8d6c0be25b5d3cd27a3fcfaecbdf931bbfb17c03c68ecb3e3c32f56377ed87fd528d327507e9ad7f2c89a060ec777595adc82d032c580014dc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
39B

MD5
612ddb818e77bf1debcfbc67df79ad6d

SHA1
55edb91fa62971009ce3bc3e5954048797c1311c

SHA256
ffec707cb7c9fba905807fa14c13fa01b92cb1dd41d1228acd305cf7c9e03c25

SHA512
4fd339e9f551cf380e66857a786103ae92ab7d7d2380887f5e3d3cfd101b2ee65e479bb2018d902824d6f3f6522d8b137d437b0a62149c74e7d29e48268eb64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\registry_export.txt

Filesize
436B

MD5
d9c698203b0466e42a1e16109d456cd1

SHA1
24fe9da4ade74af9ed14c84642381771814027ce

SHA256
fb497ac3e79ab8d68dc2dbc92757bbbd5657a20867f3611c10733fc0afe8ca3f

SHA512
713ac91e1c7d8d6c0be25b5d3cd27a3fcfaecbdf931bbfb17c03c68ecb3e3c32f56377ed87fd528d327507e9ad7f2c89a060ec777595adc82d032c580014dc12

Download Submit
memory/5052-199-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/5052-155-0x00000000000B0000-0x0000000000498000-memory.dmp

Filesize
3.9MB

Download
memory/5052-200-0x0000000005880000-0x0000000005883000-memory.dmp

Filesize
12KB

Download
memory/5052-202-0x0000000005910000-0x0000000005913000-memory.dmp

Filesize
12KB

Download
memory/5052-201-0x00000000058A0000-0x00000000058F1000-memory.dmp

Filesize
324KB

Download
memory/5052-215-0x00000000000B0000-0x0000000000498000-memory.dmp

Filesize
3.9MB

Download
memory/5052-216-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/5052-217-0x00000000058A0000-0x00000000058F1000-memory.dmp

Filesize
324KB

Download
memory/5052-225-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/5052-226-0x00000000058A0000-0x00000000058F1000-memory.dmp

Filesize
324KB

Download
memory/5052-227-0x00000000000B0000-0x0000000000498000-memory.dmp

Filesize
3.9MB

Download
memory/5052-230-0x00000000000B0000-0x0000000000498000-memory.dmp

Filesize
3.9MB

Download
memory/5052-255-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/5052-256-0x00000000058A0000-0x00000000058F1000-memory.dmp

Filesize
324KB

Download