cd00d989e4b386ac6c1c664ee200861cbe17dcd38f87bdbccc6c6e7aea5a6f3f

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Start11_setup.exe
Size

40.5MB
MD5

f137d456b4d15b8c1a0cae83b2667a2c
SHA1

b1b540cc2ab4eba0bdc1ece652eed67816b44aa2
SHA256

cd00d989e4b386ac6c1c664ee200861cbe17dcd38f87bdbccc6c6e7aea5a6f3f
SHA512

847f146df4e739df2d17272d5662b5f7335b00a53028f91c30c16279b533b75b9caa7bb8f3a38a16e4f7b1243ac4b037af0e89efa18a2bab53f76ec802919453
SSDEEP

786432:7P+Abv+5N4kr01zX3qI3MxTj4UtY4doZrDxfmv57bbhtU5tbbhJbsOPN:XINrAGIcTj1Po1DhW7bs5tbbsOPN

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012288-3.dat	upx
behavioral1/memory/1752-5-0x0000000003020000-0x0000000003408000-memory.dmp	upx
behavioral1/files/0x0009000000012288-7.dat	upx
behavioral1/files/0x0009000000012288-13.dat	upx
behavioral1/files/0x0009000000012288-11.dat	upx
behavioral1/files/0x0009000000012288-8.dat	upx
behavioral1/files/0x0009000000012288-15.dat	upx
behavioral1/memory/1860-19-0x0000000001030000-0x0000000001418000-memory.dmp	upx
behavioral1/files/0x0009000000012288-21.dat	upx
behavioral1/memory/1860-54-0x0000000001030000-0x0000000001418000-memory.dmp	upx

Executes dropped EXE 1 IoCs

pid	Process
1860	irsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
1752	Start11_setup.exe
1752	Start11_setup.exe
1752	Start11_setup.exe
1752	Start11_setup.exe
1860	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1860	irsetup.exe
1860	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1860	1752	Start11_setup.exe	28
PID 1752 wrote to memory of 1860	1752	Start11_setup.exe	28
PID 1752 wrote to memory of 1860	1752	Start11_setup.exe	28
PID 1752 wrote to memory of 1860	1752	Start11_setup.exe	28
PID 1752 wrote to memory of 1860	1752	Start11_setup.exe	28
PID 1752 wrote to memory of 1860	1752	Start11_setup.exe	28
PID 1752 wrote to memory of 1860	1752	Start11_setup.exe	28

C:\Users\Admin\AppData\Local\Temp\Start11_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Start11_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1914402 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Start11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-86725733-3001458681-3405935542-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/1752-16-0x0000000003020000-0x0000000003408000-memory.dmp

Filesize
3.9MB

Download
memory/1752-18-0x0000000003020000-0x0000000003408000-memory.dmp

Filesize
3.9MB

Download
memory/1752-5-0x0000000003020000-0x0000000003408000-memory.dmp

Filesize
3.9MB

Download
memory/1860-19-0x0000000001030000-0x0000000001418000-memory.dmp

Filesize
3.9MB

Download
memory/1860-54-0x0000000001030000-0x0000000001418000-memory.dmp

Filesize
3.9MB

Download