c45f3d6e119324a0381903df0d3ad7feafee9affba8f0dc3e2263183e376c313

Analysis

max time kernel
144s
max time network
132s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe
Size

89.5MB
MD5

29b65192dded2499cbfa4da86fff8d63
SHA1

504d4e3a028dfa8b25ace7f7e65e8e50762e2a94
SHA256

19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878
SHA512

2e857feef8d67cf5e724f11dd8bbb5d71e8e0d7b6bbb97bfe3390a69a8ec26252489642cb917a97d7476ecad39ea22392fc8374cbf91ae8ed2d7db63a2581d0c
SSDEEP

1572864:GVTlgywHTuSQBem/SSde6JUgdjlROqNnVyizOAkR5TwoDTTwoD5:YTlgBT1jzSLjTOMR6YoDQoD5

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2804	irsetup.exe
1672	vcredist_x86.exe
2496	vcredist_x86.exe

Loads dropped DLL 8 IoCs

pid	Process
2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe
2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe
2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe
2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe
2804	irsetup.exe
2804	irsetup.exe
1672	vcredist_x86.exe
2496	vcredist_x86.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000155fd-3.dat	upx
behavioral1/memory/2864-5-0x0000000002FF0000-0x00000000033BB000-memory.dmp	upx
behavioral1/files/0x000c0000000155fd-7.dat	upx
behavioral1/files/0x000c0000000155fd-11.dat	upx
behavioral1/files/0x000c0000000155fd-8.dat	upx
behavioral1/files/0x000c0000000155fd-13.dat	upx
behavioral1/memory/2804-17-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral1/files/0x000c0000000155fd-16.dat	upx
behavioral1/files/0x000c0000000155fd-20.dat	upx
behavioral1/memory/2804-63-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral1/memory/2804-64-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Setup_SoftPlot9_Log.txt	irsetup.exe
File opened for modification	C:\Windows\Setup_SoftPlot9_Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2804	irsetup.exe
2804	irsetup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2804	2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe	28
PID 2864 wrote to memory of 2804	2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe	28
PID 2864 wrote to memory of 2804	2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe	28
PID 2864 wrote to memory of 2804	2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe	28
PID 2864 wrote to memory of 2804	2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe	28
PID 2864 wrote to memory of 2804	2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe	28
PID 2864 wrote to memory of 2804	2864	19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe	28
PID 2804 wrote to memory of 1672	2804	irsetup.exe	29
PID 2804 wrote to memory of 1672	2804	irsetup.exe	29
PID 2804 wrote to memory of 1672	2804	irsetup.exe	29
PID 2804 wrote to memory of 1672	2804	irsetup.exe	29
PID 2804 wrote to memory of 1672	2804	irsetup.exe	29
PID 2804 wrote to memory of 1672	2804	irsetup.exe	29
PID 2804 wrote to memory of 1672	2804	irsetup.exe	29
PID 1672 wrote to memory of 2496	1672	vcredist_x86.exe	30
PID 1672 wrote to memory of 2496	1672	vcredist_x86.exe	30
PID 1672 wrote to memory of 2496	1672	vcredist_x86.exe	30
PID 1672 wrote to memory of 2496	1672	vcredist_x86.exe	30
PID 1672 wrote to memory of 2496	1672	vcredist_x86.exe	30
PID 1672 wrote to memory of 2496	1672	vcredist_x86.exe	30
PID 1672 wrote to memory of 2496	1672	vcredist_x86.exe	30

C:\Users\Admin\AppData\Local\Temp\19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe
"C:\Users\Admin\AppData\Local\Temp\19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\19870f84b02c76f49219510e6cdf6fb8375325a5a3d4f0afbbd8b88cceb9e878.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2085049433-1067986815-1244098655-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe
    C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe" -burn.unelevated BurnPipe.{FDFBE2AC-36D4-4518-995D-EBFB130D6405} {ACC0253E-DE31-42CD-B3BE-61E652872998} 1672
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\SoftPlot10Icon.ico

Filesize
52KB

MD5
265c5203f435725d63273321e03d77a7

SHA1
d56f8561cbce42fb74ba008c799c1266932d3140

SHA256
9c4d55555640f2e317ff9f062d79f2f642ea9b17244376e2d921b6f2933c4d3c

SHA512
5fb820a25f39edabee24907570ed4e2f6f8a239d3f3747ff87397e5e1421f36737adaeba3f06778c671606ad1231e68838ad613a3f792708372552c4c454f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe

Filesize
6.2MB

MD5
2b6889ac60e866fcca633ef0ddc50df5

SHA1
407951838ef622bbfd2e359f0019453dc9a124ed

SHA256
c493561785ab2a970d4560b5f5e3b38bc10a08c30c38399a5e230ee0a7bcc81f

SHA512
ce4bef9aae277e30fad8053e5ec78f6b47f416d22fb43d3bc01cc4b7213928120294f5d7bdf9e414352e49b1b6aa2a512e079acf131fcc9aae127f69f941263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe

Filesize
6.2MB

MD5
2b6889ac60e866fcca633ef0ddc50df5

SHA1
407951838ef622bbfd2e359f0019453dc9a124ed

SHA256
c493561785ab2a970d4560b5f5e3b38bc10a08c30c38399a5e230ee0a7bcc81f

SHA512
ce4bef9aae277e30fad8053e5ec78f6b47f416d22fb43d3bc01cc4b7213928120294f5d7bdf9e414352e49b1b6aa2a512e079acf131fcc9aae127f69f941263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe

Filesize
6.2MB

MD5
2b6889ac60e866fcca633ef0ddc50df5

SHA1
407951838ef622bbfd2e359f0019453dc9a124ed

SHA256
c493561785ab2a970d4560b5f5e3b38bc10a08c30c38399a5e230ee0a7bcc81f

SHA512
ce4bef9aae277e30fad8053e5ec78f6b47f416d22fb43d3bc01cc4b7213928120294f5d7bdf9e414352e49b1b6aa2a512e079acf131fcc9aae127f69f941263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{22154f09-719a-4619-bb71-5b3356999fbf}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe

Filesize
6.2MB

MD5
2b6889ac60e866fcca633ef0ddc50df5

SHA1
407951838ef622bbfd2e359f0019453dc9a124ed

SHA256
c493561785ab2a970d4560b5f5e3b38bc10a08c30c38399a5e230ee0a7bcc81f

SHA512
ce4bef9aae277e30fad8053e5ec78f6b47f416d22fb43d3bc01cc4b7213928120294f5d7bdf9e414352e49b1b6aa2a512e079acf131fcc9aae127f69f941263c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\vc2012x86\vcredist_x86.exe

Filesize
6.2MB

MD5
2b6889ac60e866fcca633ef0ddc50df5

SHA1
407951838ef622bbfd2e359f0019453dc9a124ed

SHA256
c493561785ab2a970d4560b5f5e3b38bc10a08c30c38399a5e230ee0a7bcc81f

SHA512
ce4bef9aae277e30fad8053e5ec78f6b47f416d22fb43d3bc01cc4b7213928120294f5d7bdf9e414352e49b1b6aa2a512e079acf131fcc9aae127f69f941263c

Download Submit
\Users\Admin\AppData\Local\Temp\{22154f09-719a-4619-bb71-5b3356999fbf}\.ba1\wixstdba.dll

Filesize
126KB

MD5
a8b8255d7e14ecd138120886e192a9f9

SHA1
4c5ac3f752066bfe9c3ebc24f3be8d51d4817e88

SHA256
c7bc4ac3009fe274dd7b8ef323d596cb7949e02b22b699d7c0ce4a8e0e6799af

SHA512
2d610c9f6f53ea13632b34da910a9c7715b351ee17f72cb17cc4b2bf7c43cfb17f01bd2ac9b658449df5cd383c934baf02707edb1413155dec4cf289854e6997

Download Submit
memory/2804-17-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2804-63-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2804-64-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2864-5-0x0000000002FF0000-0x00000000033BB000-memory.dmp

Filesize
3.8MB

Download
memory/2864-30-0x0000000002FF0000-0x00000000033BB000-memory.dmp

Filesize
3.8MB

Download
memory/2864-15-0x0000000002FF0000-0x00000000033BB000-memory.dmp

Filesize
3.8MB

Download