49cadb5eb2fc20355f545537d8fae3395bbbd1a12a8822076eea0a3453aa60dd

Analysis

max time kernel
175s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
07-11-2023 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TD-H8 Ham/1.Firmware Upgrade/IAP_Firmware_Upgrade.exe
Size

1.2MB
MD5

27010425ce90ab0a7b69fe355ce2c320
SHA1

23a1af624763f75617fc418e773d7136f418ef81
SHA256

ce04a81f0402033080e00b66d220d55b02eb8f2303993205301038cac7b66e44
SHA512

f26cdc39057bc982527e3f414e6c389dd78044ebdf459fb76afbf887213d8bc76977b3ec78915243504885e7d161f8e91d8a1d4d40f8724761eb5bb287cbfdc2
SSDEEP

24576:hTCMXuthC1jc1a05AuLz7J4doQ9TC69tZ50u:hTC4uOVcY6JLztup46HQu

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	irsetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2764	IAP_Firmware_Upgrade.exe
2764	IAP_Firmware_Upgrade.exe
2764	IAP_Firmware_Upgrade.exe
2764	IAP_Firmware_Upgrade.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x001d000000015c41-2.dat	upx
behavioral3/files/0x001d000000015c41-11.dat	upx
behavioral3/files/0x001d000000015c41-9.dat	upx
behavioral3/files/0x001d000000015c41-6.dat	upx
behavioral3/files/0x001d000000015c41-5.dat	upx
behavioral3/memory/2688-15-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral3/files/0x001d000000015c41-14.dat	upx
behavioral3/files/0x001d000000015c41-16.dat	upx
behavioral3/memory/2688-27-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral3/memory/2688-28-0x0000000000400000-0x000000000057E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IAP_3773_3782 Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	irsetup.exe
2688	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2688	2764	IAP_Firmware_Upgrade.exe	29
PID 2764 wrote to memory of 2688	2764	IAP_Firmware_Upgrade.exe	29
PID 2764 wrote to memory of 2688	2764	IAP_Firmware_Upgrade.exe	29
PID 2764 wrote to memory of 2688	2764	IAP_Firmware_Upgrade.exe	29
PID 2764 wrote to memory of 2688	2764	IAP_Firmware_Upgrade.exe	29
PID 2764 wrote to memory of 2688	2764	IAP_Firmware_Upgrade.exe	29
PID 2764 wrote to memory of 2688	2764	IAP_Firmware_Upgrade.exe	29

C:\Users\Admin\AppData\Local\Temp\TD-H8 Ham\1.Firmware Upgrade\IAP_Firmware_Upgrade.exe
"C:\Users\Admin\AppData\Local\Temp\TD-H8 Ham\1.Firmware Upgrade\IAP_Firmware_Upgrade.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TD-H8 Ham\1.Firmware Upgrade\IAP_Firmware_Upgrade.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-1154728922-3261336865-3456416385-1000"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
memory/2688-15-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2688-27-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2688-28-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2764-13-0x0000000002760000-0x00000000028DE000-memory.dmp

Filesize
1.5MB

Download