fe4ef7eb884fed14e5ca386bd3f6dd470309681a8c718ea3a3447139a41380f6

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 13:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a382d5629bc8d44759bc73c3166e3d46.exe
Size

4.4MB
MD5

a382d5629bc8d44759bc73c3166e3d46
SHA1

2ae6dd3d8b45d340dc9065b16be1370a99bec615
SHA256

fe4ef7eb884fed14e5ca386bd3f6dd470309681a8c718ea3a3447139a41380f6
SHA512

0d2a83b3fb3fee3bfb4ae5aa2c0bda5ccff7adbc37f8bf716ece6398d235a5141f750cca877a30e68611fb8f69b6b79ba876f7584bd31f63b8371176a68ed747
SSDEEP

98304:HdJcUQLUGrupm8EC2+dHI02EQdeYgS5toD80r:/PGZKm8EOh2NUhDF

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000141a2-3.dat	upx
behavioral1/memory/2984-20-0x0000000000ED0000-0x00000000012B8000-memory.dmp	upx
behavioral1/memory/2984-79-0x0000000000ED0000-0x00000000012B8000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
2984	irsetup.exe
2568	LookPicture.exe

Loads dropped DLL 13 IoCs

pid	Process
2392	a382d5629bc8d44759bc73c3166e3d46.exe
2392	a382d5629bc8d44759bc73c3166e3d46.exe
2392	a382d5629bc8d44759bc73c3166e3d46.exe
2392	a382d5629bc8d44759bc73c3166e3d46.exe
2984	irsetup.exe
2984	irsetup.exe
2984	irsetup.exe
2984	irsetup.exe
2984	irsetup.exe
2984	irsetup.exe
2984	irsetup.exe
2984	irsetup.exe
2568	LookPicture.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000149f5-51.dat	nsis_installer_1
behavioral1/files/0x00070000000149f5-51.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2984	irsetup.exe
2984	irsetup.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe
2568	LookPicture.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2984	irsetup.exe
2984	irsetup.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2984	2392	a382d5629bc8d44759bc73c3166e3d46.exe	28
PID 2392 wrote to memory of 2984	2392	a382d5629bc8d44759bc73c3166e3d46.exe	28
PID 2392 wrote to memory of 2984	2392	a382d5629bc8d44759bc73c3166e3d46.exe	28
PID 2392 wrote to memory of 2984	2392	a382d5629bc8d44759bc73c3166e3d46.exe	28
PID 2392 wrote to memory of 2984	2392	a382d5629bc8d44759bc73c3166e3d46.exe	28
PID 2392 wrote to memory of 2984	2392	a382d5629bc8d44759bc73c3166e3d46.exe	28
PID 2392 wrote to memory of 2984	2392	a382d5629bc8d44759bc73c3166e3d46.exe	28
PID 2984 wrote to memory of 2568	2984	irsetup.exe	29
PID 2984 wrote to memory of 2568	2984	irsetup.exe	29
PID 2984 wrote to memory of 2568	2984	irsetup.exe	29
PID 2984 wrote to memory of 2568	2984	irsetup.exe	29

C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe
"C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1847330 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3627615824-4061627003-3019543961-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe
    "C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe" -in
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2568

Network

DNS

api.zcjczj.cn

LookPicture.exe

Remote address:

8.8.8.8:53

Request

api.zcjczj.cn

IN A

Response

api.zcjczj.cn

IN A

8.210.18.201

8.210.18.201:80

api.zcjczj.cn

LookPicture.exe

152 B
3
8.210.18.201:80

api.zcjczj.cn

LookPicture.exe

152 B
3
8.210.18.201:80

api.zcjczj.cn

LookPicture.exe

152 B
3
8.210.18.201:80

api.zcjczj.cn

LookPicture.exe

152 B
3
8.210.18.201:80

api.zcjczj.cn

LookPicture.exe

152 B
3
8.210.18.201:80

api.zcjczj.cn

LookPicture.exe

152 B
3
8.210.18.201:80

api.zcjczj.cn

LookPicture.exe

152 B
3

8.8.8.8:53

api.zcjczj.cn

dns

LookPicture.exe

59 B
75 B
1
1

DNS Request

api.zcjczj.cn

DNS Response

8.210.18.201

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\LookPicture\FreeImage.dll

Filesize
4.3MB

MD5
6341f4bdd2ffa5d43b37ea746a2f0831

SHA1
7c97207c7e3022b5a899965987d43e3b2bb7cb7c

SHA256
a5cafa6449b0cc9b012c4becb5a9f28c5ea830f883339b06f9e5ae57999f1665

SHA512
dc1e69a9480c2ee1f9063330f433cadde49c470cc985228e85444faf9ef4eceb58db0b6f54534b990c5925fdbe634d56af0fb9d0c4d942e96ed5bbfbf9fc1cae

Download Submit
C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.ini

Filesize
45B

MD5
ea0e191382c342f37fed75b3d6241d24

SHA1
3f28dfc009194d624e282ff178e415ef1f81b13a

SHA256
a7579c49522e82e47065fb94081608b115fb745faf34a099b6e77bcbdcd13b8d

SHA512
71f1b4cbbf9530bc647c7046f4f0f5b263cf75be99959e74ff58774ffe38eb5ba91820f8546aee72012ec76ad559f366a8db3cd22cb3acaa2ddd780e216eef87

Download Submit
C:\Users\Admin\AppData\Roaming\LookPicture\Uninst.exe

Filesize
114KB

MD5
4493eeb8fcfe69942b4686f4f368b43c

SHA1
9c086b0721b9cf099e627e91b689af202913247e

SHA256
ac112aa639504a0a3ade925fc23de0c1d32c3200eec16845f6db03e06c14daf5

SHA512
2e801da9ef7435790b2a7622d616a04e5f4ab4cdffdba4b59032c79cbeeb20e865fc665b03aa186b1e0e63448eac11bfe5d493c1cbd116e391864efba187860d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
\Users\Admin\AppData\Roaming\LookPicture\FreeImage.dll

Filesize
3.2MB

MD5
15e5ed3886e54523a3781f69233d294b

SHA1
bcd1af015a7fb9a49c0c60f82d126141feefb316

SHA256
3de0b810fbc297eb5cbb1736342af4a3be29bbb3ddeb19ab65b596841c000ddd

SHA512
18204f236687f83f488cc380e9984565c6fccd226915a7c638e718157cdd0bd7274732c8f2ddfce98c03e3af404e10b0d59053ae643c90d9fb30c8337c66087b

Download Submit
\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe

Filesize
1.8MB

MD5
4cdb3c220777364e88167dd3125b2cc8

SHA1
8f1219766b955c6e8fcb555dc718ebd0f688e6d8

SHA256
a7962322db50fc381f969cd1778539bd13dd20db3b26d8944a7d768e24a6471d

SHA512
d041118c7bc97ad2dc0ad21b28858d6f7f3d51713555ef7f5ebe0d783b9bfaa9abfb7e0b3930eeb7f88bb81ff88774061f1fd1a90ca1435e649074d09792c0e7

Download Submit
memory/2392-6-0x0000000003160000-0x0000000003548000-memory.dmp

Filesize
3.9MB

Download
memory/2392-19-0x0000000003160000-0x0000000003548000-memory.dmp

Filesize
3.9MB

Download
memory/2984-20-0x0000000000ED0000-0x00000000012B8000-memory.dmp

Filesize
3.9MB

Download
memory/2984-76-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2984-79-0x0000000000ED0000-0x00000000012B8000-memory.dmp

Filesize
3.9MB

Download
memory/2984-81-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download