fe4ef7eb884fed14e5ca386bd3f6dd470309681a8c718ea3a3447139a41380f6

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a382d5629bc8d44759bc73c3166e3d46.exe
Size

4.4MB
MD5

a382d5629bc8d44759bc73c3166e3d46
SHA1

2ae6dd3d8b45d340dc9065b16be1370a99bec615
SHA256

fe4ef7eb884fed14e5ca386bd3f6dd470309681a8c718ea3a3447139a41380f6
SHA512

0d2a83b3fb3fee3bfb4ae5aa2c0bda5ccff7adbc37f8bf716ece6398d235a5141f750cca877a30e68611fb8f69b6b79ba876f7584bd31f63b8371176a68ed747
SSDEEP

98304:HdJcUQLUGrupm8EC2+dHI02EQdeYgS5toD80r:/PGZKm8EOh2NUhDF

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231f7-5.dat	upx
behavioral2/memory/2752-14-0x0000000000400000-0x00000000007E8000-memory.dmp	upx
behavioral2/files/0x00080000000231f7-11.dat	upx
behavioral2/files/0x00080000000231f7-10.dat	upx
behavioral2/memory/2752-60-0x0000000000400000-0x00000000007E8000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	a382d5629bc8d44759bc73c3166e3d46.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
2752	irsetup.exe
4432	LookPicture.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	irsetup.exe
4432	LookPicture.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	irsetup.exe
2752	irsetup.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe
4432	LookPicture.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe
4432	LookPicture.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2752	1944	a382d5629bc8d44759bc73c3166e3d46.exe	31
PID 1944 wrote to memory of 2752	1944	a382d5629bc8d44759bc73c3166e3d46.exe	31
PID 1944 wrote to memory of 2752	1944	a382d5629bc8d44759bc73c3166e3d46.exe	31
PID 2752 wrote to memory of 4432	2752	irsetup.exe	50
PID 2752 wrote to memory of 4432	2752	irsetup.exe	50
PID 2752 wrote to memory of 4432	2752	irsetup.exe	50

C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe
"C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1847330 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\a382d5629bc8d44759bc73c3166e3d46.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-1497073144-2389943819-3385106915-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe
    "C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe" -in
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
600KB

MD5
93c6b33fde6658ebd85904fbb959e45a

SHA1
d1b95f9d9973f030a61375ccc0d4ef8d7c2df24c

SHA256
8b7a7a02b76de362558808a50d7c4319e463ca869d6734c4d7cb9d6965623d00

SHA512
43ac5e325e34a240b08eac95dcf95529feefa882a08ce7e10d7cbb737e27844957fbf1ae07b07648d9a058bd7986680ce9a6318e5c5606d5763ca5faa3de66df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
899KB

MD5
cbdd2cc197e44155bb9dbd2e387fa4a6

SHA1
098ab66ce1142e9dc208153f68538d7d4821975a

SHA256
dcdc82335b83eb0a651a0152a12aff9119c013c4d66c40b690d032f5fb01e7b7

SHA512
48fa62783895a5e5d5039bdcf5263c3b5724e25bea135ea6d8a446305b41c8707020653d73247b4cb23d1bad06eaaf4bbd24bf22ab3b168aba30600d2a25bda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
635KB

MD5
44b860b44f87946824689728b5570dd4

SHA1
05893ab1793f7aef5f67bb20a8fe78a1bac355fc

SHA256
0d123a93d0645166a1afc89672c07f2e9282d486c7b901515b396ecea7dff549

SHA512
83e54368473a95f0b49ad82f9a5a6102c9bc1cc81dd90bb9101fd85b21ea482fe32ff4ed3523b6a3b83c6bc6254cac3fb1ea16a7ce9b63149a636863d1e51c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\LookPicture\FreeImage.dll

Filesize
920KB

MD5
9247cc60ad7bfc0797d3b0cf3e1cf313

SHA1
d39a33c0a176377d70d9962a3c40776f50f90897

SHA256
37e6f53353370f36e7541d66a68e617a25255e49091997c77e98314f32032e29

SHA512
5c7c4f3ced6f5dcda04d4bebc8b8d3c5b26e7484c416a8ad2eb2ed9ba1a3eea4aa4956913987ed6ae45babc609a214cfa023271e458f7df5f2a5a299854ab135

Download Submit
C:\Users\Admin\AppData\Roaming\LookPicture\FreeImage.dll

Filesize
862KB

MD5
1070ec8cf0eb7749ebbd92ceea7806c7

SHA1
49906dbcf0e7265524790572fd9d4159a7df5373

SHA256
2454d96fd79c380643590e332d5bdab4e502469d96f6089d79f1f9074a76120e

SHA512
8dab48c71104485715387da12b1a643dea188f72d3335845aa8115a8348836b5175bb10c37ed48a23a747e1a9f92edbdf86fe439a361cda834c2ce7f6f6acfeb

Download Submit
C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe

Filesize
1.8MB

MD5
4cdb3c220777364e88167dd3125b2cc8

SHA1
8f1219766b955c6e8fcb555dc718ebd0f688e6d8

SHA256
a7962322db50fc381f969cd1778539bd13dd20db3b26d8944a7d768e24a6471d

SHA512
d041118c7bc97ad2dc0ad21b28858d6f7f3d51713555ef7f5ebe0d783b9bfaa9abfb7e0b3930eeb7f88bb81ff88774061f1fd1a90ca1435e649074d09792c0e7

Download Submit
C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe

Filesize
1.6MB

MD5
1fbb6c465e4ff444f12389ba5d5781e0

SHA1
25e4d3be31a7230c88b936487c6eda181af2483d

SHA256
f6a946a59d7ba3bcdbae7b69163b4fae352f0d6c97bf53ca8a5046d20745c752

SHA512
ae6aff4f0201670f4c4c73bd8b8eed48ced7a1ffc3cf627618a16511da0961c6a3e232f9a9b0e5feea39232e99b5d2aa80856216631c0c552f4755fba37cf38b

Download Submit
C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.exe

Filesize
1.4MB

MD5
156d0843ec8d7ab6957f0c2848b7021c

SHA1
5d06414b9d5bd2a8a2aecf4c664b8bb5d6e1c359

SHA256
fcff7ca38a488b4867a3c57ffad801d78e1ef78e75b2203354e62c3d3f11819d

SHA512
e089034a4986de91d89c7339991603d5808aa57e78e5116314bfc4b799cafbc2661c9874c38a592f16be4d333b25d6787fdf81c8b95b596f1fc6a489bdf59f71

Download Submit
C:\Users\Admin\AppData\Roaming\LookPicture\LookPicture.ini

Filesize
45B

MD5
ea0e191382c342f37fed75b3d6241d24

SHA1
3f28dfc009194d624e282ff178e415ef1f81b13a

SHA256
a7579c49522e82e47065fb94081608b115fb745faf34a099b6e77bcbdcd13b8d

SHA512
71f1b4cbbf9530bc647c7046f4f0f5b263cf75be99959e74ff58774ffe38eb5ba91820f8546aee72012ec76ad559f366a8db3cd22cb3acaa2ddd780e216eef87

Download Submit
memory/2752-14-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2752-60-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download