dcdca008b206fa1698e2401c520bc7a7d0cd3554eeaf8e4013453ec6fb0634fe

Analysis

max time kernel
190s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 09:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62293179285aab1278fa87f3a5c95ebd.exe
Size

2.9MB
MD5

62293179285aab1278fa87f3a5c95ebd
SHA1

6f956a215957298d950fb358df89ebf32671fb3d
SHA256

dcdca008b206fa1698e2401c520bc7a7d0cd3554eeaf8e4013453ec6fb0634fe
SHA512

39b1d10c246df9fe1fe58ebc3b87a7b5ec1a382106956acbbcd8a172865e717c1a2a66d26a46708887369910ee03a011fb6d3fc4ecb86d529881f4eba9bf6985
SSDEEP

49152:PbTaSh0nyu5mF3vWgoNprogLtG6atEKFncPg7SkSRjWtkbAT81OxHJcDh+dxcanj:PbGShsD5G/upkCtG6MEKdgqWjWtkbAQm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1200	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1200	irsetup.exe
1200	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 1200	4628	62293179285aab1278fa87f3a5c95ebd.exe	93
PID 4628 wrote to memory of 1200	4628	62293179285aab1278fa87f3a5c95ebd.exe	93
PID 4628 wrote to memory of 1200	4628	62293179285aab1278fa87f3a5c95ebd.exe	93

C:\Users\Admin\AppData\Local\Temp\62293179285aab1278fa87f3a5c95ebd.exe
"C:\Users\Admin\AppData\Local\Temp\62293179285aab1278fa87f3a5c95ebd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
95145f4cead2c4bd2ec219bc87d83f1d

SHA1
5eec034dfc7d9a6d93c21f38dfe2405c8968f6ed

SHA256
0542cb1d3e6b50f78dc63ea1abec6c518cfd4ea203649df3ef3834309ea66cad

SHA512
081d9cfa0bc46a54fcf03a62e5663282d27f56e20fbeafba2833d6267de285a354915c661dd67a3217f4dc2330c7f49babf8b24a5a68ba5a014f5e1e297cc5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
5KB

MD5
320cd7717b8b408244cd25575eae1202

SHA1
fb72bcecfa3ede595a6f20167ad5f71446462b1f

SHA256
d5017af5808bf8bb3a76c34e2b44b25ca46cecb73d9642a33e601d7f8152d48d

SHA512
a22f44924cab694a03b7b4379521099b18b40b1e58cfc924c9151ff5f7f4d41edd1366665673cbcfd59d2c5ceebcd2bbb84908124cc42dcdc361188dd0c2ddc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
105B

MD5
fa65976b40f19551a379b8ad4870618a

SHA1
ff75883fa77dad4f5c88a895fe3345aa94e10455

SHA256
bd5307a138832d698582c0e7d91c652b2734a4435608ba444eca33dd84bd3cd2

SHA512
2e35d32b402fdae3a0f13f29f9e13aa5f16e1ae47633d51c9c99c50e5f4796220c7dac99b27488c7dafe0b37d9ddf0cb5e5c29e14123821233e9d47efd5c4ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
5930543afe37917c8e447635310009d5

SHA1
b012ad5d21489c97e2fdb27728e808200fceef07

SHA256
a084e98c6807381e118d47c1c65c591361f4159d87b3b4386ed347ca60c890a5

SHA512
073080d3233d21936fc8ddafd06bcde8eb15913577b1a7015cbdb3a8af13c7678e65f1afa2036e2fb59eebec55f8fbf025958d8490d13dea05a093534a4aff9b

Download Submit