b452af2e9e249554f1c1bc3c67b26f8c846e30c050dc30169c79078f43d3ad4d

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe
Size

19.1MB
MD5

818abab7f442577efe0ddfdd50ae0f16
SHA1

dc3ba3ed9d561915ffd7b259b509c3977c69d119
SHA256

1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01
SHA512

94a96307ff073e395a693e1521c92f06cd89f4e506efb92162e2e0f2603b1f8d61b24cb454a51f8ebdd7ede7c1fa7d5cbba2b9f2cf402012157e3d37e10246c8
SSDEEP

393216:ueH2Vd945S0UGlBEGFfmVRFwkh4sYb1OS5hahewKElo:P045/KN3wpscwSuG

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2364	irsetup.exe

Loads dropped DLL 7 IoCs

pid	Process
2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe
2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe
2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe
2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012281-3.dat	upx
behavioral1/files/0x0008000000012281-6.dat	upx
behavioral1/files/0x0008000000012281-12.dat	upx
behavioral1/files/0x0008000000012281-10.dat	upx
behavioral1/files/0x0008000000012281-7.dat	upx
behavioral1/files/0x0008000000012281-14.dat	upx
behavioral1/memory/2536-16-0x0000000002B60000-0x0000000002F2B000-memory.dmp	upx
behavioral1/files/0x0008000000012281-19.dat	upx
behavioral1/memory/2364-20-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral1/memory/2364-41-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2364	irsetup.exe
2364	irsetup.exe
2364	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2364	2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe	28
PID 2536 wrote to memory of 2364	2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe	28
PID 2536 wrote to memory of 2364	2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe	28
PID 2536 wrote to memory of 2364	2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe	28
PID 2536 wrote to memory of 2364	2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe	28
PID 2536 wrote to memory of 2364	2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe	28
PID 2536 wrote to memory of 2364	2536	1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe	28

C:\Users\Admin\AppData\Local\Temp\1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe
"C:\Users\Admin\AppData\Local\Temp\1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1852786 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1a5b6c29bd963bc4316f7fcedde146b01c89c4114a82688ce9bb0994a77f0e01.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1268429524-3929314613-1992311491-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
187KB

MD5
bdc488fb0fde07bc93fb77366956c8f6

SHA1
f3078d17661b30747c8c992ccafff8b7024972f1

SHA256
30c21ecfd57adb8e914b2a58c9eb0022ffea44101fc015c4636d072e840b1b60

SHA512
128fd313c1016e684454299f238c259d9bd2767e21e7a139be9426f575717df38747014be38c3f3ceae8855c011085022f2c04487e6071cbd10d4d438bd3c777

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
285KB

MD5
6a6a4f8d545c8872a7342b730ffa7027

SHA1
fb4cd354fd3fbecd90721fca4f80b94a7168bd74

SHA256
2c668ca88dfa0f0b60f246a7bc70fc19ded5a9b07401ca64a495c6cd223c5558

SHA512
50f4b1ee61f54fddde5a3b7c1b777c28fc570a53e34910baad5eb8f2c511720b77990ca44792219a4731671e77b143946c5cfb467c1ab89114707e257d1dbae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
788KB

MD5
4f243f32f1be644321cff1df9aa3998c

SHA1
7d5417c77043f5010b1d3d04cf14225d8a02c7f6

SHA256
d6058336d35d80cdc0f2eaa16ff1fbeefbfb61a4a7d70c318e98b1a1b26fca22

SHA512
ad7c6d4f68c2f7aed8a2f1c780b10a0523e213f00c64ba9c962168f6c7cd5dfff6f0b2b7e17c678e8621b144c1c181fbfb6af0895fe452be47e966bb517e6ed4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\MediaZone Editor Pro.exe

Filesize
201KB

MD5
ab18aaaffbb0307aefceb9553f3b9a9a

SHA1
8700710f15f2e0fde16be5a8b3b049b35f8df869

SHA256
6a419694b5901a03187ee3a2cdf96af1dbf78d088482bb650fe37530820b1334

SHA512
03256b78409ec3e87e5c3e406f00187b468cc575ffda3c37738599a224b7cc0df67c2a8e9a29657cd6ea9bab561be6a477b3ed167e2cba86e84764cebb4028b9

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\MediaZone Editor Pro.exe

Filesize
142KB

MD5
dd99640764d2e516de1fc9b817db7d07

SHA1
da1a460bb8712ad48e57714f4221ae85f389a1d1

SHA256
a9195e54fbed7d0350c7c381c1a9f0db4167c42d0770c7792f0f7112b8b90c67

SHA512
eb5f5d2c209ac0bf3385d7af7139b8b68c13e3b1598d64c9e14427a9a6637b56f2586fe08e48b00072a46f7bc9bf5e6f51fc1426c05f4bba2fecedb4b750147b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
344KB

MD5
4c225a1378b650da08a7c1cef567fbec

SHA1
40e94f1a78fc6ff2b488a8e72bcd988ea1565855

SHA256
30c5a62c02642ff3e2743da2f351500afebe59e1e305b006b24c1e70cd6fa9db

SHA512
3d6712c5b02c50247c21f9639899e2e39cd204295ef209d0b46940c77f29b428b36e31d1b5d011bad07a54e1b4a9f3da2818bd30dec4aec17eca1ee56121f316

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
270KB

MD5
b01a5869115f316c95b31b4c0404f7de

SHA1
b8209581d7e989007b57499a4869b5d3ac0d8923

SHA256
aac3ad8774d0b1587dd1e34c85d0c86cdde73dcbfab16095ce1b689af05862bf

SHA512
2c454b0ebe5b4e9785ebfef8950baf48b37b99451d4a9ddaa40ec789c4a71a2d901112783e46bc1941eff25b519f01bdfc57f23638af14355c1cbdb59afdfbe8

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
d2ea8141ca728ec537e818aa388d9f85

SHA1
f094c2140ad7e11e9d1fb0ca485866a2c8860075

SHA256
4416745b3f2ab9af31cb8bb7d96929f1f92855c7afde787c0ef2a2f65ca87057

SHA512
e11508f2bfb87e7d66e53c116f0c5217aca5a417452c14b507f5c839093cb111f25bc86e2113f91ed5179701d95e11a2481102720724860da8fcd380a6e5f259

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
328KB

MD5
7473891c2cc031fceba2918cdf5138c4

SHA1
bc93f1776d295df1c86f83b96f64bb30e8cb8dde

SHA256
bed916ba06614a4991363b7fe42bfecd4945f47673a739ea1108d4c0a255fd0f

SHA512
d1d56554831e86c7cbb976853d91bcc63173b32b98ac7c9ee9ad60b7c71c005c93da87fbab9410ea59f0daea7bb1b7d189a4d23bf9ec304351d6d7b2122e3612

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
98bf508c6c2087d0c53374c3af38e7a7

SHA1
59c60529a739c337843b351c8058082afb3edc54

SHA256
9d7ce814a91b8659ab6266cfacd6316828d41538bf8fba9667f9e068d020af6d

SHA512
9d156fd2d7c06a8e88cbb78a7d249f8964f3e05c2818b80f236b6d3188cb8e42f269c34d36efbd50d6b5e50eaf97eaab360b90aeef4c64860f42a86ba0eec32b

Download Submit
memory/2364-20-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2364-41-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2536-18-0x0000000002B60000-0x0000000002F2B000-memory.dmp

Filesize
3.8MB

Download
memory/2536-24-0x0000000002B60000-0x0000000002F2B000-memory.dmp

Filesize
3.8MB

Download
memory/2536-16-0x0000000002B60000-0x0000000002F2B000-memory.dmp

Filesize
3.8MB

Download
memory/2536-43-0x0000000002B60000-0x0000000002F2B000-memory.dmp

Filesize
3.8MB

Download