30c39af78f0d3ec0a62f056b0c1e725e26ec469c121d47aab775fcf6ce7757ea

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca.exe
Size

65.5MB
MD5

6613b847292a0b7f246b35eaab993c94
SHA1

9a4f9aee46293bbbe33e75c4f71c49911c7719fb
SHA256

5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca
SHA512

2ac078f386f09e1f12c92ea89adf8e7266f9b03b06ef540a080f108cd0971b624441b69e5a5e447b592b8954b12206e2a35b528ebe602d807c3b0a30a54fb74f
SSDEEP

1572864:g43BkNe5iof1ewvEraVlWcDXTIJSBCm2cFb7m:x/AwvEcjLTIsBC1cFXm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1420	irsetup.exe
1260	Process not Found

Loads dropped DLL 8 IoCs

pid	Process
2420	5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca.exe
1420	irsetup.exe
1260	Process not Found
1420	irsetup.exe
1420	irsetup.exe
1420	irsetup.exe
1420	irsetup.exe
1420	irsetup.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\WinGate\WinGate Setup Log.txt	irsetup.exe
File opened for modification	C:\Program Files\WinGate\WinGate Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1420	irsetup.exe
1420	irsetup.exe
1420	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1420	2420	5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca.exe	28
PID 2420 wrote to memory of 1420	2420	5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca.exe	28
PID 2420 wrote to memory of 1420	2420	5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca.exe	28

C:\Users\Admin\AppData\Local\Temp\5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca.exe
"C:\Users\Admin\AppData\Local\Temp\5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5601026 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\5d308d7df3181c8e10d961ebca349b5a665d8eda6df05fca978e9165d4e380ca.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2444714103-3190537498-3629098939-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.8MB

MD5
e3d25485787ac3969910ea03092cb99f

SHA1
fb1a640bf285f10c97954f302aa07ece8902e438

SHA256
a186b8831b87116aa4d1d185c30e7da1d23cdad259dd01a690e5794955ae99f2

SHA512
c4a1f616b38ce71430c8fc9236ebfe895025ae0e9076dea7ee45ba97256dd0f53cfd8f3cd45a481eb3572b990acca596ea80ca8877d5f2ff7e381e4649e731d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.8MB

MD5
621b3d46cd4c82823dc071e427269671

SHA1
891422c0d1cafa1c724a96db79b98ad014cc0364

SHA256
79a319d1fad2d8296b9e4bf309676359153b1a0a9229c8e043b4c072fd4dbbdc

SHA512
f46626ec8d899919888ac10d78ec26eb4c2edb93ffbe404c6f03ee318fa24c41fd8b4ec03e6922d8076a02e416679a2c9044c06306e391cf91594fd5501ecbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
346KB

MD5
3a7223b677b0eaac95208967eff2467d

SHA1
585142fcbf8eae42188aad21d3bc14d77a6e910b

SHA256
6145373038b272331ac9ed3009292009bfcb295efc55e2704c4a3045c365079e

SHA512
9d4c5450bc54e471fa3b6b999d6cafc8c3b564feb14845cc0365809500415d94d151969548469b90daf827d77c25fc71486da543b8ba36f96603fcd058db870b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\HtmlHelpColx64.lmd

Filesize
4.6MB

MD5
aae64ba02655830115d3dbd88137e607

SHA1
563f28e6fefd03f6fc1054727e45ce9ed557cb84

SHA256
ce015be589fd68a582a6b0ac7c14d3760c418c347be4900bdc1bd7b29eaeef6b

SHA512
2e5adc3e6938f94876d981ed396c03774a8d7f0a1049ab48b42b7e4845132cbbe3ab43123976fda55fe8618c8e5429adc1c25b8b6d1f8090c887d358caad34ba

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\MiscUtilsx64.lmd

Filesize
5.0MB

MD5
a766b6f0b82485f81b3526923999c17b

SHA1
0248492383957214811e66db1a77663dd58d94a6

SHA256
b2c4ad5c74f7cd598a3f6ddb867c52dbcb0e3f78a8bd362033cbd4f212099e6f

SHA512
b7baa8134819ced5e52f187e02a1ac8cef579b5cb1320f2e214e9a1d2be29914ab49fde7474000b9e2bde7d93e4937371833e59ed56b73db7c8c05783c8b02f7

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\RegistryExx64.lmd

Filesize
4.6MB

MD5
8ea69457dee9d07bddf9a8ee799746b4

SHA1
7d2b1de3c7732bb1487395acbfc2bbc8168e9d23

SHA256
9f296943d1eaa751fa3da17fbc1dc6a5918145c47b12d4faab4e5022c4b65205

SHA512
a48a4bfb92a7fc0e69de9e4bc99386af99e79a539192a53b81ce908edebeaf35616f78bd9b32b1ad0526ef7c667430e1bf812bf472bb4efe9836b2bcfa4f73f4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Unattendedx64.lmd

Filesize
4.6MB

MD5
ba5747a2fdc7425756e1810c3c6b38dd

SHA1
6bacf03a60d33c2580141dead211616230fed0a5

SHA256
364b102f177c208d4f20961a6b96b27a4af7bf581686653d121e27cdbe1363aa

SHA512
7dca074717603bc4b1cd2246753f340ee51eadd780bb6fd2af88fb9756eea5e0b0a88cf5fb3209d6a8deff92186a128327c24875463a7dbc7cd8175effd4b2d9

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\WGLicensingx64.lmd

Filesize
7.1MB

MD5
cd6d55939b13c92e8b55f75202b6e5fe

SHA1
f8e9ffad917b1feb9fa5a2ab6e0015172c9fea07

SHA256
c3f5fa7be31c770aadec4d8e87bc642038338bf8d523368bf674323fbdb4172c

SHA512
961d6e2ed0aa5a1576d492a4ff92fb98598e7187701278e39ed06919242b2ae493fcb3dec29d5230bb9c1d4df7638f781c68d5857e62e1e8cd0e43a6a6398560

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
3.1MB

MD5
22cace4808b91271f479c4c309ec260f

SHA1
93a45735db4f88528a3aaf4985913a33e1297195

SHA256
f32408291fc74841d1668adcf45353e647c0fd9ae66f9cc69a1e223bdfb60d8a

SHA512
00882e9f09bdc9226ed50062ddef3d9935c19de06ece8fb004d7ba418134f5e9a7f49344230e5caef8f3b12a0e738bdf36fb16ecc685380a9c582cbe5d6bfb97

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
2.7MB

MD5
5eb9b7f2d603e255cf66853a6fd49270

SHA1
38fba5bcefd31b22a8ff9c7c1435ef3ed20f42c6

SHA256
f1d3251be81ce50e319f4829ff26c1f9bae3fbb420a83ec4113d7cbf94c79139

SHA512
4fd8873b02a2978c959057063730d52b682c7f01893978bedc926be87fe448034f8479b2215cd66d886041a429d28112b2922a37d3fdda64d310bb4d2041d80a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
2.2MB

MD5
bde23efa8f57413b14c2e103f3917186

SHA1
2d3ea6083ab1902188796730e906801accb88852

SHA256
c6c019b6f927967386e952d16577d311dbc69b31b4dc6af5bc4389f8d68e474e

SHA512
563229bec52f07481a1fd28a5637388b0bcba66e8bf99eb6807ef43a5bd7dac3917b68eb9d5a06bab10aec80ba93654a126a0568c32108ff37bd21821c6b4cf2

Download Submit