Overview

overview

7

Static

static

3

1d4cbdaae3...8d.exe

windows7-x64

7

1d4cbdaae3...8d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    373s
  • max time network
    386s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 01:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1d4cbdaae33209e38abf2e641a9d14840d6d0f4f06b951af7f5c70ac8932f18d.exe

  • Size

    84.1MB

  • MD5

    3f1e9c8ffb6a2ece33792a68ef1f6e9a

  • SHA1

    ef18a53db0856755de320e4982e8c492e441bf65

  • SHA256

    1d4cbdaae33209e38abf2e641a9d14840d6d0f4f06b951af7f5c70ac8932f18d

  • SHA512

    4091ef3c14fb6d2e84915357a0bdc6765345180129a36420f0144e33ceac8a4a34429ed5ad3d7b24317737cb40254f54cd99823d81686f113d139f4de95cb173

  • SSDEEP

    1572864:tgyw4TuSCiBem/SSde6JUgdjlROqNnVyizOAkR5TwoDTTwoD5:tguT1CZzSLjTOMR6YoDQoD5

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d4cbdaae33209e38abf2e641a9d14840d6d0f4f06b951af7f5c70ac8932f18d.exe
    "C:\Users\Admin\AppData\Local\Temp\1d4cbdaae33209e38abf2e641a9d14840d6d0f4f06b951af7f5c70ac8932f18d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1d4cbdaae33209e38abf2e641a9d14840d6d0f4f06b951af7f5c70ac8932f18d.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-635608581-3370340891-292606865-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\SRLicenseManager\SRLicenseManager_Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\SRLicenseManager\SRLicenseManager_Setup.exe" /S
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
          "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\SRLicenseManager\SRLicenseManager_Setup.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-635608581-3370340891-292606865-1000"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5104
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\perms.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4148
            • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\SetACL.exe
              C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\SETACL.EXE -on "C:\ProgramData\Stage Research" -ot file -actn ace -ace "n:S-1-1-0;p:full,write_dacl;s:y;"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3448
      • C:\Program Files (x86)\Stage Research\SRLicenseManager.exe
        "C:\Program Files (x86)\Stage Research\SRLicenseManager.exe" SoftPlot
        3⤵
        • Executes dropped EXE
        PID:4480
      • C:\Program Files (x86)\Stage Research\SRLicenseManager.exe
        "C:\Program Files (x86)\Stage Research\SRLicenseManager.exe" SoftPlot3D
        3⤵
        • Executes dropped EXE
        PID:4732

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Stage Research\SRLicenseManager.exe
          Filesize

          2.6MB

          MD5

          f15af20d3a752cd6fe4cf00098d50f02

          SHA1

          a51fac693212144d38bdc5312ecb840ef6064b64

          SHA256

          1f224fece2b860bcf55cd5d720fe8ada522cc50a67430cd60a8846818561c132

          SHA512

          60d714ebc6faa596c6a7f3207f589f4e91bc45885a8884c1a9a16cfd08a124e59cddfd45715bd39a63157a723dd8e12d84f9cc6542129284ea8350e3779c5cba

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SRLicenseManager.exe.log
          Filesize

          502B

          MD5

          ac7943e277671a6eb6720a445963aa06

          SHA1

          4289c79d705656ed7500e3f1d0cdeaaa41be23ab

          SHA256

          f1c1b5f197b46ea19379252fb485b0862008254009f980b8905d70ef2440b89b

          SHA512

          af2c6accd82aa05866cc3d44c5c2fbe6ecc119fa9fcfe58b699c5d8a38d197db35eebfb348658c8390682b77a0d35a5c12c0e1cde16a852b654b55aa47521644

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\SRLicenseManager\SRLicenseManager_Setup.exe
          Filesize

          2.4MB

          MD5

          aed69b6ead226c064a3ea14745664202

          SHA1

          350058e690665257a51d1e91f98bfa6902db7501

          SHA256

          255e6fb1aa61e9208b4e1f53171bdab6a25168fb259945abd403a6081c50adec

          SHA512

          353c58991611f5a75d8fa96b3d6582951ea323892c2d01df08e532d76b90fb9ea1c2d174e02782b5081b6d24b732ecd5a141e83a56018007787357c552a999cc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\SoftPlot10Icon.ico
          Filesize

          52KB

          MD5

          265c5203f435725d63273321e03d77a7

          SHA1

          d56f8561cbce42fb74ba008c799c1266932d3140

          SHA256

          9c4d55555640f2e317ff9f062d79f2f642ea9b17244376e2d921b6f2933c4d3c

          SHA512

          5fb820a25f39edabee24907570ed4e2f6f8a239d3f3747ff87397e5e1421f36737adaeba3f06778c671606ad1231e68838ad613a3f792708372552c4c454f153

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
          Filesize

          1.3MB

          MD5

          dec931e86140139380ea0df57cd132b6

          SHA1

          b717fd548382064189c16cb94dda28b1967a5712

          SHA256

          5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

          SHA512

          14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
          Filesize

          318KB

          MD5

          b5fc476c1bf08d5161346cc7dd4cb0ba

          SHA1

          280fac9cf711d93c95f6b80ac97d89cf5853c096

          SHA256

          12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

          SHA512

          17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\SetACL.exe
          Filesize

          296KB

          MD5

          2e5a7d12c3170f61a08866600e74075b

          SHA1

          c13e3ee03a215b8620e015fab2f4d6d980f82a73

          SHA256

          f921a1f235dcc23114c359110e63739fc1eb5eed5fe7dcc8346b2b6768d05508

          SHA512

          d4b07286c39f13658da288e1b905c9f2208d6d2ee68cba8d36794127e40e3e0cacbb5caad5ee20938501a912f5cf296c3fb1198fd62ce93d60f8cc09b0ccc486

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
          Filesize

          108KB

          MD5

          5db8ed2a6ef398dffa62654a93a9f182

          SHA1

          3bc92db2632ac0a332b879935e4d60639497b8d0

          SHA256

          21415a09691f3f0b1dd1d731228576dec36d52aecef2ba067afa6e845564feef

          SHA512

          490ea9e347cd173d2c6c8f49a62a767127d720bf1a9c44100d0e39ce17a33c41fe378c0075b04afbb0b2d90aae73a7f135c63c3e8ab11141cba02d827d9c1387

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\perms.bat
          Filesize

          153B

          MD5

          5a051aca535bdd8a938dd1cc45caaf41

          SHA1

          e6b0c6941112fb411d5b126ffee672c6bbef7d59

          SHA256

          7cf8ebeb2c6e9cff127d10c29f4b130e8e76142e1169fd3a178f4c6439aba44a

          SHA512

          22dc0dbb1309b3ce24fcbb267ee8eced3efc439ca18e8d7212ebee04dfb98441fe36ca0f93b92f5a40b79d932de6d8a428824509f149cab901759293b5f57195

          Download Submit

        • memory/4480-94-0x0000000000200000-0x000000000049E000-memory.dmp

          Filesize

          2.6MB

          Download

        • memory/4480-100-0x00000000050B0000-0x00000000050C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4480-102-0x0000000072D70000-0x0000000073520000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4480-95-0x0000000072D70000-0x0000000073520000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4480-96-0x00000000053A0000-0x0000000005944000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4480-97-0x0000000004E90000-0x0000000004F22000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4480-98-0x0000000004F30000-0x0000000004F96000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4732-109-0x0000000072D70000-0x0000000073520000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4732-108-0x0000000005C90000-0x0000000005CA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4732-107-0x0000000072D70000-0x0000000073520000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4896-15-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4896-99-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4896-39-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4896-103-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4896-12-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4896-35-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4896-85-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/4896-115-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download

        • memory/5104-87-0x0000000000400000-0x00000000007CB000-memory.dmp

          Filesize

          3.8MB

          Download