49d867a06a863580939bbc3057db6f342890d3f8ea6f842d20fe3603a7cfc3e6

General

Target

26c6d1194cf3ec22fcc00da7de44704b.exe
Size

1.4MB
MD5

26c6d1194cf3ec22fcc00da7de44704b
SHA1

c5640485948b0eb2609e6229c7b96e8350d0abe4
SHA256

49d867a06a863580939bbc3057db6f342890d3f8ea6f842d20fe3603a7cfc3e6
SHA512

3b20a9a615faf592028426ad9f5b9f0a76b164654f297b6580022bc95e7412d324a9e24679e625fb72ad51b3f6de2ed0c2950026d40ebe03f95a5ab6b08c5765
SSDEEP

24576:Pmb5ta7ShseSshw9C0nsXH0EMC/yuPTbPSIzzjPrN8xFiFPuV40Tk0vEv:ObTaSh0nnENPTbKIzzjPJ+kxo40Y0k

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	irsetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2344	26c6d1194cf3ec22fcc00da7de44704b.exe
1680	irsetup.exe
1680	irsetup.exe
1680	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1680	irsetup.exe
1680	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1680	2344	26c6d1194cf3ec22fcc00da7de44704b.exe	28
PID 2344 wrote to memory of 1680	2344	26c6d1194cf3ec22fcc00da7de44704b.exe	28
PID 2344 wrote to memory of 1680	2344	26c6d1194cf3ec22fcc00da7de44704b.exe	28
PID 2344 wrote to memory of 1680	2344	26c6d1194cf3ec22fcc00da7de44704b.exe	28
PID 2344 wrote to memory of 1680	2344	26c6d1194cf3ec22fcc00da7de44704b.exe	28
PID 2344 wrote to memory of 1680	2344	26c6d1194cf3ec22fcc00da7de44704b.exe	28
PID 2344 wrote to memory of 1680	2344	26c6d1194cf3ec22fcc00da7de44704b.exe	28

C:\Users\Admin\AppData\Local\Temp\26c6d1194cf3ec22fcc00da7de44704b.exe
"C:\Users\Admin\AppData\Local\Temp\26c6d1194cf3ec22fcc00da7de44704b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
95145f4cead2c4bd2ec219bc87d83f1d

SHA1
5eec034dfc7d9a6d93c21f38dfe2405c8968f6ed

SHA256
0542cb1d3e6b50f78dc63ea1abec6c518cfd4ea203649df3ef3834309ea66cad

SHA512
081d9cfa0bc46a54fcf03a62e5663282d27f56e20fbeafba2833d6267de285a354915c661dd67a3217f4dc2330c7f49babf8b24a5a68ba5a014f5e1e297cc5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
6KB

MD5
123044b16601e61c9cb3a41f0039b261

SHA1
e2119058caf252e35f61dc0f8f9122d438d30f75

SHA256
d3bc8eca5e699c43c90e26ce28587f5bbc174d742bf76d6f66d5997a1657b342

SHA512
9eb9de4828e13a1b93e5f630adf9c2339b37ef590f068a910e4d62d3f1ce718258c003b48b6471e4fbf61663b41bbe6b59ce0e6ab865f37c3af5a278063c8582

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
401KB

MD5
711e3abd3e4d5e81614b083786270b38

SHA1
95fb852eefbc7ca8b4be0d4ccc40292a10eb2dd8

SHA256
33f80c7d0d3cfbee4ccbfc50a5a8578e00b0394adcfbcd46e6366edd03b2c90e

SHA512
973f97a14f5a98f34d511025ab53eed136f7308f5c37589c1f7a52f124aff05baeb1f3105246a24a7773be90ccb9462be76c9fa4d416f5ffd31ef02a73a58669

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
105B

MD5
53fad8027a47988f57cca036ea73ac8f

SHA1
8cc8ab47f97a4389d7f010cee8f47badbb9adcf4

SHA256
3624513b953a35b2fc7b99ff859c9de7ef85f817e78a8fac81453d5a179b1c4a

SHA512
0953b577a2a4ba57337dd1aadd4c2b7643dc09e83b9063032ebb830d45f85900f04de234b0547c421dfb53a8b9fc9b1389cb44df7d2469422795a28f11957b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
5930543afe37917c8e447635310009d5

SHA1
b012ad5d21489c97e2fdb27728e808200fceef07

SHA256
a084e98c6807381e118d47c1c65c591361f4159d87b3b4386ed347ca60c890a5

SHA512
073080d3233d21936fc8ddafd06bcde8eb15913577b1a7015cbdb3a8af13c7678e65f1afa2036e2fb59eebec55f8fbf025958d8490d13dea05a093534a4aff9b

Download Submit
\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
93KB

MD5
4f542a5e4c371d83c336e86a206be452

SHA1
edb2c1499632d39f295ed333b3e561fe7e674254

SHA256
9daf1f8c5b2538da2253dd086ecd375cc96b58ecbe866360528af0c9bd981a4e

SHA512
e80dc607ed40951ae7424f56bdda1b64fb9a19ca204170a389dbb716c586e38617acd2e8dbb85443d0b42bd87c9e5125e4f7e2e70bdcfb41236907e52be39bab

Download Submit
\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit

Analysis

Sharing