a9f359bc6b7693bcba1ea119db1c51b66776516f2d0062dd90627ff16afd0915

General

Target

RCSetup.exe
Size

27.0MB
MD5

291df52c0e753c81bd381d68c5ef2789
SHA1

9dfe31c0d389b29acaf6f8eaacdf79c753b3e03c
SHA256

1e2bd3aca04c2675a3dfa0897657bb8ef3aa789b3df799fd67ae1cb9a2f62e45
SHA512

3f1c6e39da4ebd62df4c7f27aa30e3f6367408515f1e40dbe4706c275dd1d9a822e6edc178467357c9be82e8608f5c5923e367f73263e4347000e8e0f42eef2b
SSDEEP

393216:k27vCvphdDXzUH3GFZXvLqVrGwQ33EYf9Nz73R5weatxXmpGxAb8Lx1N0p/hK:k27qXhZXe9GFH5RNatxXacoppK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	irsetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2128	RCSetup.exe
2380	irsetup.exe
2380	irsetup.exe
2380	irsetup.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Replay Converter\Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2380	irsetup.exe
2380	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2380	2128	RCSetup.exe	28
PID 2128 wrote to memory of 2380	2128	RCSetup.exe	28
PID 2128 wrote to memory of 2380	2128	RCSetup.exe	28
PID 2128 wrote to memory of 2380	2128	RCSetup.exe	28
PID 2128 wrote to memory of 2380	2128	RCSetup.exe	28
PID 2128 wrote to memory of 2380	2128	RCSetup.exe	28
PID 2128 wrote to memory of 2380	2128	RCSetup.exe	28

C:\Users\Admin\AppData\Local\Temp\RCSetup.exe
"C:\Users\Admin\AppData\Local\Temp\RCSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
9c53a90ebe27452ed61847d6c8789759

SHA1
fa378c148053202a460b2ff5a658dd16e9c9135d

SHA256
49f7c7f492514fa4113748091c44386b32573494ca4cce7c4d61ad7f8d692984

SHA512
e1af07ffe662d4e47e108a38d8c793ef77901635f96277c6a1385d41149ef145645b6625d1db171b1bc40a18dd7457941447d4130c7b9ace8ba31daf602ba964

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
51KB

MD5
abd5e130918db8dad211bafc3fd4ab0b

SHA1
fdeed88d53ad209b9239aa29e6b4610e2a43e10d

SHA256
eb97b033666c2a928d20cb4a089c38a87a67146e9555bd5cad4e0d82980d4450

SHA512
326dcde0468e4e9bfb4f02f1a719c3461539614022b67697a8f84222ad13274efbf0ef26a1be795254b5b897e217896e4675a7a531f82f9c942870f114a38c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
40KB

MD5
10b0b080f290172052bcb416c00d54fa

SHA1
2c45f2cef5d4c56f5bae08b7a606e8c77b8dda1b

SHA256
d55cff09817350e4881317c1b49020af664ba8f7e7edadf4205f58be11c3ed88

SHA512
7075cefaacb4dc54630a2e18c299f986050cd259178fc7ccf69098b28a16d4c7d720febe0d413254530f07b5af7c4af9d0e9630de68895bb5427f68fe1ff879d

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
80B

MD5
ec0cc8d7f9e6dfe67829b5238923c397

SHA1
2e200d9f2d19f8e5b96d20cc4117ebc14878cb14

SHA256
3f2478c10544c6bfce42702f432eb8bb8d3c318beda77e5718505b23a68ae05f

SHA512
e2ebe69b8f4a7b355c83398e2c086240cc3a41f8823ada5935fa14645190fe8ac1879957e649712477946e64175b3b124d7ad286d6b64b485e7d1a4e5e5b6375

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.9

Filesize
15KB

MD5
cedffa2264d312a7ca515e64ff34b814

SHA1
3f2c492765f8e6f50ec8b0d3580a8b81f2fe108c

SHA256
b13b8d36a80294fb22f2e166a307f6dab26cef2b7f4be3067571731d7cdf424a

SHA512
3c42ba97bac9aefeec0c1190c9375893eafb8f230339b141a1fdacb51ff994f9d362988273a53144e689f90ef62dbee0a2063e49523d73ce55a6e72673f9b638

Download Submit
\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
640KB

MD5
ae28c59ffd5393a69ef68c41be64209c

SHA1
7775613f8d15fed36155e43d5336364681caacde

SHA256
1d9f8c4ab0ff2dd0c1f8dce59bab5bb2d4df2811aaa08205a66d5fb96425aaf6

SHA512
96c22e02ba975119256622d55a9372e0fc41d9e91e355195379a76991db706b02b64886e685b69bc5031c8b97c29e950e72c03ee11632a921453f071238d059e

Download Submit
\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
479KB

MD5
9665a2a4cc5c793356cdecce7d35cabd

SHA1
6370ca03f28dd21d86e286e433018c69e4d61ac7

SHA256
0cb70eb89cae91a4bc10b2f9ab60c4f95c9276a78fa92ecdb47e7e4841483ad2

SHA512
6d9f65eb5b28a2da55ae806259758539ce5ea87af9cc7198b73a0245f977addd398a398c4c2119839e0465586715f3a27c3737be0778a17910136863cc6dfee8

Download Submit
\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
720KB

MD5
456462905091db042141487fe030e3c9

SHA1
bb57b4850528c3c8d9bf159fb5b9f414ddc7d5d7

SHA256
a93dc5e28d74ef40dd5d694aff7fb5f24c27dac4b59adae008cfdc5ca65587b0

SHA512
fdd82c126189454352b44c756be06e3e93ee26a93b56d99c3eb5254cac3f6d6ed71556765b76e65bd75efad461972044ce829443c006fc0816a28f7b4493296f

Download Submit

Analysis

Sharing