6151e96fd01e8fb202926b63729f12a4c7e3f66c3013bde46add4d38f4aed4b1

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

10.7MB
MD5

a991512916e453a8984f7e066d698d62
SHA1

ebfe1576776dd0f5ac1b3e37afd1d87aa0faf8f6
SHA256

d4747292524dc2168431a7fb0151328cab9b0081843b6feb1a460f8fbfe24fca
SHA512

c9b1d3cbc6a8f19e05388535912bb9bcc35c9d0e8450939bf8678c84f9d30802b6602cb833a92918b2fe038e51ecbc48a38f9915d31f8ae6b28810ea5f41fe2d
SSDEEP

196608:1a66Jc279kJcPT2a0BBxyk5T4S32HWr3d5MracOqLSJmg1Hw0:1FKfDCa0BB4k5T4S3Zr3dmJvrWHd

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	irsetup.exe

Loads dropped DLL 1 IoCs

pid	Process
2024	setup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015d23-1.dat	upx
behavioral1/memory/2024-5-0x00000000022D0000-0x000000000240D000-memory.dmp	upx
behavioral1/memory/1748-6-0x0000000000400000-0x000000000053D000-memory.dmp	upx
behavioral1/memory/1748-20-0x0000000000400000-0x000000000053D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1748	irsetup.exe
1748	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1748	2024	setup.exe	28
PID 2024 wrote to memory of 1748	2024	setup.exe	28
PID 2024 wrote to memory of 1748	2024	setup.exe	28
PID 2024 wrote to memory of 1748	2024	setup.exe	28
PID 2024 wrote to memory of 1748	2024	setup.exe	28
PID 2024 wrote to memory of 1748	2024	setup.exe	28
PID 2024 wrote to memory of 1748	2024	setup.exe	28

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
  __IRAOFF:542221 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\IRIMG2.JPG

Filesize
47KB

MD5
20c0416799e86e25d0f300bf8bb34e40

SHA1
7d5b59f2e39ef66b040b91fb29d650bc0de94f2f

SHA256
5430a1cbb3b4495cf1af10259844ae1f61cd14de54e6878283a4e54d5d83c3f5

SHA512
d8b5d3af3706773588434d0d9ab1e993293ff120bd067f99518551af5f600e460ff4090f463b5b99bda2e272764e1d15208fce14a132fe8f91217b4ea1afeb49

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
461KB

MD5
1c58b6ee4cb9561e81095b76656a2ef9

SHA1
1a7a7b05f97aa0d5280e423f5712a71d26a7c724

SHA256
f3361c6d49a75c7a7d6a1cba252d5ca4a178ee69b7a07e1fa2ed28820f6b7cc7

SHA512
106cbdb37d592b4586c206981e44f928e875c7497471f55031ebf7de0aaa0ace09e7fa028fc31a34aa6822415b068a91b4f3f297c7216171d07f6a50b9eadbf1

Download Submit
memory/1748-6-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1748-20-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2024-5-0x00000000022D0000-0x000000000240D000-memory.dmp

Filesize
1.2MB

Download
memory/2024-21-0x00000000022D0000-0x000000000240D000-memory.dmp

Filesize
1.2MB

Download