Analysis Overview
SHA256
561a27e811aa3a61afc77e1b4497c1d33aca7afd1adca5edbe4b5efa5bc38cd0
Threat Level: Known bad
The file 814e4e665cbfbb465b3a779f790155c8 was found to be: Known bad.
Malicious Activity Summary
Babadeda
Babadeda Crypter
Executes dropped EXE
UPX packed file
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-01-30 00:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 00:58
Reported
2024-01-30 01:00
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe
"C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3627615824-4061627003-3019543961-1000"
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
"C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.55:80 | | tcp |
| RU | 185.215.113.55:80 | | tcp |
| RU | 185.215.113.55:80 | | tcp |
| RU | 185.215.113.55:80 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | fa569798a54777090a825a8e72a5deee |
| SHA1 | 622728b0348957599cfeecca337337383faedb9e |
| SHA256 | 0cab8ecdfa3d3d88c19fcb950480bb6b5083ef6bca8426b519cc081e9c25b800 |
| SHA512 | 2d8433f565108297116921e5c5a6f95c416bfccf8ffd510edd77cf33692bc9f8301db19802427273a41554aec6b0fa7f12124a93ce3257a8a07689edb2ed50d3 |
memory/1748-5-0x00000000033F0000-0x00000000037D8000-memory.dmp
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 6fa58e7f3b194515d234924e282abf2a |
| SHA1 | e67c619543b4f1fbca22adf8a56883c1cb43404e |
| SHA256 | 97400e652a52299fa3f39d023718d0d0b72b89aba0c2d6e3259068ce477215f9 |
| SHA512 | 64a74034fae5ac5810fc0cbb99a2cc8c158c1cea6a8abac6d654ac33281b958025df1368947cfb6840fc7c82f941f2a8f63d33934698024d15d3f8d6761f9fbc |
memory/1748-18-0x00000000033F0000-0x00000000037D8000-memory.dmp
memory/1748-20-0x00000000033F0000-0x00000000037D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 757c557f8630a4ee34bd77cfff505d8f |
| SHA1 | 2997a7d8ba681f3ac54a76ac723d07152e24d522 |
| SHA256 | d6751a533fa4932a94e2c39149c3f8caae1bbc3f6d6e977b342d46fbbe1fa3b6 |
| SHA512 | 9680ae1674223808160dfec375dfb5ac438e1acd689c8f6b4752000312a01a2ed09e4e2e374830350b4117b4c6307527ea81fc2811aae757e32aa2d6624001bb |
memory/1900-24-0x0000000000A20000-0x0000000000E08000-memory.dmp
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 9eee30f75fd7318dde87d713d5db2146 |
| SHA1 | 09f8c234a99067a6c48bd2122c9c4b7048b3f3bc |
| SHA256 | f7ef7c15519e942ee061a82597af22f07e31ff03e9a22fe33df47f4d216b1fdf |
| SHA512 | 14b382b76e2f588b79b3530bca1afedfed801648e2e37c0ba54b15bfc985fd1892226af35bb88e0b406b4c783affcc44987d35d866f5147af66b33fc92f898d8 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | f1913cc4d38fd3f764ae673e6893affe |
| SHA1 | 71cf102f02941a9d2b6338cc77acd96d82fd0e86 |
| SHA256 | f61dbfb1670bc6c1fc82ed8b3e46c3bc2c26010fe1e7b29e3927efeb132a6440 |
| SHA512 | ca31dfdbf9bbc44c10e072cdfc2b1eb632b145cab6651a5be40402b0bea38607c45577d12095a926b23c7e46796b071e5f41e2caf8d5ae0f937c77c30edb8661 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | ab9403b2c0ec1278bcb2013ff1b8e62d |
| SHA1 | b40909058fc1159edb86ac00c403ca6c6e1a65f6 |
| SHA256 | 7b765f5880731603ef01ba905a890028a801b3d472125818298d5a7e37fef963 |
| SHA512 | c3ea17536a5abd6d59653b48df5079302a9c34e32bc8868532ceb714b2f5b5a22de078238c5cd646c420399f7ed441ef91aaa0a84e66fee60a2604259b651190 |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 9c60c4a7dfa9c4fc989463e56f680d31 |
| SHA1 | df949fc3f627c655c8246138c88ed1e889a01090 |
| SHA256 | 08cf8bb49dc97d9f33fa6886ae2fb07b2751ab7ce23a0fc502d00f2e50e50b39 |
| SHA512 | 90a8abf1bb313608e4de60b88e81871450b2343cb1b1cc0bcfe2e6e251b705c923ce1874626f38cc8e86496ffd40a43c9644cdf8158722a001d545687c4d9f6d |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 290c875260fcb4da9207029d1f6c559e |
| SHA1 | 5a94f8bf3e943e3471b475960c67bf505ad75c83 |
| SHA256 | 54e972b8a5d07098b72d66485d08434603452063aa2b324427a338dc15c53782 |
| SHA512 | 3c628a89ad049cc67d1ca958acddfc60ed8cf0171f5dd5e60fe6faaffd4b0e97beec66a72c9fe88a114b1ee45ff001ca465e34a2e084da6ef5e6b87b463f43b3 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 175e25dc755bb5c8b2dc27b47fd16df5 |
| SHA1 | 18578e86807f43370e49338bb44b027e93f37eb9 |
| SHA256 | 6f163bd10877d844eaf698b68e024b0bd1a2742ed4d3aa335dbce82807b2051c |
| SHA512 | 8bc2d35747b006573a9445d702599bf080394684790cbbaa3dc21447893e915b1306351767f67053c8f8581ab20ce2eb657cba3f7080e83ff2976ea5ee71b07b |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_connect_to_data_no_mru.html
| MD5 | 20bbd307866f19a5af3ae9ebd5104018 |
| SHA1 | 8e03c9b18b9d27e9292ee154b773553493df1157 |
| SHA256 | e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7 |
| SHA512 | 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_banner.html
| MD5 | 5d1f7da1c3d95020a0708118145364d0 |
| SHA1 | 02f630e7ac8b8d400af219bd8811aa3a22f7186e |
| SHA256 | d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a |
| SHA512 | 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\stylesheets\start_page_landing.css
| MD5 | 49617add7303a8fbd24e1ad16ba715d8 |
| SHA1 | 31772218ccf51fe5955625346c12e00c0f2e539a |
| SHA256 | b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907 |
| SHA512 | 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\stylesheets\start_page.css
| MD5 | f2ab3e5fb61293ae8656413dbb6e5dc3 |
| SHA1 | 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5 |
| SHA256 | 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192 |
| SHA512 | 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_topstrip_with_mru.html
| MD5 | cc4d8a787ab1950c4e3aac5751c9fcde |
| SHA1 | d026a156723a52c34927b5a951a2bb7d23aa2c45 |
| SHA256 | 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee |
| SHA512 | e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_topstrip_no_mru.html
| MD5 | eced86c9d5b8952ac5fb817c3ce2b8ba |
| SHA1 | 3ca24e69df7a4b81f799527a97282799fcd3f1e2 |
| SHA256 | 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d |
| SHA512 | a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_landing.html
| MD5 | 0a5b47256c14570b80ef77ecfd2129b7 |
| SHA1 | 69210a7429c991909c70b6b6b75fe4bc606048ae |
| SHA256 | 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d |
| SHA512 | 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_connect_to_data_with_mru.html
| MD5 | e6bc0d078616dd5d5f72d46ab2216e89 |
| SHA1 | f70534bb999bcb8f1db0cf25a7279757e794499f |
| SHA256 | e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54 |
| SHA512 | 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml
| MD5 | 03a258bd2b97e3267b725fc4d6144699 |
| SHA1 | c5193cd0dfadb615fd88ce98b69df2151d24c685 |
| SHA256 | b7503474bb17cf8fa6ddb62bc353371fd134b6302a9235abc924c0cd6ae97ec2 |
| SHA512 | b2b0eeb9e2c6291e2a6053bbd1baa8ae654dfe9c0e5091a13dfe668c068c20dd547697edfb37ab20ac39e166afa771d3ab38cce3063994f8e3510048e6b3b7f8 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml
| MD5 | 5b27b87227d4a9ef10a3257c817121da |
| SHA1 | efd20d8a5e5b351d59da53bb3d456da6527fa16b |
| SHA256 | 6177d775028d5af64d20eff912df958691de980aa874efd7060616ac04b0cce8 |
| SHA512 | 66d7f5c730f45062038a7e5aa158aa606c5f1ea67b02e56c2ac7128fadd120f4abbe18b0c5e91cddcf07f9b6605a26b6e791c5a4841e0b2424bcc82f12fb7bb9 |
memory/1900-877-0x00000000005F0000-0x0000000000600000-memory.dmp
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | 998be31f33476eb7ff7360549082b289 |
| SHA1 | ead49881c5c1de74953af970879565210718c916 |
| SHA256 | f6dea6168fe93e85b5c83c08793514f83e1c9993e25bf1869b5d3eb676b09f87 |
| SHA512 | ed6c9e8e1f975bcb59b541c0cf33741f21bae3b84b20ab19d4fa10539c537e44ece3336bb1f6e60fc82f3b6c9370fb3df25ddecbe54356d80bef0d7a1dec9077 |
\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | a878b5061bc563270d6b03ac071d16b3 |
| SHA1 | e4aeb7d07868bb4bd742e9dd6d3058c5cc096e28 |
| SHA256 | d3463e31fcfaeeee93a0872b5c2cea6c7eabbd03f77352be2566bde2281ceed8 |
| SHA512 | ac7f3addf64e57db50b1534310776549bc8771785be1d350fdff3830db663183bb71cc9aedbda60c11e05c7c4ef2988ce8690a60849ddabff2dae936c110e88c |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | f3d83f57b9783848508e7276f7b0e1b3 |
| SHA1 | 08798762497d8f01b1fb066121920eb71497d766 |
| SHA256 | 880bacd0acb602a064e87a9583e54d99959c287ce153d2becc1eb31b09ebb95f |
| SHA512 | 7f7b572e61b9c6142a80cb08331c99d9596ab1276c8bfac29497c46bda880b92ff9d4421e931c3b195a9243b01f5b6bc533284ef0b98e91d678115cdf4d1dc54 |
memory/1900-896-0x00000000050B0000-0x00000000058E0000-memory.dmp
memory/1900-895-0x0000000000A20000-0x0000000000E08000-memory.dmp
C:\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll
| MD5 | 32c06baf2d022359601c251309dd3549 |
| SHA1 | df56fb7030e82ec7929b6a88772d4726338d0ae4 |
| SHA256 | 5e69ee1e26b6e3e4b5b6e2f3941dfc88d6d827d4145e97d85306b4360d043768 |
| SHA512 | 86bbe76a0d78a9edf0c476c7f6d3aac93d577748aae5f481c89977a143ea46fd458c24959e87b3a72b83c95300b17c693fd06a3c139f24f26e3255ead7c50187 |
\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | b7058640318ebc795fe49a1b00100d8f |
| SHA1 | d64a03d380b6c44b4e83bcf2f0203bb0522ee090 |
| SHA256 | f9db09b2368744df33f4b6ea39c040af042e9c92d06712a9f3329b985ba80bee |
| SHA512 | 7a98d5171c0e74fe22f9301b79579ac909e0be9f26b6978204146b0be19f32e71ed6628988c63632d79a24617a1331b6bdf17d06f6d36f47cf3fd00ce82723bb |
\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | c398f1802d4c49d31f7821e6d93d10ea |
| SHA1 | 9acc471a8a790e58dd719748af61ab7cf96a395e |
| SHA256 | 9b2d1ad723c19c04bfb9f06e837f0315e3582a0c64ab48316c741d0b779902da |
| SHA512 | 001ee66014f305d227fbdadfe423ef1fb7d2fa0aec0d5f3249cfb23baf18c0f2b265c392e8b61e4a64e32da5c9b1376356c46be532496d4d2e9cb0eaa8810b58 |
\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | bda27d2abc2edd1cc566836913230749 |
| SHA1 | 800d02b4d5f4346a0779a1cea9642a95e307b1a8 |
| SHA256 | afed90ca13983ce44b585488647442029ae12d226243d31eb54d567efe07fde6 |
| SHA512 | f85d689af9a66e99d7a071d49251a134e1601ec836d1ad63c56cc4ce780d7bb09ad8fd7bbc753fa5e8b1b28dc7b841d9318b74db73313cc92a633693d2dedcb5 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | ee24a8927ebab0fb30fd1b7ea8547fe3 |
| SHA1 | 3eb72025b5dc520c8b36675c34854a2b95306467 |
| SHA256 | a510dfe592fe5223a3688357bc0765a1b1c1c99f461eb8570ea8074a20444428 |
| SHA512 | 3c2bb2b3b21708f6866b0dd836be22045b6a2ac37192f6205767633c221102d899596a03badc8c8ad55c76e959d5cf187780c796fce8be9563a0e80e8b34c156 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\ui.xml
| MD5 | 9fe531a860b574477cb03eb6f878ca7a |
| SHA1 | a22c81b16c7b73afb437eeafb753bb3275ee36c6 |
| SHA256 | 7ac20cce461f268a3fa4e9d371b67a33544297f33a5355d7b6f09edc7de6cfa3 |
| SHA512 | 9684355d8e304dac985f3eebb847cdf26a8b0a8f56ac8bdabafc95b998196a07dfd3f353fc7ee72598c4aff6c45c5bf700d898d7cf057b9a9deef904b75bd50b |
memory/2740-899-0x0000000000B00000-0x0000000001330000-memory.dmp
\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll
| MD5 | 11efa59c264a2d3425cb1a83ec7cac79 |
| SHA1 | e7e6f287822489f827ea21c9bd61b676d7a8df55 |
| SHA256 | 3bb0641fde93004a58127caed2fb414a1f5edb62e11751fa2b21620a057edf87 |
| SHA512 | 7c8eddbcae3b6523a1d70592d7d8a859f5e2336cd587ecd4287678da95da1f7da5404763d422082e42fee45124fd7a768840ccc51dd613c416b271e4638fc5c3 |
C:\Users\Admin\AppData\Local\Temp\152136276158
| MD5 | 1121132c578b5abc02bd69411a370adf |
| SHA1 | f42fe7952a4cbc5db0976758a1de3edf1ce21522 |
| SHA256 | 4d2407322218288208b424b1c6dcec5a6a1402d30db47a639a67cac48a8bb24b |
| SHA512 | c9726068aac1effbaa0f2be459bba7d645f80836e670268545a85df3fdefb22d2d8c0746baf8e40d430d0985aa3e8bae7dd2b7a46e949fee4586c9754ec3c98c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 00:58
Reported
2024-01-30 01:00
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe
"C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1232405761-1209240240-3206092754-1000"
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
"C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| RU | 185.215.113.55:80 | | tcp |
| RU | 185.215.113.55:80 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
| RU | 185.215.113.55:80 | | tcp |
| RU | 185.215.113.55:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | a132e44e438da2c9e9d8c725026d25b3 |
| SHA1 | 113effeac99b044d62a9f6746a6532600de695ac |
| SHA256 | 71a6a5de86a758b28a7f02ebe14804fc7fb1311220edd7616550c8cac956a5ea |
| SHA512 | 5e6bc45d0589572e53ec5a653105626c4c8eb87c8ebd8cda22cdf0a8b43ce8408dffa13a45dafd5c6f075a253f8923f762126e4755615e744db1f78bf3129ec9 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 7342c49823b223d309d701c2b8bc2be7 |
| SHA1 | 74b316dd680af56ff610e8920a888c7dae35ad6b |
| SHA256 | 8d662e87a181a5bb76fbb7fa2062f5878aca38189d9fd3b7002ea810117ba612 |
| SHA512 | 54cdc44370e45690e077b2d46f33a10f5e9cb8e44444bda9be0535bafa596a0cbe25c9af92b16a5aaffd80b57e06fa91486e3e6555c47605794f64cbf77b071f |
memory/1388-11-0x0000000000140000-0x0000000000528000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | cb93f1e129e84ddd62ac202d804d7a4b |
| SHA1 | 1cfe018d4ceeb6003ff5139aab6de7ec2ce3f54d |
| SHA256 | 2fcf0af68e08f52d15a8ed455bfdf0060608261b353e6a8fad9cb36dca6ed48a |
| SHA512 | 9013d4634244e1629e5ce24368fa54657563a7c9f8cae3a913877efab24d1084688fd5608dce32e8f7df5a5fbd434b3783c70242c2f7f1f2bf831aeb2efe20bf |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | a2eacda9d529addeff750280e8a6ecde |
| SHA1 | 045d2d3b57d2709175628f74540818c2a846fc03 |
| SHA256 | 902c93b5a69c72d9999e922af19bd34c6222043be5e7baf75f034fcd8433af65 |
| SHA512 | da6ac993fa45896fac6cf99a631f968ea4273ef3956c35a4ffab8d6dba7323048471d60fc9983a156ea8f7212184d2e81b4c0cb26fe03bd6f00848e7dfd5b584 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | cf1b42b098f31157070f6cbf67f609aa |
| SHA1 | dc47fd664b81834e7386647e462766061189bbfe |
| SHA256 | 76b38a9e0e430094bf6113de89a5d267de451e8b9d1b1c151d8001f236dd122e |
| SHA512 | f88dd02c234e0e35091fce32cf2a228d2171ba4504c89709006ef623ec7e77d2e57b3cc43e293728d460faf2ef41d9cfdfc51ebf0bf46517a4069915e4d74daa |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\stylesheets\start_page_landing.css
| MD5 | 49617add7303a8fbd24e1ad16ba715d8 |
| SHA1 | 31772218ccf51fe5955625346c12e00c0f2e539a |
| SHA256 | b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907 |
| SHA512 | 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\stylesheets\start_page.css
| MD5 | f2ab3e5fb61293ae8656413dbb6e5dc3 |
| SHA1 | 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5 |
| SHA256 | 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192 |
| SHA512 | 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_topstrip_with_mru.html
| MD5 | cc4d8a787ab1950c4e3aac5751c9fcde |
| SHA1 | d026a156723a52c34927b5a951a2bb7d23aa2c45 |
| SHA256 | 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee |
| SHA512 | e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_topstrip_no_mru.html
| MD5 | eced86c9d5b8952ac5fb817c3ce2b8ba |
| SHA1 | 3ca24e69df7a4b81f799527a97282799fcd3f1e2 |
| SHA256 | 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d |
| SHA512 | a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_landing.html
| MD5 | 0a5b47256c14570b80ef77ecfd2129b7 |
| SHA1 | 69210a7429c991909c70b6b6b75fe4bc606048ae |
| SHA256 | 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d |
| SHA512 | 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_connect_to_data_with_mru.html
| MD5 | e6bc0d078616dd5d5f72d46ab2216e89 |
| SHA1 | f70534bb999bcb8f1db0cf25a7279757e794499f |
| SHA256 | e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54 |
| SHA512 | 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_connect_to_data_no_mru.html
| MD5 | 20bbd307866f19a5af3ae9ebd5104018 |
| SHA1 | 8e03c9b18b9d27e9292ee154b773553493df1157 |
| SHA256 | e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7 |
| SHA512 | 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_banner.html
| MD5 | 5d1f7da1c3d95020a0708118145364d0 |
| SHA1 | 02f630e7ac8b8d400af219bd8811aa3a22f7186e |
| SHA256 | d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a |
| SHA512 | 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
| MD5 | 3220a6aefb4fc719cc8849f060859169 |
| SHA1 | 85f624debcefd45fdfdf559ac2510a7d1501b412 |
| SHA256 | 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765 |
| SHA512 | 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml
| MD5 | 85889f4d7bebe3425502ed65424880d5 |
| SHA1 | 6c2b30dff6608be4a9f24c05c02fac2177360c87 |
| SHA256 | d806c452be87903d4c624288371ab1ed886dd0a644bac63e8efc6375805360d3 |
| SHA512 | b15eb381b1c5398488d53d260b24f5f4f49ea23c7c516267e94adae4ed5889cb3e1ec452b4dfc8d0e1f9945cd24247569609218623130a811e98b8b592cfb256 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml
| MD5 | 7f473f739d5afc986d1ba661cafa2bb9 |
| SHA1 | 0788df9d3ca2e31e375a83485162859b949c2058 |
| SHA256 | dba90f415643cbf77dc8ad4d761e8481016918a4b6f39da4f414539c6d130b55 |
| SHA512 | 2757e5280aa07eb83fed0442d43e197b5e91522d5b7820e5c50790dc294baffb9a6bd12a4759d5809af82d5d072ee299dc30f11439e56ebba9f03e411cf586b5 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | d017bc780b3efe2ae3b01986b3d2d48d |
| SHA1 | cb8544e47038b34f5e98ecf0774791aac77d078a |
| SHA256 | 1e7ef3846cdf9fc517a6021f74a5979d54de16a3d2a2eb377d62d5ac56e67ffe |
| SHA512 | eaa73227b482d7c1948c777192fe0a0edc13b98313243ee2a726933d4e1ca0d1fd2ea66a572b8700b13d7756dab23d37e877c16765dc142a8db02a2ca1859e98 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | f77b819e4559f406317ae26c31688e2d |
| SHA1 | 0e8421e32ae4fa0effbdf2cdfed62377f3a93450 |
| SHA256 | 5fc271234ea11a33b4152974bae430d41d7ec193e602640a9c9b607bc69722c8 |
| SHA512 | cfdc6e0568f30f0dd8962b0e3544e6cb095df198eb63c4f2f429ceb1d67258923eeb963c3d5c7a834399ac34ed9dd6af436b66368cbc0747b1b6372e2bcc2043 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
| MD5 | b4cd9408d001da78feb0f366c0a747a3 |
| SHA1 | aba0dfcf0f6e694af6c6da8e1e8a6ff0fa2dadc1 |
| SHA256 | 478b9a637f55676e987e8fe5d577b7dc1a32d6b86c4e22ebb9893365e0714a2b |
| SHA512 | fb60a3de4ea39366a548ba8a74e094985a5af66901f0f64f1832e864423e96cae2f0977f33b6dc575681b4056dac935a42c0e11766225b1c6f254701b513bda3 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\ui.xml
| MD5 | 2e79233b3ad881df35237c30ee2eeda9 |
| SHA1 | 72d2d617bfb5322915fae6ada090a85d037e5ad2 |
| SHA256 | d8530c0e05387ae70687ef470616a72240c4b38bfd5cc459b2601c3eca68c864 |
| SHA512 | d8126c0882ecd7553301788b8ee7cdf6d91a7f38a322dea43de4aac5ceed57ade0937469858c19dfb36f1340efbe3101ba83bc2352fa05de41d91a2fe152eb02 |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll
| MD5 | 7dd6d7846f93a0ddc5c8dd71df71dfcd |
| SHA1 | 64e66ec1b7f5303c1ebf2fa51b697af0c76e2489 |
| SHA256 | 9c633d3f1f74d2bca837661d290150b3b04b6303fcea096a26210483f2f9af15 |
| SHA512 | 62b783eb3c7660f7ca3fecddda5f2f662740feccc8677edbe217fed93261e8b6c18a37e46fb551d100b9a9786b0edf40fcf96059790478fc5f29b63c20d8b77c |
C:\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll
| MD5 | 3f8e79e0485268234f42c97c18b0c917 |
| SHA1 | 00492f969889a9b9ca0ef9ba05f5ca49fe78e07c |
| SHA256 | 706aad3366e057e0cb6effa9a4278c09f6bd25d82d5ddb4db9f1c29c740adfa3 |
| SHA512 | 6e750b646d9c86b10a6852401d6fc7075cab8fe28d59b27876ec23b0007ce8acb84bb32a6bab65f2d2924d122b6ff8383fd54c7ff2092ad17ec72e4f7b4944be |
memory/1388-613-0x0000000000140000-0x0000000000528000-memory.dmp
memory/3248-614-0x0000000000C90000-0x00000000014C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\152112324057
| MD5 | 784f0ed4feb5d62613a656ae9b2dba7a |
| SHA1 | 5c501f52e533931a140fb9bc9a11352f1964fbde |
| SHA256 | 0682749d042feb6a50386f251e36b17fb62490b6a4c52395d358721be7919990 |
| SHA512 | 74dbd037e28df47c1659184921187270018e201d00d8b4f41d3a5270452db97f99ca6a641d3eeaf7c7bc23ed44b3b1701a73e124d17b1ce04c8ce750ecc210b3 |