Malware Analysis Report

2024-09-22 16:37

Sample ID 240130-bbhhqafghp
Target 814e4e665cbfbb465b3a779f790155c8
SHA256 561a27e811aa3a61afc77e1b4497c1d33aca7afd1adca5edbe4b5efa5bc38cd0
Tags babadeda crypter discovery loader upx
Score 10/10


Analysis Overview

Score 10/10

SHA256 561a27e811aa3a61afc77e1b4497c1d33aca7afd1adca5edbe4b5efa5bc38cd0

Threat Level: Known bad

The file 814e4e665cbfbb465b3a779f790155c8 was found to be: Known bad.

Malicious Activity Summary

babadeda crypter discovery loader upx

Babadeda

Babadeda Crypter

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-01-30 00:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-30 00:58
Reported 2024-01-30 01:00
Platform win7-20231129-en
Max time kernel 118s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (11 identical rows)

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1748 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe  (7 identical rows)
PID 1900 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe  (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe

"C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3627615824-4061627003-3019543961-1000"

C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

"C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe"

Network

Country | Destination | Domain | Proto
RU | 185.215.113.55:80 | | tcp  (4 identical rows)

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 fa569798a54777090a825a8e72a5deee
SHA1 622728b0348957599cfeecca337337383faedb9e
SHA256 0cab8ecdfa3d3d88c19fcb950480bb6b5083ef6bca8426b519cc081e9c25b800
SHA512 2d8433f565108297116921e5c5a6f95c416bfccf8ffd510edd77cf33692bc9f8301db19802427273a41554aec6b0fa7f12124a93ce3257a8a07689edb2ed50d3

memory/1748-5-0x00000000033F0000-0x00000000037D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 6fa58e7f3b194515d234924e282abf2a
SHA1 e67c619543b4f1fbca22adf8a56883c1cb43404e
SHA256 97400e652a52299fa3f39d023718d0d0b72b89aba0c2d6e3259068ce477215f9
SHA512 64a74034fae5ac5810fc0cbb99a2cc8c158c1cea6a8abac6d654ac33281b958025df1368947cfb6840fc7c82f941f2a8f63d33934698024d15d3f8d6761f9fbc

memory/1748-18-0x00000000033F0000-0x00000000037D8000-memory.dmp

memory/1748-20-0x00000000033F0000-0x00000000037D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 757c557f8630a4ee34bd77cfff505d8f
SHA1 2997a7d8ba681f3ac54a76ac723d07152e24d522
SHA256 d6751a533fa4932a94e2c39149c3f8caae1bbc3f6d6e977b342d46fbbe1fa3b6
SHA512 9680ae1674223808160dfec375dfb5ac438e1acd689c8f6b4752000312a01a2ed09e4e2e374830350b4117b4c6307527ea81fc2811aae757e32aa2d6624001bb

memory/1900-24-0x0000000000A20000-0x0000000000E08000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 9eee30f75fd7318dde87d713d5db2146
SHA1 09f8c234a99067a6c48bd2122c9c4b7048b3f3bc
SHA256 f7ef7c15519e942ee061a82597af22f07e31ff03e9a22fe33df47f4d216b1fdf
SHA512 14b382b76e2f588b79b3530bca1afedfed801648e2e37c0ba54b15bfc985fd1892226af35bb88e0b406b4c783affcc44987d35d866f5147af66b33fc92f898d8

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 f1913cc4d38fd3f764ae673e6893affe
SHA1 71cf102f02941a9d2b6338cc77acd96d82fd0e86
SHA256 f61dbfb1670bc6c1fc82ed8b3e46c3bc2c26010fe1e7b29e3927efeb132a6440
SHA512 ca31dfdbf9bbc44c10e072cdfc2b1eb632b145cab6651a5be40402b0bea38607c45577d12095a926b23c7e46796b071e5f41e2caf8d5ae0f937c77c30edb8661

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ab9403b2c0ec1278bcb2013ff1b8e62d
SHA1 b40909058fc1159edb86ac00c403ca6c6e1a65f6
SHA256 7b765f5880731603ef01ba905a890028a801b3d472125818298d5a7e37fef963
SHA512 c3ea17536a5abd6d59653b48df5079302a9c34e32bc8868532ceb714b2f5b5a22de078238c5cd646c420399f7ed441ef91aaa0a84e66fee60a2604259b651190

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 9c60c4a7dfa9c4fc989463e56f680d31
SHA1 df949fc3f627c655c8246138c88ed1e889a01090
SHA256 08cf8bb49dc97d9f33fa6886ae2fb07b2751ab7ce23a0fc502d00f2e50e50b39
SHA512 90a8abf1bb313608e4de60b88e81871450b2343cb1b1cc0bcfe2e6e251b705c923ce1874626f38cc8e86496ffd40a43c9644cdf8158722a001d545687c4d9f6d

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 290c875260fcb4da9207029d1f6c559e
SHA1 5a94f8bf3e943e3471b475960c67bf505ad75c83
SHA256 54e972b8a5d07098b72d66485d08434603452063aa2b324427a338dc15c53782
SHA512 3c628a89ad049cc67d1ca958acddfc60ed8cf0171f5dd5e60fe6faaffd4b0e97beec66a72c9fe88a114b1ee45ff001ca465e34a2e084da6ef5e6b87b463f43b3

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 175e25dc755bb5c8b2dc27b47fd16df5
SHA1 18578e86807f43370e49338bb44b027e93f37eb9
SHA256 6f163bd10877d844eaf698b68e024b0bd1a2742ed4d3aa335dbce82807b2051c
SHA512 8bc2d35747b006573a9445d702599bf080394684790cbbaa3dc21447893e915b1306351767f67053c8f8581ab20ce2eb657cba3f7080e83ff2976ea5ee71b07b

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml

MD5 03a258bd2b97e3267b725fc4d6144699
SHA1 c5193cd0dfadb615fd88ce98b69df2151d24c685
SHA256 b7503474bb17cf8fa6ddb62bc353371fd134b6302a9235abc924c0cd6ae97ec2
SHA512 b2b0eeb9e2c6291e2a6053bbd1baa8ae654dfe9c0e5091a13dfe668c068c20dd547697edfb37ab20ac39e166afa771d3ab38cce3063994f8e3510048e6b3b7f8

C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml

MD5 5b27b87227d4a9ef10a3257c817121da
SHA1 efd20d8a5e5b351d59da53bb3d456da6527fa16b
SHA256 6177d775028d5af64d20eff912df958691de980aa874efd7060616ac04b0cce8
SHA512 66d7f5c730f45062038a7e5aa158aa606c5f1ea67b02e56c2ac7128fadd120f4abbe18b0c5e91cddcf07f9b6605a26b6e791c5a4841e0b2424bcc82f12fb7bb9

memory/1900-877-0x00000000005F0000-0x0000000000600000-memory.dmp

C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 998be31f33476eb7ff7360549082b289
SHA1 ead49881c5c1de74953af970879565210718c916
SHA256 f6dea6168fe93e85b5c83c08793514f83e1c9993e25bf1869b5d3eb676b09f87
SHA512 ed6c9e8e1f975bcb59b541c0cf33741f21bae3b84b20ab19d4fa10539c537e44ece3336bb1f6e60fc82f3b6c9370fb3df25ddecbe54356d80bef0d7a1dec9077

\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 a878b5061bc563270d6b03ac071d16b3
SHA1 e4aeb7d07868bb4bd742e9dd6d3058c5cc096e28
SHA256 d3463e31fcfaeeee93a0872b5c2cea6c7eabbd03f77352be2566bde2281ceed8
SHA512 ac7f3addf64e57db50b1534310776549bc8771785be1d350fdff3830db663183bb71cc9aedbda60c11e05c7c4ef2988ce8690a60849ddabff2dae936c110e88c

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 f3d83f57b9783848508e7276f7b0e1b3
SHA1 08798762497d8f01b1fb066121920eb71497d766
SHA256 880bacd0acb602a064e87a9583e54d99959c287ce153d2becc1eb31b09ebb95f
SHA512 7f7b572e61b9c6142a80cb08331c99d9596ab1276c8bfac29497c46bda880b92ff9d4421e931c3b195a9243b01f5b6bc533284ef0b98e91d678115cdf4d1dc54

memory/1900-896-0x00000000050B0000-0x00000000058E0000-memory.dmp

memory/1900-895-0x0000000000A20000-0x0000000000E08000-memory.dmp

C:\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll

MD5 32c06baf2d022359601c251309dd3549
SHA1 df56fb7030e82ec7929b6a88772d4726338d0ae4
SHA256 5e69ee1e26b6e3e4b5b6e2f3941dfc88d6d827d4145e97d85306b4360d043768
SHA512 86bbe76a0d78a9edf0c476c7f6d3aac93d577748aae5f481c89977a143ea46fd458c24959e87b3a72b83c95300b17c693fd06a3c139f24f26e3255ead7c50187

\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 b7058640318ebc795fe49a1b00100d8f
SHA1 d64a03d380b6c44b4e83bcf2f0203bb0522ee090
SHA256 f9db09b2368744df33f4b6ea39c040af042e9c92d06712a9f3329b985ba80bee
SHA512 7a98d5171c0e74fe22f9301b79579ac909e0be9f26b6978204146b0be19f32e71ed6628988c63632d79a24617a1331b6bdf17d06f6d36f47cf3fd00ce82723bb

\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 c398f1802d4c49d31f7821e6d93d10ea
SHA1 9acc471a8a790e58dd719748af61ab7cf96a395e
SHA256 9b2d1ad723c19c04bfb9f06e837f0315e3582a0c64ab48316c741d0b779902da
SHA512 001ee66014f305d227fbdadfe423ef1fb7d2fa0aec0d5f3249cfb23baf18c0f2b265c392e8b61e4a64e32da5c9b1376356c46be532496d4d2e9cb0eaa8810b58

\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 bda27d2abc2edd1cc566836913230749
SHA1 800d02b4d5f4346a0779a1cea9642a95e307b1a8
SHA256 afed90ca13983ce44b585488647442029ae12d226243d31eb54d567efe07fde6
SHA512 f85d689af9a66e99d7a071d49251a134e1601ec836d1ad63c56cc4ce780d7bb09ad8fd7bbc753fa5e8b1b28dc7b841d9318b74db73313cc92a633693d2dedcb5

C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 ee24a8927ebab0fb30fd1b7ea8547fe3
SHA1 3eb72025b5dc520c8b36675c34854a2b95306467
SHA256 a510dfe592fe5223a3688357bc0765a1b1c1c99f461eb8570ea8074a20444428
SHA512 3c2bb2b3b21708f6866b0dd836be22045b6a2ac37192f6205767633c221102d899596a03badc8c8ad55c76e959d5cf187780c796fce8be9563a0e80e8b34c156

C:\Users\Admin\AppData\Roaming\LittleCMS engine\ui.xml

MD5 9fe531a860b574477cb03eb6f878ca7a
SHA1 a22c81b16c7b73afb437eeafb753bb3275ee36c6
SHA256 7ac20cce461f268a3fa4e9d371b67a33544297f33a5355d7b6f09edc7de6cfa3
SHA512 9684355d8e304dac985f3eebb847cdf26a8b0a8f56ac8bdabafc95b998196a07dfd3f353fc7ee72598c4aff6c45c5bf700d898d7cf057b9a9deef904b75bd50b

memory/2740-899-0x0000000000B00000-0x0000000001330000-memory.dmp

\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll

MD5 11efa59c264a2d3425cb1a83ec7cac79
SHA1 e7e6f287822489f827ea21c9bd61b676d7a8df55
SHA256 3bb0641fde93004a58127caed2fb414a1f5edb62e11751fa2b21620a057edf87
SHA512 7c8eddbcae3b6523a1d70592d7d8a859f5e2336cd587ecd4287678da95da1f7da5404763d422082e42fee45124fd7a768840ccc51dd613c416b271e4638fc5c3

C:\Users\Admin\AppData\Local\Temp\152136276158

MD5 1121132c578b5abc02bd69411a370adf
SHA1 f42fe7952a4cbc5db0976758a1de3edf1ce21522
SHA256 4d2407322218288208b424b1c6dcec5a6a1402d30db47a639a67cac48a8bb24b
SHA512 c9726068aac1effbaa0f2be459bba7d645f80836e670268545a85df3fdefb22d2d8c0746baf8e40d430d0985aa3e8bae7dd2b7a46e949fee4586c9754ec3c98c

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-30 00:58
Reported 2024-01-30 01:00
Platform win10v2004-20231215-en
Max time kernel 148s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (5 identical rows)

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe

"C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1232405761-1209240240-3206092754-1000"

C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

"C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
RU | 185.215.113.55:80 | | tcp
RU | 185.215.113.55:80 | | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp
RU | 185.215.113.55:80 | | tcp
RU | 185.215.113.55:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 a132e44e438da2c9e9d8c725026d25b3
SHA1 113effeac99b044d62a9f6746a6532600de695ac
SHA256 71a6a5de86a758b28a7f02ebe14804fc7fb1311220edd7616550c8cac956a5ea
SHA512 5e6bc45d0589572e53ec5a653105626c4c8eb87c8ebd8cda22cdf0a8b43ce8408dffa13a45dafd5c6f075a253f8923f762126e4755615e744db1f78bf3129ec9

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 7342c49823b223d309d701c2b8bc2be7
SHA1 74b316dd680af56ff610e8920a888c7dae35ad6b
SHA256 8d662e87a181a5bb76fbb7fa2062f5878aca38189d9fd3b7002ea810117ba612
SHA512 54cdc44370e45690e077b2d46f33a10f5e9cb8e44444bda9be0535bafa596a0cbe25c9af92b16a5aaffd80b57e06fa91486e3e6555c47605794f64cbf77b071f

memory/1388-11-0x0000000000140000-0x0000000000528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 cb93f1e129e84ddd62ac202d804d7a4b
SHA1 1cfe018d4ceeb6003ff5139aab6de7ec2ce3f54d
SHA256 2fcf0af68e08f52d15a8ed455bfdf0060608261b353e6a8fad9cb36dca6ed48a
SHA512 9013d4634244e1629e5ce24368fa54657563a7c9f8cae3a913877efab24d1084688fd5608dce32e8f7df5a5fbd434b3783c70242c2f7f1f2bf831aeb2efe20bf

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 a2eacda9d529addeff750280e8a6ecde
SHA1 045d2d3b57d2709175628f74540818c2a846fc03
SHA256 902c93b5a69c72d9999e922af19bd34c6222043be5e7baf75f034fcd8433af65
SHA512 da6ac993fa45896fac6cf99a631f968ea4273ef3956c35a4ffab8d6dba7323048471d60fc9983a156ea8f7212184d2e81b4c0cb26fe03bd6f00848e7dfd5b584

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 cf1b42b098f31157070f6cbf67f609aa
SHA1 dc47fd664b81834e7386647e462766061189bbfe
SHA256 76b38a9e0e430094bf6113de89a5d267de451e8b9d1b1c151d8001f236dd122e
SHA512 f88dd02c234e0e35091fce32cf2a228d2171ba4504c89709006ef623ec7e77d2e57b3cc43e293728d460faf2ef41d9cfdfc51ebf0bf46517a4069915e4d74daa

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\stylesheets\start_page_landing.css

MD5 49617add7303a8fbd24e1ad16ba715d8
SHA1 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256 b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\stylesheets\start_page.css

MD5 f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_topstrip_with_mru.html

MD5 cc4d8a787ab1950c4e3aac5751c9fcde
SHA1 d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512 e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_topstrip_no_mru.html

MD5 eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512 a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_landing.html

MD5 0a5b47256c14570b80ef77ecfd2129b7
SHA1 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_connect_to_data_with_mru.html

MD5 e6bc0d078616dd5d5f72d46ab2216e89
SHA1 f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256 e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_connect_to_data_no_mru.html

MD5 20bbd307866f19a5af3ae9ebd5104018
SHA1 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256 e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_banner.html

MD5 5d1f7da1c3d95020a0708118145364d0
SHA1 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256 d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 3220a6aefb4fc719cc8849f060859169
SHA1 85f624debcefd45fdfdf559ac2510a7d1501b412
SHA256 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765
SHA512 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml

MD5 85889f4d7bebe3425502ed65424880d5
SHA1 6c2b30dff6608be4a9f24c05c02fac2177360c87
SHA256 d806c452be87903d4c624288371ab1ed886dd0a644bac63e8efc6375805360d3
SHA512 b15eb381b1c5398488d53d260b24f5f4f49ea23c7c516267e94adae4ed5889cb3e1ec452b4dfc8d0e1f9945cd24247569609218623130a811e98b8b592cfb256

C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml

MD5 7f473f739d5afc986d1ba661cafa2bb9
SHA1 0788df9d3ca2e31e375a83485162859b949c2058
SHA256 dba90f415643cbf77dc8ad4d761e8481016918a4b6f39da4f414539c6d130b55
SHA512 2757e5280aa07eb83fed0442d43e197b5e91522d5b7820e5c50790dc294baffb9a6bd12a4759d5809af82d5d072ee299dc30f11439e56ebba9f03e411cf586b5

C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 d017bc780b3efe2ae3b01986b3d2d48d
SHA1 cb8544e47038b34f5e98ecf0774791aac77d078a
SHA256 1e7ef3846cdf9fc517a6021f74a5979d54de16a3d2a2eb377d62d5ac56e67ffe
SHA512 eaa73227b482d7c1948c777192fe0a0edc13b98313243ee2a726933d4e1ca0d1fd2ea66a572b8700b13d7756dab23d37e877c16765dc142a8db02a2ca1859e98

C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 f77b819e4559f406317ae26c31688e2d
SHA1 0e8421e32ae4fa0effbdf2cdfed62377f3a93450
SHA256 5fc271234ea11a33b4152974bae430d41d7ec193e602640a9c9b607bc69722c8
SHA512 cfdc6e0568f30f0dd8962b0e3544e6cb095df198eb63c4f2f429ceb1d67258923eeb963c3d5c7a834399ac34ed9dd6af436b66368cbc0747b1b6372e2bcc2043

C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe

MD5 b4cd9408d001da78feb0f366c0a747a3
SHA1 aba0dfcf0f6e694af6c6da8e1e8a6ff0fa2dadc1
SHA256 478b9a637f55676e987e8fe5d577b7dc1a32d6b86c4e22ebb9893365e0714a2b
SHA512 fb60a3de4ea39366a548ba8a74e094985a5af66901f0f64f1832e864423e96cae2f0977f33b6dc575681b4056dac935a42c0e11766225b1c6f254701b513bda3

C:\Users\Admin\AppData\Roaming\LittleCMS engine\ui.xml

MD5 2e79233b3ad881df35237c30ee2eeda9
SHA1 72d2d617bfb5322915fae6ada090a85d037e5ad2
SHA256 d8530c0e05387ae70687ef470616a72240c4b38bfd5cc459b2601c3eca68c864
SHA512 d8126c0882ecd7553301788b8ee7cdf6d91a7f38a322dea43de4aac5ceed57ade0937469858c19dfb36f1340efbe3101ba83bc2352fa05de41d91a2fe152eb02

C:\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll

MD5 7dd6d7846f93a0ddc5c8dd71df71dfcd
SHA1 64e66ec1b7f5303c1ebf2fa51b697af0c76e2489
SHA256 9c633d3f1f74d2bca837661d290150b3b04b6303fcea096a26210483f2f9af15
SHA512 62b783eb3c7660f7ca3fecddda5f2f662740feccc8677edbe217fed93261e8b6c18a37e46fb551d100b9a9786b0edf40fcf96059790478fc5f29b63c20d8b77c

C:\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll

MD5 3f8e79e0485268234f42c97c18b0c917
SHA1 00492f969889a9b9ca0ef9ba05f5ca49fe78e07c
SHA256 706aad3366e057e0cb6effa9a4278c09f6bd25d82d5ddb4db9f1c29c740adfa3
SHA512 6e750b646d9c86b10a6852401d6fc7075cab8fe28d59b27876ec23b0007ce8acb84bb32a6bab65f2d2924d122b6ff8383fd54c7ff2092ad17ec72e4f7b4944be

memory/1388-613-0x0000000000140000-0x0000000000528000-memory.dmp

memory/3248-614-0x0000000000C90000-0x00000000014C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\152112324057

MD5 784f0ed4feb5d62613a656ae9b2dba7a
SHA1 5c501f52e533931a140fb9bc9a11352f1964fbde
SHA256 0682749d042feb6a50386f251e36b17fb62490b6a4c52395d358721be7919990
SHA512 74dbd037e28df47c1659184921187270018e201d00d8b4f41d3a5270452db97f99ca6a641d3eeaf7c7bc23ed44b3b1701a73e124d17b1ce04c8ce750ecc210b3